---
|
- name: Step 00xxxxx post software
|
hosts: bastions
|
become: no
|
gather_facts: False
|
environment:
|
KUBECONFIG: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig
|
tasks:
|
- debug:
|
msg: "Post-Software Steps starting"
|
|
- name: Configure Bastion for CF integration
|
hosts: bastions
|
become: yes
|
gather_facts: False
|
tags:
|
- env-specific
|
- cf_integration
|
- opentlc_integration
|
tasks:
|
- when: install_opentlc_integration|bool
|
block:
|
- name: Include mgr_users vars
|
include_vars:
|
file: mgr_users.yml
|
|
- name: Configure Bastion
|
include_role:
|
name: opentlc-integration
|
vars:
|
no_log: yes
|
|
- name: Configure opentlc-mgr, root and {{ remote_user }} when OpenShift installed
|
when:
|
- install_ocp4 | d(False) | bool
|
block:
|
- name: Create .kube for opentlc-mgr user
|
file:
|
path: /home/opentlc-mgr/.kube
|
state: directory
|
owner: opentlc-mgr
|
group: opentlc-mgr
|
|
- name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~opentlc-mgr
|
copy:
|
src: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig
|
dest: /home/opentlc-mgr/.kube/config
|
remote_src: yes
|
owner: opentlc-mgr
|
group: opentlc-mgr
|
mode: 0600
|
|
- name: Set up Student User
|
when: install_student_user | bool
|
block:
|
- name: Create .kube for {{ student_name }} user
|
file:
|
path: /home/{{ student_name }}/.kube
|
state: directory
|
owner: "{{ student_name }}"
|
|
- name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~{{ student_name }}
|
copy:
|
src: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig
|
dest: /home/{{ student_name }}/.kube/config
|
remote_src: yes
|
owner: "{{ student_name }}"
|
mode: 0600
|
|
- name: Setup mount bind for cluster directory
|
become: yes
|
mount:
|
path: /home/{{ student_name }}/{{ cluster_name }}
|
src: /home/{{ remote_user }}/{{ cluster_name }}
|
fstype: none
|
opts: defaults,bind,ro
|
state: mounted
|
|
- name: Create OpenShift Bash completion file
|
shell: oc completion bash >/etc/bash_completion.d/openshift
|
|
- name: Configure bashrc to include KUBECONFIG
|
shell: "echo export KUBECONFIG=/home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig >> /home/{{ remote_user }}/.bashrc"
|
|
- name: Set up Authentication
|
hosts: bastions
|
become: False
|
gather_facts: False
|
run_once: true
|
tags:
|
- env-specific
|
- setup-authentication
|
tasks:
|
- when:
|
- install_ocp4 | d(False) | bool
|
- install_idm is defined
|
environment:
|
KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
|
block:
|
- name: Set up htpasswd
|
when:
|
- install_idm == "htpasswd"
|
block:
|
- name: Generate htpasswd hash for user_password
|
shell: >-
|
htpasswd -nb "userN" "{{ user_password }}"|cut -d: -f2
|
register: htpasswd_line
|
when:
|
- user_password is defined
|
- user_password_hash is not defined
|
|
- name: Set fact user_password_hash
|
set_fact:
|
user_password_hash: "{{ htpasswd_line.stdout }}"
|
when:
|
- user_password is defined
|
- user_password_hash is not defined
|
- htpasswd_line is succeeded
|
|
- name: Generate htpasswd hash for admin user
|
shell: >-
|
htpasswd -nb "admin" "{{ admin_password }}"|cut -d: -f2
|
register: htpasswd_line
|
when:
|
- admin_password_hash is not defined
|
- admin_password is defined
|
|
- name: Set fact admin_password_hash
|
set_fact:
|
admin_password_hash: "{{ htpasswd_line.stdout }}"
|
when:
|
- admin_password is defined
|
- admin_password_hash is not defined
|
- htpasswd_line is succeeded
|
- name: Set fact user_count
|
set_fact:
|
user_count: 200
|
when:
|
- user_count is not defined
|
|
- name: Generate htpasswd file
|
template:
|
src: "./files/htpasswd.j2"
|
dest: "/home/{{ ansible_user }}/users.htpasswd"
|
owner: "{{ ansible_user }}"
|
mode: 0664
|
- name: Upload OAuth Configuration File
|
copy:
|
src: "./files/oauth-htpasswd.yaml"
|
dest: "/home/{{ ansible_user }}/oauth-htpasswd.yaml"
|
owner: "{{ ansible_user }}"
|
mode: 0664
|
- name: Create htpasswd Secret
|
command: oc create secret generic htpasswd-secret -n openshift-config --from-file=htpasswd=$HOME/users.htpasswd
|
ignore_errors: true
|
- name: Update OAuth Configuration
|
shell: "oc apply -f /home/{{ ansible_user }}/oauth-htpasswd.yaml"
|
|
- name: Set up OpenTLC LDAP
|
when:
|
- install_idm == "ldap"
|
block:
|
- name: Check for LDAP Bind Password
|
fail:
|
msg: LDAP Authentication is configured but LDAP BindPassword (bindPassword) is not defined.
