---
|
- name: Step 00xxxxx post software
|
hosts: support
|
gather_facts: False
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tasks:
|
- name: Create user vols
|
shell: "mkdir -p /srv/nfs/user-vols/vol{1..{{user_vols}}}"
|
- name: chmod the user vols
|
shell: "chmod -R 777 /srv/nfs/user-vols"
|
|
- name: Step 00xxxxx post software
|
hosts: bastions
|
run_once: true
|
gather_facts: False
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
roles:
|
- role: "{{ ANSIBLE_REPO_PATH }}/roles/openshift-ansible-broker"
|
tasks:
|
- name: get nfs Hostname
|
set_fact:
|
nfs_host: "{{ groups['support']|sort|first }}"
|
|
- set_fact:
|
pv_size: '10Gi'
|
pv_list: "{{ ocp_pvs }}"
|
persistentVolumeReclaimPolicy: Retain
|
|
- name: Generate PV file
|
template:
|
src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/pvs.j2"
|
dest: "/root/pvs-{{ env_type }}-{{ guid }}.yml"
|
tags: [ gen_pv_file ]
|
when: pv_list.0 is defined
|
|
- set_fact:
|
pv_size: "{{user_vols_size}}"
|
persistentVolumeReclaimPolicy: Recycle
|
|
notify: restart nfs services
|
run_once: True
|
|
- name: Generate user vol PV file
|
template:
|
src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/userpvs.j2"
|
dest: "/root/userpvs-{{ env_type }}-{{ guid }}.yml"
|
tags:
|
- gen_user_vol_pv
|
|
- shell: 'oc create -f /root/pvs-{{ env_type }}-{{ guid }}.yml || oc replace -f /root/pvs-{{ env_type }}-{{ guid }}.yml'
|
tags:
|
- create_user_pv
|
when: pv_list.0 is defined
|
|
- shell: 'oc create -f /root/userpvs-{{ env_type }}-{{ guid }}.yml || oc replace -f /root/userpvs-{{ env_type }}-{{ guid }}.yml'
|
tags:
|
- create_user_pv
|
|
- name: For CNS change default storage class to glusterfs-storage
|
hosts: masters
|
run_once: true
|
become: yes
|
gather_facts: False
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tags:
|
- env-specific
|
- env-specific_infra
|
- storage-class
|
tasks:
|
- when:
|
- osrelease is version_compare('3.9.27', '>=')
|
- install_glusterfs|bool
|
block:
|
- name: Set glusterfs-storage class to default
|
command: >
|
oc patch storageclass glusterfs-storage
|
-p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "true"}}}'
|
register: changesc_r
|
failed_when:
|
- changesc_r.stdout.find('storageclass "glusterfs-storage" not patched') == -1
|
- changesc_r.rc != 0
|
changed_when: changesc_r.stdout.find('storageclass "glusterfs-storage" patched') != -1
|
|
- name: Remove default from glusterfs-storage-block class
|
register: changesc_r
|
changed_when: changesc_r.stdout.find('storageclass "glusterfs-storage-block" patched') != -1
|
failed_when:
|
- changesc_r.stdout.find('storageclass "glusterfs-storage-block" not patched') == -1
|
- changesc_r.rc != 0
|
command: >
|
oc patch storageclass glusterfs-storage-block
|
-p '{"metadata": {"annotations": {"storageclass.kubernetes.io/is-default-class": "false"}}}'
|
|
- name: Configure Bastion for CF integration
|
hosts: bastions
|
become: yes
|
gather_facts: False
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/mgr_users.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
|
tags:
|
- env-specific
|
- cf_integration
|
- opentlc_integration
|
roles:
|
- role: "{{ ANSIBLE_REPO_PATH }}/roles/opentlc-integration"
|
when: install_opentlc_integration
|
no_log: yes
|
tasks:
|
- name: Copy /root/.kube to ~opentlc-mgr/
|
command: "cp -rf /root/.kube /home/opentlc-mgr/"
|
when: install_opentlc_integration == true
|
|
- name: set permission for .kube
|
when: install_opentlc_integration == true
|
file:
|
path: /home/opentlc-mgr/.kube
|
owner: opentlc-mgr
|
group: opentlc-mgr
|
recurse: yes
|
|
# sssd bug, fixed by restart
|
- name: restart sssd
|
service:
|
name: sssd
