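---
# Post-software steps on the NFS/support host: lay out the per-user NFS
# export directories that the user PVs (created from the bastion in the
# next play) point at.
- name: Step 00xxxxx post software - user vols on support host
  hosts: support
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tasks:
    # Idempotent replacement for `shell: mkdir -p ... vol{1..N}`: no shell
    # (and no dependency on bash brace expansion), and "changed" is reported
    # only when a directory is actually created. range() is 1..user_vols
    # inclusive, matching the brace expansion.
    - name: Create user vols
      file:
        path: "/srv/nfs/user-vols/vol{{ item }}"
        state: directory
        mode: "0777"
      loop: "{{ range(1, user_vols | int + 1) | list }}"

    # Equivalent of the original `chmod -R 777 /srv/nfs/user-vols`.
    # NOTE(security): 0777 makes the whole export tree world-writable on the
    # NFS host. That mirrors the original, presumably because pods write as
    # arbitrary UIDs through a root_squashed export — confirm the export
    # options before tightening this.
    - name: chmod the user vols
      file:
        path: /srv/nfs/user-vols
        state: directory
        mode: "0777"
        recurse: true
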
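# Render and register the NFS-backed PersistentVolumes from the bastion.
# The PV manifests are written under /root and fed to `oc`, so root on the
# bastion needs a working cluster-admin kubeconfig.
- name: Step 00xxxxx post software - NFS PVs from bastion
  hosts: bastions
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tasks:
    - when: install_nfs | bool
      block:
        # The NFS server is the alphabetically first host of the support group.
        - name: get nfs Hostname
          set_fact:
            nfs_host: "{{ groups['support'] | sort | first }}"

        # Inputs for pvs.j2: general-purpose PVs, Retain reclaim policy.
        - set_fact:
            pv_size: '10Gi'
            pv_list: "{{ ocp_pvs }}"
            persistentVolumeReclaimPolicy: Retain

        - name: Generate PV file
          template:
            src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/pvs.j2"
            dest: "/root/pvs-{{ env_type }}-{{ guid }}.yml"
          tags: [ gen_pv_file ]
          when: pv_list.0 is defined

        # Inputs for userpvs.j2: per-user PVs, Recycle reclaim policy.
        # The original carried `notify: restart nfs services` and
        # `run_once: True` on this task. set_fact never reports "changed", so
        # the notify could never fire (and no handler of that name exists in
        # this play), and the play is already run_once — both dropped as dead.
        - set_fact:
            pv_size: "{{ user_vols_size }}"
            persistentVolumeReclaimPolicy: Recycle

        - name: Generate user vol PV file
          template:
            src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/userpvs.j2"
            dest: "/root/userpvs-{{ env_type }}-{{ guid }}.yml"
          tags:
            - gen_user_vol_pv

        # create-or-replace: `oc create` fails when the objects already exist,
        # in which case the `||` falls through to `oc replace`.
        - shell: 'oc create -f /root/pvs-{{ env_type }}-{{ guid }}.yml || oc replace -f /root/pvs-{{ env_type }}-{{ guid }}.yml'
          tags:
            - create_user_pv
          when: pv_list.0 is defined

        - shell: 'oc create -f /root/userpvs-{{ env_type }}-{{ guid }}.yml || oc replace -f /root/userpvs-{{ env_type }}-{{ guid }}.yml'
          tags:
            - create_user_pv
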
# On OCP 3.9.27-3.9.30 with CNS installed, make glusterfs-storage the default
# storage class and clear the default flag from glusterfs-storage-block
# (presumably the installer marks the block class default in those releases).
- name: For CNS change default storage class to glusterfs-storage (3.9.27, 3.9.30)
  hosts: masters
  run_once: true
  become: true
  gather_facts: false
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - env-specific_infra
    - storage-class
  tasks:
    - when:
        - osrelease is version_compare('3.9.27', '>=')
        - osrelease is version_compare('3.9.30', '<=')
        - install_glusterfs | bool
      block:
        # "not patched" means the annotation already had the desired value;
        # only a non-zero exit *without* that message counts as a failure.
        - name: Set glusterfs-storage class to default
          command: >
            oc patch storageclass glusterfs-storage
            -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "true"}}}'
          register: changesc_r
          changed_when: changesc_r.stdout.find('storageclass "glusterfs-storage" patched') != -1
          failed_when:
            - changesc_r.rc != 0
            - changesc_r.stdout.find('storageclass "glusterfs-storage" not patched') == -1

        - name: Remove default from glusterfs-storage-block class
          command: >
            oc patch storageclass glusterfs-storage-block
            -p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}'
          register: changesc_r
          changed_when: changesc_r.stdout.find('storageclass "glusterfs-storage-block" patched') != -1
          failed_when:
            - changesc_r.rc != 0
            - changesc_r.stdout.find('storageclass "glusterfs-storage-block" not patched') == -1

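# Prepare the bastion for CloudForms / OPENTLC integration. This play loads
# env_secret_vars.yml, so anything it hands to the role is sensitive.
- name: Configure Bastion for CF integration
  hosts: bastions
  become: true
  gather_facts: false
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/mgr_users.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  tags:
    - env-specific
    - cf_integration
    - opentlc_integration
  tasks:
    - when: install_opentlc_integration | bool
      block:
        # `no_log` is a task keyword, not a variable. The original put it under
        # `vars:` of the include, where it was merely passed to the role as a
        # variable named no_log and suppressed nothing. It is a keyword here.
        # NOTE(review): whether no_log on include_role is inherited by the
        # role's own tasks depends on the Ansible version in use — confirm, or
        # set no_log on the sensitive tasks inside the role as well.
        - name: Configure Bastion
          include_role:
            name: "{{ ANSIBLE_REPO_PATH }}/roles/opentlc-integration"
          no_log: true

        # This hands root's cluster-admin kubeconfig to the opentlc-mgr user.
        - name: Copy /root/.kube to ~opentlc-mgr/
          command: "cp -rf /root/.kube /home/opentlc-mgr/"

        # Ownership as before, plus an explicit mode: cp without -p applies
        # the umask to the source mode and a re-run keeps whatever mode the
        # destination already had, so nothing guaranteed the copied admin
        # credentials were unreadable by group/other. `X` keeps directories
        # traversable without making the config files executable.
        - name: set permission for .kube
          file:
            path: /home/opentlc-mgr/.kube
            owner: opentlc-mgr
            group: opentlc-mgr
            mode: "u=rwX,go="
            recurse: true
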
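# Cluster-level environment setup: wildcard routes, the admin user's
# cluster-admin binding, the admin project and its SCC relaxations.
- name: env-specific infrastructure
  hosts: masters
  run_once: true
  become: true
  gather_facts: false
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - env-specific_infra
  tasks:
    - name: Command to enable the wildcard routes in the OCP cluster for 3scale
      shell: "oc set env dc/router ROUTER_ALLOW_WILDCARD_ROUTES=true -n default"

    # NOTE(security): cluster-admin is unrestricted cluster-wide access;
    # admin_user is the environment's administrator identity.
    - name: Give administrative user cluster-admin privileges
      command: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}"

    - name: Check for admin_project project
      command: "oc get project {{ admin_project }}"
      register: result
      changed_when: false
      ignore_errors: true

    # `result is failed` replaces the `result | failed` filter form the
    # original used: the filter form is deprecated (removed in later Ansible
    # releases) and the rest of this file already uses the `is` tests.
    - name: Create admin_project project (for OCP before 3.10)
      command: "oc adm new-project {{ admin_project }} --admin {{ admin_user }} --node-selector='env=infra'"
      when:
        - result is failed
        - osrelease is version_compare("3.10", "<")

    - name: Create admin_project project (for OCP 3.10+)
      command: "oc adm new-project {{ admin_project }} --admin {{ admin_user }} --node-selector='node-role.kubernetes.io/infra=true'"
      when:
        - result is failed
        - osrelease is version_compare("3.10", ">=")

    # Only meaningful on the multitenant SDN plugin.
    - name: Make admin_project project network global
      command: "oc adm pod-network make-projects-global {{ admin_project }}"
      when: ovs_plugin == "multitenant"

    # NOTE(security): every service account in admin_project may now run
    # containers as any UID, including root.
    - name: Set admin_project SCC for anyuid
      command: "oc adm policy add-scc-to-group anyuid system:serviceaccounts:{{ admin_project }}"

    # NOTE(security): this edits the cluster-wide anyuid SCC, so it affects
    # every project granted anyuid, not only admin_project. The patch sets the
    # SCC's requiredDropCapabilities list to MKNOD and SYS_CHROOT; errors are
    # ignored, so a failed patch goes unnoticed.
    - name: Add capabilities within anyuid which is not really ideal
      command: "oc patch scc/anyuid --patch '{\"requiredDropCapabilities\":[\"MKNOD\",\"SYS_CHROOT\"]}'"
      ignore_errors: true

    - name: Set Node Selector to empty for project openshift-template-service-broker
      shell: oc annotate namespace openshift-template-service-broker openshift.io/node-selector="" --overwrite
      ignore_errors: true
      when:
        - osrelease is version_compare('3.7', '>=')
        - osrelease is version_compare('3.10', '<')
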
# Restrict project self-provisioning: instead of every authenticated user,
# only members of OPENTLC-PROJECT-PROVISIONERS may create projects.
- name: Remove all users from self-provisioners group
  hosts: masters
  run_once: true
  become: true
  gather_facts: false
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - remove_self_provisioners
  tasks:
    - when: remove_self_provisioners | bool
      block:
        # autoupdate=false stops the API server from reconciling the default
        # subjects back onto this binding (presumably on restart), which would
        # undo the removal below.
        - name: Set clusterRoleBinding auto-update to false
          command: oc annotate -n default --overwrite clusterrolebinding.rbac self-provisioners rbac.authorization.kubernetes.io/autoupdate=false

        # Errors ignored so a re-run (groups already removed) does not abort.
        - name: Remove system:authenticated from self-provisioner role
          command: "oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth"
          ignore_errors: true

        # Errors ignored: the group already exists on a re-run.
        - name: create our own OPENTLC-PROJECT-PROVISIONERS
          command: "oc adm groups new OPENTLC-PROJECT-PROVISIONERS"
          ignore_errors: true

        - name: allow OPENTLC-PROJECT-PROVISIONERS members to provision their own projects
          command: "oc adm policy add-cluster-role-to-group self-provisioner OPENTLC-PROJECT-PROVISIONERS"

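# Install the custom project-request template and point the master config at
# it. Masters are restarted only when the master config actually changed.
- name: Project Request Template
  hosts: masters
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - project_request
  tasks:
    # Relative to the playbook directory, unlike the other templates in this
    # file which are addressed via ANSIBLE_REPO_PATH.
    - name: Copy project request template to master
      copy:
        src: ./files/project-template.yml
        dest: /root/project-template.yml

    - name: Check for project request template
      command: "oc get template project-request -n default"
      register: request_template
      changed_when: false
      ignore_errors: true

    # `is failed` replaces the deprecated `| failed` filter form.
    - name: Create project request template in default project
      shell: "oc create -f /root/project-template.yml -n default || oc replace -f /root/project-template.yml -n default"
      when: request_template is failed

    - name: Update master config file to use project request template
      lineinfile:
        regexp: " projectRequestTemplate"
        dest: "/etc/origin/master/master-config.yaml"
        line: ' projectRequestTemplate: "default/project-request"'
        state: present
      register: master_config

    # Registered so that a changed message alone also triggers a restart.
    # The original only keyed the restarts on the lineinfile result, so a
    # changed projectRequestMessage was left unapplied until some later
    # restart.
    - name: Add Project request message
      replace:
        dest: '/etc/origin/master/master-config.yaml'
        regexp: 'projectRequestMessage.*'
        replace: "projectRequestMessage: '{{ project_request_message }}'"
        backup: true
      register: master_config_message

    - name: Restart master service (Pre 3.7)
      service:
        name: atomic-openshift-master
        state: restarted
      when:
        - master_config is changed or master_config_message is changed
        - osrelease is version_compare('3.7', '<')

    - name: Restart master API service (3.7 - 3.9)
      service:
        name: atomic-openshift-master-api
        state: restarted
      when:
        - master_config is changed or master_config_message is changed
        - osrelease is version_compare('3.7', '>=')
        - osrelease is version_compare('3.10', '<')

    - name: Restart master API Pods (3.10+)
      command: /usr/local/bin/master-restart api
      when:
        - master_config is changed or master_config_message is changed
        - osrelease is version_compare('3.10', '>=')
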
# Pre-pull environment-specific container images on every node.
- name: node admin configs
  hosts: nodes
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - env_specific_images
  tasks:
    # NOTE(review): images are pulled by whatever reference env_vars.yml
    # lists; pin them by digest there if supply-chain integrity matters.
    - name: Pull Env Specific Images
      command: "docker pull {{ item }}"
      with_items: "{{ env_specific_images }}"
      when: env_specific_images.0 is defined

# Replace the default Jenkins ImageStream with one imported from the Red Hat
# registry at the repo version. Every step tolerates failure; the tag steps
# are retried.
- name: Import jenkins images for OCP 3.7 and newer
  hosts: masters
  run_once: true
  become: true
  gather_facts: false
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - env_specific_images
  tasks:
    - when: osrelease is version_compare('3.7', '>=')
      block:
        - name: Remove default Jenkins ImageStream
          command: oc delete is jenkins -n openshift
          ignore_errors: true

        - name: Import jenkins from Red Hat Registry
          command: oc tag --source=docker registry.access.redhat.com/openshift3/jenkins-2-rhel7:v{{ repo_version }} openshift/jenkins:v{{ repo_version }} -n openshift
          ignore_errors: true

        - name: Tag Jenkins jenkins:latest
          command: oc tag openshift/jenkins:v{{ repo_version }} openshift/jenkins:latest -n openshift
          register: octag_result
          until: octag_result is succeeded
          retries: 5
          delay: 2
          ignore_errors: true

        - name: Tag Jenkins jenkins:2
          command: oc tag openshift/jenkins:v{{ repo_version }} openshift/jenkins:2 -n openshift
          register: octag_result
          until: octag_result is succeeded
          retries: 5
          delay: 2
          ignore_errors: true

# Pull the ose-recycler image on every node, infranode and master and tag it
# with the name expected for the release (presumably what the NFS Recycle
# reclaim policy looks for — not verifiable from here).
- name: Fix NFS PV Recycling for OCP 3.7 and newer
  hosts:
    - nodes
    - infranodes
    - masters
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - install_nfs
  tasks:
    # NOTE(review): install_nfs defaults to True here, whereas the bastion PV
    # play uses a bare `install_nfs|bool` and errors if it is undefined; the
    # two should agree. Left as-is.
    - name: Fix NFS PV Recycling
      when: install_nfs | d(True) | bool
      block:
        # `:latest` is unpinned — what is pulled depends on the registry at run time.
        - name: Pull ose-recycler Image
          command: docker pull registry.access.redhat.com/openshift3/ose-recycler:latest
          register: pull_result
          until: pull_result is succeeded
          retries: 5
          delay: 10
          when: osrelease is version_compare('3.7', '>=')

        - name: Tag ose-recycler Image (for OCP 3.7 - 3.9)
          command: >
            docker tag registry.access.redhat.com/openshift3/ose-recycler:latest
            registry.access.redhat.com/openshift3/ose-recycler:v{{ osrelease }}
          when:
            - osrelease is version_compare('3.7', '>=')
            - osrelease is version_compare('3.10', '<')

        - name: Tag ose-recycler Image (for OCP 3.10+)
          command: >
            docker tag registry.access.redhat.com/openshift3/ose-recycler:latest
            registry.access.redhat.com/openshift3/ose-recycler:v1.10.0
          when: osrelease is version_compare('3.10', '>=')

# Work around the dockergc DaemonSet on CRI-O clusters running OCP
# 3.9.0 - 3.9.25: patch the container command and bounce its pods.
- name: Fix CRI-O Garbage Collection DaemonSet for OCP 3.9 (up to 3.9.25)
  hosts: masters
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tasks:
    - name: Fix cri-o garbage collection
      when:
        - osrelease is version_compare('3.9.0', '>=')
        - osrelease is version_compare('3.9.25', '<=')
        - container_runtime == "cri-o"
      block:
        # Errors ignored — presumably so a re-run against an already patched
        # DaemonSet does not abort the play.
        - name: Patch dockergc DaemonSet
          shell: "oc patch daemonset dockergc --patch='\"spec\": { \"template\": { \"spec\": { \"containers\": [ { \"command\": [ \"/usr/bin/oc\" ], \"name\": \"dockergc\" } ] } } }' -n default"
          ignore_errors: true

        # Deleting the pods makes the DaemonSet recreate them with the patched spec.
        - name: Redeploy dockergc DaemonSet pods
          shell: "oc delete pod $(oc get pods -n default|grep dockergc|awk -c '{print $1}') -n default"

# Install OpenWhisk
- name: Install OpenWhisk
  hosts: masters
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - install_openwhisk
  tasks:
    # Off unless install_openwhisk is explicitly truthy.
    - include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-openwhisk"
      when: install_openwhisk | d(False) | bool

# Set up Prometheus/Node Exporter/Alertmanager/Grafana
# on the OpenShift Cluster
- name: Install Prometheus and Grafana (Pre 3.10)
  hosts:
    - nodes
    - infranodes
    - masters
    - bastions
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - install_prometheus
  tasks:
    # Runs on every host group; presumably the role branches per group.
    - include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-prometheus-pre310"
      when:
        - install_prometheus | d(False) | bool
        - osrelease is version_compare("3.10", "<")

# Deploy Grafana Manually until the install playbooks can
# (3.10 and onwards)
- name: Pre-pull Grafana Image (3.10+)
  hosts:
    - infranodes
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - install_prometheus
  tasks:
    # NOTE(security): this pulls an unpinned `:latest` image from a personal
    # Docker Hub namespace rather than a Red Hat or project-controlled
    # registry. Whatever is published under that tag at run time lands on the
    # infranodes; pin to a digest from a trusted source before relying on
    # this outside a lab.
    - name: Ensure Grafana Image is on Infranodes
      shell: "docker pull docker.io/mrsiano/grafana-ocp:latest"
      when:
        - install_prometheus | d(False) | bool
        - osrelease is version_compare("3.10", ">=")

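# Run the openshift-ansible Grafana playbook from the bastion on 3.10+ and
# grant admin_user the admin role on the resulting project.
- name: Install Grafana (3.10+)
  hosts:
    - bastions
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - install_prometheus
  tasks:
    # install_prometheus is defaulted to False like in the sibling Prometheus
    # and Grafana plays; the original used a bare `install_prometheus|bool`,
    # which errors when the variable is not set at all.
    - when:
        - install_prometheus | d(False) | bool
        - osrelease is version_compare("3.10", ">=")
      block:
        # Existence of the project is the "already installed" marker.
        - name: Check if Grafana is already there
          command: "oc get project openshift-grafana"
          register: grafana_exists
          changed_when: false
          ignore_errors: true

        # Nested ansible-playbook run against the bastion's inventory.
        - name: Run Grafana Installation Playbook
          shell: "ansible-playbook -i /etc/ansible/hosts /usr/share/ansible/openshift-ansible/playbooks/openshift-grafana/config.yml"
          when: grafana_exists is failed

        # Project-scoped admin role (not cluster-wide): lets admin_user manage
        # the Grafana project's resources and its role bindings.
        - name: Add admin permissions to admin_user for Grafana project
          shell: "oc policy add-role-to-user admin {{ admin_user }} -n openshift-grafana"
          when: grafana_exists is failed
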
# Update Firewall Rules for Node Exporter to work (3.10 and onwards).
- name: Node Exporter and Grafana Configuration (3.10+)
  hosts:
    - nodes
    - infranodes
    - masters
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - install_prometheus
  tasks:
    - when:
        - install_prometheus | d(False) | bool
        - osrelease is version_compare("3.10", ">=")
        - osrelease is version_compare("3.10.34", "<")
      block:
        # Node Exporters on all Nodes listen on port 9100.
        # NOTE(security): neither rule below carries a source restriction, so
        # host-level metrics on 9100 are reachable from anywhere that can
        # reach the node. Acceptable only if the security group / network
        # already limits that; otherwise add a source (`-s <CIDR>` /
        # `source:`) to both rules.
        #
        # Persist the rule for future sessions by adding it to the iptables file ...
        - name: Open Firewall port 9100 for future sessions
          lineinfile:
            dest: /etc/sysconfig/iptables
            insertafter: '-A FORWARD -j REJECT --reject-with icmp-host-prohibited'
            line: '-A OS_FIREWALL_ALLOW -p tcp -m state --state NEW -m tcp --dport 9100 -j ACCEPT'
            state: present

        # ... and insert it into the live ruleset, so no iptables restart is
        # needed and all OpenShift rules stay in place.
        - name: Open Firewall Port 9100 for current session
          iptables:
            chain: OS_FIREWALL_ALLOW
            action: insert
            protocol: tcp
            destination_port: 9100
            jump: ACCEPT
            state: present

# Optional workshop customisation of the Service Catalog UI.
- name: Customize Service Catalog UI for workshops
  hosts: masters
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tasks:
    - name: Customize Service Catalog UI for workshops
      include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-enable-custom-catalog"
      when: enable_workshops_catalog | d(False) | bool
      tags:
        - env-specific
        - custom_ui

# Nexus 3 into the admin project (off by default).
- name: Install Nexus
  hosts: masters
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tasks:
    - include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-nexus"
      vars:
        desired_project: "{{ admin_project }}"
        nexus_version: "3"
      when: install_nexus | d(False) | bool
      tags:
        - env-specific
        - install_nexus

# AWS Service Broker (off by default).
- name: Install AWS Broker
  hosts: masters
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - install_aws_broker
  tasks:
    - include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-aws-service-broker"
      when: install_aws_broker | d(False) | bool

# Ansible (Automation) Service Broker catalog update (off by default).
- name: Update Ansible (Automation) Broker to show images from DockerHub
  hosts: masters
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - install_openshiftapb
  tasks:
    # NOTE(security): per the play name this surfaces Docker Hub (public,
    # unvetted) images in the broker catalog; what the role actually
    # configures is not visible from here.
    - name: Update ASB
      include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/openshift-ansible-broker"
      when: install_openshiftapb | d(False) | bool

# Maistra (Istio), off by default; the role receives the public master URL.
- name: Install Maistra (Istio)
  hosts: masters
  run_once: true
  gather_facts: false
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - env-specific
    - install_maistra
  tasks:
    - name: Install Maistra
      include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/ocp-infra-maistra"
      vars:
        openshift_master_public: "{{ master_lb_dns }}"
      when: install_maistra | d(False) | bool

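# WK Added for RHTE
# Install Infrastructure workloads first
- name: Install ocp-infra workloads
  hosts: masters
  gather_facts: false
  run_once: true
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  tasks:
    # infra_workloads is a comma-separated list of role names under roles/.
    - name: Install ocp-infra workloads
      when: infra_workloads | d("") | length > 0
      block:
        - name: Check if admin_user is set
          fail:
            msg: admin_user must be set for ocp-infra workloads
          when: admin_user is not defined or admin_user | length == 0

        # The original wrapped this in a second block that repeated the outer
        # `infra_workloads` condition; it added nothing and was flattened.
        #
        # The original also passed `admin_user: "{{ admin_user }}"` as a role
        # var. It was dropped: admin_user is already visible to the role from
        # this play's vars_files, and a variable defined in terms of itself is
        # a known trigger of Ansible's "recursive loop detected in template
        # string" error. NOTE(review): if a workload role shadows admin_user
        # in its own vars/main.yml, that role needs a differently named param.
        - name: Deploy ocp-infra workloads
          include_role:
            name: "{{ ANSIBLE_REPO_PATH }}/roles/{{ workload_loop_var }}"
          vars:
            ocp_username: "{{ admin_user }}"
            ACTION: "provision"
          loop: "{{ infra_workloads.split(',') | list }}"
          loop_control:
            loop_var: workload_loop_var
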
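# Install User Workloads second
- name: Install ocp-workload workloads for multiple Users
  hosts: masters
  gather_facts: false
  run_once: true
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  tasks:
    - name: Install ocp-workloads
      when:
        - num_users | d(0) | int > 0
        - student_workloads | d("") | length > 0
      block:
        # The per-user roles are keyed on userN names, presumably the accounts
        # the htpasswd identity provider creates — hence the hard requirement.
        - name: Check if authentication mechanism is set to htpasswd
          fail:
            msg: Authentication Mechanism must be htpasswd
          when: install_idm | d("") != "htpasswd"

        - name: Check if remove_self_provisioners=true
          fail:
            msg: remove_self_provisioners must be set to true
          tags:
            - remove_self_provisioners
          when: not remove_self_provisioners | d(False) | bool

        # 1..num_users inclusive, as ints. range() replaces the original
        # sequence lookup, whose argument embedded a nested "{{ }}" inside an
        # already-templated string — a deprecated construct that newer Ansible
        # releases warn about.
        - name: Generate list of User IDs
          set_fact:
            users: "{{ range(1, num_users | int + 1) | list }}"

        # Cartesian product: every student workload role for every user ID.
        - name: Deploy ocp-workloads for each user ID
          include_role:
            name: "{{ ANSIBLE_REPO_PATH }}/roles/{{ workload_loop_var[1] }}"
          vars:
            ocp_username: "user{{ workload_loop_var[0] }}"
            ACTION: "provision"
          loop: "{{ users | product(student_workloads.split(',')) | list }}"
          loop_control:
            loop_var: workload_loop_var
# WK Added for RHTE End
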
# Zabbix monitoring on the masters: base client plus master and node checks.
# Facts are gathered because (presumably) the zabbix roles need them.
- name: Zabbix for masters
  hosts: masters
  gather_facts: true
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  vars:
    zabbix_auto_registration_keyword: OCP Master
  tags:
    - env-specific
    - install_zabbix
  tasks:
    - when: install_zabbix | bool
      block:
        - include_role:
            name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client"
        - include_role:
            name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-master"
        - include_role:
            name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-node"

# Zabbix monitoring on application and infra nodes. The token and Hawkular
# route are read from the first master's hostvars (presumably set there by
# the master play's roles — not visible from here).
- name: Zabbix for nodes
  hosts:
    - nodes
    - infranodes
  gather_facts: true
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  vars:
    zabbix_auto_registration_keyword: OCP Node
    zabbix_token: "{{ hostvars[groups['masters'][0]].zabbix_token }}"
    hawkular_route: "{{ hostvars[groups['masters'][0]].hawkular_route }}"
  tags:
    - env-specific
    - install_zabbix
  tasks:
    - when: install_zabbix | bool
      block:
        - include_role:
            name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client"
        - include_role:
            name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-node"

# Plain Zabbix client on the remaining hosts.
- name: Zabbix for all other hosts (bastion, support, ...)
  hosts:
    - bastions
    - support
  gather_facts: true
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  vars:
    zabbix_auto_registration_keyword: OCP Host
  tags:
    - env-specific
    - install_zabbix
  tasks:
    - include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client"
      when: install_zabbix | bool

# start supporting this only for OCP >= 3.9
- name: Run diagnostics from master
  hosts: masters
  become: true
  gather_facts: false
  run_once: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tasks:
    - when:
        - osrelease is version_compare('3.9', '>=')
        - run_ocp_diagnostics | d(False) | bool
      block:
        # Expected to exit 0. The result is only recorded here and the
        # failure surfaced at the end, so the logs are archived and fetched
        # first.
        # NOTE(security): output goes to fixed, predictable paths under /tmp
        # on the master, written as root. Tolerable for a lab, but a
        # root-owned directory (or `tempfile`) would be safer.
        - name: Run oc adm diagnostics
          shell: oc adm diagnostics > /tmp/diagnostics.log
          register: r_diag
          until: r_diag is succeeded
          retries: 2
          ignore_errors: true

        - name: Ensure /tmp/openshift exist
          file:
            path: /tmp/openshift
            state: directory

        # oc adm diagnostics logs everything in /tmp/openshift
        - name: Create an archive of diagnostics output logs
          archive:
            path:
              - /tmp/openshift
              - /tmp/diagnostics.log
            dest: /tmp/diagnostics.tar.gz

        # The archive lands in the controller's workdir; treat it as
        # sensitive, as diagnostics output can describe cluster internals.
        - name: Fetch the diagnostic archive and logs
          fetch:
            src: /tmp/diagnostics.tar.gz
            dest: "{{ ANSIBLE_REPO_PATH }}/workdir/{{ project_tag }}_diagnostics.tar.gz"
            flat: true

        - name: Report diagnostics failure
          fail:
            msg: "FAIL {{ project_tag }} Diagnostics"
          when: r_diag is failed

# Optional IPA client enrolment of the bastion (needs env_secret_vars.yml).
- name: Configure IPA on bastion
  hosts: bastions
  become: true
  gather_facts: false
  run_once: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  tasks:
    - include_role:
        name: "{{ ANSIBLE_REPO_PATH }}/roles/bastion-opentlc-ipa"
      when: install_ipa_client | bool

# Marker play: reaching it means every post-software play above completed.
- name: PostSoftware flight-check
  hosts: localhost
  connection: local
  gather_facts: false
  become: false
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - post_flight_check
  tasks:
    - debug:
        msg: "Post-Software checks completed successfully"

# Collect facts from every host for the report play that follows.
- name: Gather facts
  hosts:
    - all
  gather_facts: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
  tags:
    - ocp_report

# Render the deployment report on the controller. The AWS credentials come
# from env_secret_vars.yml and are used only to enumerate the project's
# running instances.
- name: Generate reports
  hosts: localhost
  connection: local
  become: false
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  tags:
    - ocp_report
  vars:
    env_all_hosts: all
  tasks:
    # Presumably consumed by ocp_report.adoc.j2 to record the deployer version.
    - name: get repo version used to deploy
      command: git rev-parse HEAD
      args:
        chdir: "{{ ANSIBLE_REPO_PATH }}"
      register: ansible_agnostic_deployer_head

    # NOTE(review): ec2_remote_facts was deprecated and later removed from
    # Ansible (ec2_instance_facts / ec2_instance_info replaced it) — confirm
    # it still exists in the Ansible version this repo targets. Its result is
    # not registered here either; if the report template expects the instance
    # list, nothing in this play delivers it — verify.
    - name: Gather ec2 facts
      ec2_remote_facts:
        aws_access_key: "{{ aws_access_key_id }}"
        aws_secret_key: "{{ aws_secret_access_key }}"
        region: "{{ aws_region_final | d(aws_region) }}"
        filters:
          instance-state-name: running
          "tag:Project": "{{ project_tag }}"
      when:
        - ocp_report | bool
        - cloud_provider == 'ec2'

    - name: Generate report
      template:
        src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/ocp_report.adoc.j2"
        dest: "{{ ANSIBLE_REPO_PATH }}/workdir/ocp_report_{{ env_type }}-{{ guid }}.adoc"
      when:
        - ocp_report | bool
        - cloud_provider == 'ec2'