|
when: bindPassword is not defined
|
- name: Get IPA CA Cert
|
get_url:
|
url: "{{ idm_ca_url }}"
|
dest: "/home/{{ ansible_user }}/ipa-ca.crt"
|
mode: 0660
|
- name: Create IPA CA Cert ConfigMap
|
shell: "oc create configmap opentlc-ldap-ca-cert --from-file=ca.crt=/home/{{ ansible_user }}/ipa-ca.crt -n openshift-config"
|
ignore_errors: true
|
- name: Create LDAP Bind Password Secret
|
shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ bindPassword }}\" -n openshift-config"
|
ignore_errors: true
|
- name: Upload OAuth Configuration File
|
copy:
|
src: "./files/oauth-opentlc-ldap.yaml"
|
dest: "/home/{{ ansible_user }}/oauth-opentlc-ldap.yaml"
|
owner: "{{ ansible_user }}"
|
mode: 0664
|
- name: Update OAuth Configuration
|
shell: "oc apply -f /home/{{ ansible_user }}/oauth-opentlc-ldap.yaml"
|
|
- name: Set up Admin User
|
when: admin_user is defined
|
shell: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}"
|
# try for 5 minutes
|
retries: 30
|
delay: 10
|
register: r_setup_admin_user
|
until: r_setup_admin_user is succeeded
|
|
- name: Remove kubeadmin User
|
when:
|
- admin_user is defined
|
- install_idm != "none"
|
- auth_remove_kubeadmin
|
command: oc delete secret kubeadmin -n kube-system
|
ignore_errors: true
|
|
- name: PostSoftware flight-check
|
hosts: bastions
|
run_once: yes
|
gather_facts: false
|
become: false
|
tags:
|
- post_flight_check
|
tasks:
|
- when:
|
- install_ocp4 | d(False) | bool
|
environment:
|
KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
|
ignore_errors: yes
|
block:
|
- name: Get API for command line
|
command: oc whoami --show-server
|
register: showserver
|
|
- when: webconsole is not defined
|
block:
|
- name: Get console route
|
command: oc get route -n openshift-console console -o json
|
register: routeconsole
|
retries: 10
|
delay: 30
|
until: routeconsole is succeeded
|
ignore_errors: yes
|
|
- name: Set webconsole address
|
set_fact:
|
webconsole: "http://{{ routeconsole.stdout | from_json | json_query('spec.host') }}"
|
when: routeconsole is succeeded
|
|
- name: Check DNS webconsole
|
command: nslookup "{{ webconsole | urlsplit('hostname') }}"
|
register: checkdnswebconsole
|
changed_when: false
|
retries: 15
|
until: checkdnswebconsole is succeeded
|
delay: 30
|
|
- name: Check DNS API
|
command: nslookup "{{ showserver.stdout | trim | urlsplit('hostname') }}"
|
register: checkdnsapi
|
changed_when: false
|
|
- name: Webconsole
|
uri:
|
url: "{{ webconsole }}"
|
validate_certs: no
|
register: testwebconsole
|
retries: 5
|
until: testwebconsole is succeeded
|
delay: 60
|
|
- name: Cluster-info
|
command: oc cluster-info
|
register: clusterinfor
|
changed_when: false
|
|
- name: Create project
|
command: oc new-project postflightcheck
|
register: newproject
|
|
- name: New-app
|
command: oc new-app cakephp-mysql-persistent -n postflightcheck
|
register: newapp
|
|
- name: Wait for mysql
|
command: timeout 300 oc rollout status dc/mysql -w -n postflightcheck
|
register: mysqlw
|
changed_when: false
|
|
- name: Wait for php
|
command: timeout 300 oc rollout status dc/cakephp-mysql-persistent -w -n postflightcheck
|
register: phpw
|
changed_when: false
|
retries: 2
|
delay: 60
|
until: phpw is succeeded
|
|
- name: Get route
|
command: >-
|
oc get route
|
-l template=cakephp-mysql-persistent
|
--no-headers
|
-o json