|
state: restarted
|
when: install_ipa_client
|
register: sssd_restart_result
|
retries: 6
|
delay: 10
|
until: sssd_restart_result is succeeded
|
|
- name: env-specific infrastructure
|
hosts: masters
|
run_once: true
|
become: yes
|
gather_facts: False
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tags:
|
- env-specific
|
- env-specific_infra
|
tasks:
|
- name: Command to enable the wildcard routes in the OCP cluster for 3scale
|
shell: "oc set env dc/router ROUTER_ALLOW_WILDCARD_ROUTES=true -n default"
|
|
- name: Give administrative user cluster-admin privileges
|
command: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}"
|
|
- name: Check for admin_project project
|
command: "oc get project {{admin_project}}"
|
register: result
|
changed_when: false
|
ignore_errors: true
|
|
- name: Create admin_project project
|
command: "oc adm new-project {{admin_project}} --admin {{admin_user}} --node-selector='env=infra'"
|
when: result | failed
|
|
- name: Make admin_project project network global
|
command: "oc adm pod-network make-projects-global {{admin_project}}"
|
when: 'ovs_plugin == "multitenant"'
|
|
- name: Set admin_project SCC for anyuid
|
command: "oc adm policy add-scc-to-group anyuid system:serviceaccounts:{{admin_project}}"
|
|
- name: Add capabilities within anyuid which is not really ideal
|
command: "oc patch scc/anyuid --patch '{\"requiredDropCapabilities\":[\"MKNOD\",\"SYS_CHROOT\"]}'"
|
ignore_errors: true
|
|
- name: Set Node Selector to empty for project openshift-template-service-broker
|
shell: oc annotate namespace openshift-template-service-broker openshift.io/node-selector="" --overwrite
|
ignore_errors: true
|
when:
|
- osrelease | version_compare('3.7', '>=')
|
|
- name: Remove all users from self-provisioners group
|
hosts: masters
|
run_once: true
|
become: yes
|
gather_facts: False
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tags: [ env-specific, remove_self_provisioners ]
|
tasks:
|
- name: Set clusterRoleBinding auto-update to false
|
command: oc annotate -n default --overwrite clusterrolebinding.rbac self-provisioners rbac.authorization.kubernetes.io/autoupdate=false
|
when: remove_self_provisioners
|
|
- name: Remove system:authenticated from self-provisioner role
|
shell: "oadm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth"
|
ignore_errors: true
|
when: remove_self_provisioners
|
|
- name: create our own OPENTLC-PROJECT-PROVISIONERS
|
shell: "oadm groups new OPENTLC-PROJECT-PROVISIONERS"
|
ignore_errors: true
|
when: remove_self_provisioners
|
|
- name: allow OPENTLC-PROJECT-PROVISIONERS members to provision their own projects
|
shell: "oadm policy add-cluster-role-to-group self-provisioner OPENTLC-PROJECT-PROVISIONERS"
|
when: remove_self_provisioners
|
|
- name: Project Request Template
|
hosts: masters
|
gather_facts: False
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tags:
|
- env-specific
|
- project_request
|
tasks:
|
- name: Copy project request template to master
|
copy:
|
src: ./files/project-template.yml
|
dest: /root/project-template.yml
|
|
- name: Check for project request template
|
command: "oc get template project-request -n default"
|
register: request_template
|
ignore_errors: true
|
|
- name: Create project request template in default project
|
shell: "oc create -f /root/project-template.yml -n default || oc replace -f /root/project-template.yml -n default"
|
when: request_template | failed
|
|
- name: Update master config file to use project request template
|
lineinfile:
|
regexp: " projectRequestTemplate"
|
dest: "/etc/origin/master/master-config.yaml"
|
line: ' projectRequestTemplate: "default/project-request"'