|
-n postflightcheck
|
register: getroute
|
changed_when: false
|
retries: 10
|
delay: 5
|
until: getroute is succeeded
|
|
- name: Test that route is reachable
|
uri:
|
url: "http://{{ getroute.stdout|from_json|json_query('items[0].spec.host') }}"
|
register: testroute
|
retries: 15
|
delay: 5
|
until: testroute is succeeded
|
|
- name: Delete project
|
command: oc delete project postflightcheck
|
|
- name: Switch back to default project
|
command: oc project default
|
|
- agnosticd_user_info:
|
msg: "{{ item }}"
|
loop:
|
- ""
|
- "Post Flight Check"
|
- "DNS Web Console ............... {{ 'OK' if checkdnswebconsole.rc == 0 else 'FAIL' }}"
|
- "DNS API ....................... {{ 'OK' if checkdnsapi.rc == 0 else 'FAIL' }}"
|
- "Web console ................... {{ 'OK' if testwebconsole is succeeded else 'FAIL' }}"
|
- "API ........................... {{ 'OK' if clusterinfor.rc == 0 else 'FAIL' }}"
|
- "Create Project with PV ........ {{ 'OK' if newproject.rc == 0 else 'FAIL' }}"
|
- "App deployed .................. {{ 'OK' if phpw.rc == 0 and mysqlw.rc == 0 else 'FAIL' }}"
|
- "Route ......................... {{ 'OK' if testroute is succeeded else 'FAIL' }}"
|
|
- when:
|
- smoke_tests | bool
|
- >-
|
checkdnswebconsole.rc != 0
|
or checkdnsapi.rc != 0
|
or testwebconsole is failed
|
or clusterinfor.rc != 0
|
or newproject.rc != 0
|
or phpw.rc != 0
|
or mysqlw.rc != 0
|
or testroute is failed
|
fail:
|
msg: "FAIL Smoke tests"
|
ignore_errors: no
|
|
- name: Deploy Default, Infra and Student Workloads
|
import_playbook: ocp_workloads.yml
|
|
- name: Enable Cluster Shutdown and Resume
|
hosts: bastions
|
run_once: yes
|
gather_facts: false
|
become: false
|
tasks:
|
- when:
|
- install_ocp4 | d(False) | bool
|
- ocp4_enable_cluster_shutdown | d(True) | bool
|
environment:
|
KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
|
ignore_errors: yes
|
block:
|
- name: Create Daemon Set to renew Bootstrap Credentials
|
k8s:
|
state: present
|
merge_type:
|
- strategic-merge
|
- merge
|
definition: "{{ lookup('file', './files/kubelet-bootstrap-cred-manager-ds.yaml' ) | from_yaml }}"
|
- name: Delete initial Bootstrap Secrets to force regeneration
|
k8s:
|
state: absent
|
api_version: v1
|
kind: Secret
|
name: "{{ item }}"
|
namespace: openshift-kube-controller-manager-operator
|
loop:
|
- "csr-signer-signer"
|
- "csr-signer"
|
# The next tasks are to fix the bug fixed in https://github.com/openshift/cluster-kube-controller-manager-operator/pull/305
|
# Also the operator dealing with prometheus adapters doesn't watch the certificates.
|
# Need to force it to reconcile
|
- name: Wait 15 seconds before next command
|
pause:
|
seconds: 15
|
- name: Get Config Map Definition
|
shell: oc get configmap extension-apiserver-authentication -n kube-system -o yaml >/tmp/extension-apiserver-authentication.yaml
|
- name: Add an empty line to config map file
|
lineinfile:
|
path: /tmp/extension-apiserver-authentication.yaml
|
firstmatch: true
|
insertafter: '-----END CERTIFICATE-----'
|
line: ''
|
- name: Update Config Map with new file
|
k8s:
|
state: present
|
src: /tmp/extension-apiserver-authentication.yaml
|
- name: Tell CloudForms we are done
|
hosts: bastions
|
run_once: yes
|
gather_facts: false
|
become: false
|
tasks:
|
- debug:
|
msg: "Post-Software checks completed successfully"
|