|
state: present
|
register: master_config
|
|
- name: Add Project request message
|
replace:
|
dest: '/etc/origin/master/master-config.yaml'
|
regexp: 'projectRequestMessage.*'
|
replace: "projectRequestMessage: '{{project_request_message}}'"
|
backup: yes
|
|
- name: Restart master service
|
service:
|
name: atomic-openshift-master-api
|
state: restarted
|
when:
|
- master_config.changed
|
- osrelease | version_compare('3.7', '>=')
|
|
- name: Restart master service
|
service:
|
name: atomic-openshift-master
|
state: restarted
|
when:
|
- master_config.changed
|
- osrelease | version_compare('3.7', '<')
|
|
- name: node admin configs
|
hosts: nodes
|
gather_facts: False
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tags:
|
- env-specific
|
- env_specific_images
|
tasks:
|
- name: 'Pull image'
|
command: "docker pull {{ item }}"
|
with_items: '{{ env_specific_images }}'
|
when: env_specific_images.0 is defined
|
|
- name: Import jenkins images for OCP 3.7 and newer
|
hosts: masters
|
run_once: true
|
become: yes
|
gather_facts: False
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tags:
|
- env-specific
|
- env_specific_images
|
tasks:
|
- name: tag jenkins
|
command: oc tag --source=docker registry.access.redhat.com/openshift3/jenkins-2-rhel7:v{{ repo_version }} openshift/jenkins:v{{ repo_version }} -n openshift
|
when: osrelease | version_compare('3.7', '>=')
|
ignore_errors: true
|
|
- name: tag jenkins
|
command: oc tag openshift/jenkins:v{{ repo_version }} openshift/jenkins:latest -n openshift
|
register: octag_result
|
when: osrelease | version_compare('3.7', '>=')
|
retries: 5
|
delay: 2
|
until: octag_result|succeeded
|
ignore_errors: true
|
|
- name: Fix NFS PV Recycling for OCP 3.7 and newer
|
gather_facts: False
|
become: yes
|
hosts:
|
- nodes
|
- infranodes
|
- masters
|
tasks:
|
- name: Pull ose-recycler Image
|
command: docker pull registry.access.redhat.com/openshift3/ose-recycler:latest
|
register: pullr
|
retries: 5
|
delay: 10
|
until: pullr|succeeded
|
when: osrelease | version_compare('3.7', '>=')
|
|
- name: Tag ose-recycler Image
|
command: "docker tag registry.access.redhat.com/openshift3/ose-recycler:latest registry.access.redhat.com/openshift3/ose-recycler:v{{ osrelease }}"
|
when: osrelease | version_compare('3.7', '>=')
|
|
- name: Fix CRI-O Garbage Collection DaemonSet for OCP 3.9 and newer
|
gather_facts: False
|
become: yes
|
hosts: masters
|
run_once: true
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tasks:
|
- name: Patch dockergc DaemonSet
|
shell: "oc patch daemonset dockergc --patch='\"spec\": { \"template\": { \"spec\": { \"containers\": [ { \"command\": [ \"/usr/bin/oc\" ], \"name\": \"dockergc\" } ] } } }' -n default"
|
ignore_errors: true
|
when:
|
- osrelease | version_compare('3.9.0', '>=')
|
- osrelease | version_compare('3.9.25', '<=')
|
- container_runtime == "cri-o"
|
- name: Redeploy dockergc DaemonSet pods
|
shell: "oc delete pod $(oc get pods -n default|grep dockergc|awk -c '{print $1}') -n default"
|
when:
|
- osrelease | version_compare('3.9.0', '>=')
|
- osrelease | version_compare('3.9.25', '<=')
|
- container_runtime == "cri-o"
|
|
# Install OpenWhisk
|
- name: Install OpenWhisk
|
hosts: masters
|
run_once: true
|
gather_facts: False
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tags:
|
- env-specific
|
- install_openwhisk
|
tasks:
|
- import_role:
|
name: "{{ ANSIBLE_REPO_PATH }}/roles/install-openwhisk"
|
when:
|
- install_openwhisk|bool
|
|
# Set up Prometheus/Node Exporter/Alertmanager/Grafana
|
# on the OpenShift Cluster
|
- name: Install Prometheus and Grafana
|
gather_facts: False
|
become: yes
|
hosts:
|
- nodes
|
- infranodes
|
- masters
|
- bastions
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
|
tags:
|
- install_prometheus
|
tasks:
|
- import_role:
|
name: "{{ ANSIBLE_REPO_PATH }}/roles/install-prometheus"
|
when: install_prometheus|bool
|
|
- name: Install Nexus
|
hosts: masters
|
run_once: true
|
gather_facts: False
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
roles:
|
- { role: "{{ ANSIBLE_REPO_PATH }}/roles/install-nexus", desired_project: "{{admin_project}}", nexus_version: "3" }
|
tags:
|
- env-specific
|
- install_nexus
|
|
- name: Install AWS Broker
|
hosts: masters
|
run_once: true
|
gather_facts: False
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
tags:
|
- env-specific
|
- install_aws_broker
|
tasks:
|
- import_role:
|
name: "{{ ANSIBLE_REPO_PATH }}/roles/install-aws-broker"
|
when:
|
- install_aws_broker|bool
|
|
- name: Zabbix for masters
|
hosts: masters
|
gather_facts: true
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
|
vars:
|
zabbix_auto_registration_keyword: OCP Master
|
roles:
|
- role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client"
|
when: install_zabbix
|
- role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-master"
|
when: install_zabbix
|
- role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-node"
|
when: install_zabbix
|
tags:
|
- env-specific
|
- install_zabbix
|
|
- name: Zabbix for nodes
|
hosts:
|
- nodes
|
- infranodes
|
gather_facts: true
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
|
vars:
|
zabbix_auto_registration_keyword: OCP Node
|
zabbix_token: "{{ hostvars[groups['masters'][0]].zabbix_token }}"
|
hawkular_route: "{{ hostvars[groups['masters'][0]].hawkular_route }}"
|
roles:
|
- role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client"
|
when: install_zabbix
|
- role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-node"
|
when: install_zabbix
|
tags:
|
- env-specific
|
- install_zabbix
|
|
- name: Zabbix for all other hosts (bastion, support, ...)
|
hosts:
|
- bastions
|
- support
|
gather_facts: true
|
become: yes
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
|
vars:
|
zabbix_auto_registration_keyword: OCP Host
|
roles:
|
- role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client"
|
when: install_zabbix
|
tags:
|
- env-specific
|
- install_zabbix
|
|
- name: PostSoftware flight-check
|
hosts: localhost
|
connection: local
|
gather_facts: false
|
become: false
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
|
tags:
|
- post_flight_check
|
tasks:
|
- debug:
|
msg: "Post-Software checks completed successfully"
|
|
- name: Gather facts
|
hosts:
|
- all
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
|
gather_facts: true
|
tags:
|
- ocp_report
|
|
- name: Generate reports
|
hosts: localhost
|
connection: local
|
become: false
|
|
vars_files:
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
|
- "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
|
tags:
|
- ocp_report
|
vars:
|
env_all_hosts: all
|
tasks:
|
- name: get repo version used to deploy
|
command: git rev-parse HEAD
|
args:
|
chdir: "{{ ANSIBLE_REPO_PATH }}"
|
register: ansible_agnostic_deployer_head
|
|
- name: Gather ec2 facts
|
ec2_remote_facts:
|
aws_access_key: "{{ aws_access_key_id }}"
|
aws_secret_key: "{{ aws_secret_access_key }}"
|
region: "{{ aws_region }}"
|
when:
|
- ocp_report
|
- cloud_provider == 'ec2'
|
- name: Generate report
|
template:
|
src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/ocp_report.adoc.j2"
|
dest: "{{ ANSIBLE_REPO_PATH }}/workdir/ocp_report_{{ env_type }}-{{ guid }}.adoc"
|
when:
|
- ocp_report
|
- cloud_provider == 'ec2'
|