---
|
- name: Step 00xxxxx post software
|
hosts: bastions
|
become: no
|
gather_facts: False
|
environment:
|
KUBECONFIG: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig
|
tasks:
|
- debug:
|
msg: "Post-Software Steps starting"
|
|
- name: Configure Bastion for CF integration
|
hosts: bastions
|
become: yes
|
gather_facts: False
|
tags:
|
- env-specific
|
- cf_integration
|
- opentlc_integration
|
tasks:
|
- when: install_opentlc_integration|bool
|
block:
|
- name: Include mgr_users vars
|
include_vars:
|
file: mgr_users.yml
|
|
- name: Configure Bastion
|
include_role:
|
name: opentlc-integration
|
vars:
|
no_log: yes
|
|
- name: Configure opentlc-mgr, root and {{ remote_user }} when OpenShift installed
|
when:
|
- install_ocp4 | d(False) | bool
|
block:
|
- name: Create .kube for opentlc-mgr user
|
file:
|
path: /home/opentlc-mgr/.kube
|
state: directory
|
owner: opentlc-mgr
|
group: opentlc-mgr
|
|
- name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~opentlc-mgr
|
copy:
|
src: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig
|
dest: /home/opentlc-mgr/.kube/config
|
remote_src: yes
|
owner: opentlc-mgr
|
group: opentlc-mgr
|
mode: 0600
|
|
- name: Create OpenShift Bash completion file
|
shell: oc completion bash >/etc/bash_completion.d/openshift
|
|
- name: Configure bashrc to include KUBECONFIG
|
shell: "echo export KUBECONFIG=/home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig >> /home/{{ remote_user }}/.bashrc"
|
|
- name: Set up Authentication
|
hosts: bastions
|
become: False
|
gather_facts: False
|
run_once: true
|
tags:
|
- env-specific
|
- setup-authentication
|
tasks:
|
- when:
|
- install_ocp4 | d(False) | bool
|
- install_idm is defined
|
environment:
|
KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
|
block:
|
- name: Set up htpasswd
|
when:
|
- install_idm == "htpasswd"
|
block:
|
- name: Generate htpasswd hash for user_password
|
shell: >-
|
htpasswd -nb "userN" "{{ user_password }}"|cut -d: -f2
|
register: htpasswd_line
|
when:
|
- user_password is defined
|
- user_password_hash is not defined
|
|
- name: Set fact user_password_hash
|
set_fact:
|
user_password_hash: "{{ htpasswd_line.stdout }}"
|
when:
|
- user_password is defined
|
- user_password_hash is not defined
|
- htpasswd_line is succeeded
|
|
- name: Generate htpasswd hash for admin user
|
shell: >-
|
htpasswd -nb "admin" "{{ admin_password }}"|cut -d: -f2
|
register: htpasswd_line
|
when:
|
- admin_password_hash is not defined
|
- admin_password is defined
|
|
- name: Set fact admin_password_hash
|
set_fact:
|
admin_password_hash: "{{ htpasswd_line.stdout }}"
|
when:
|
- admin_password is defined
|
- admin_password_hash is not defined
|
- htpasswd_line is succeeded
|
- name: Set fact user_count
|
set_fact:
|
user_count: 200
|
when:
|
- user_count is not defined
|
|
- name: Generate htpasswd file
|
template:
|
src: "./files/htpasswd.j2"
|
dest: "/home/{{ ansible_user }}/users.htpasswd"
|
owner: "{{ ansible_user }}"
|
mode: 0664
|
- name: Upload OAuth Configuration File
|
copy:
|
src: "./files/oauth-htpasswd.yaml"
|
dest: "/home/{{ ansible_user }}/oauth-htpasswd.yaml"
|
owner: "{{ ansible_user }}"
|
mode: 0664
|
- name: Create htpasswd Secret
|
command: oc create secret generic htpasswd-secret -n openshift-config --from-file=htpasswd=$HOME/users.htpasswd
|
ignore_errors: true
|
- name: Update OAuth Configuration
|
shell: "oc apply -f /home/{{ ansible_user }}/oauth-htpasswd.yaml"
|
|
- name: Set up OpenTLC LDAP
|
when:
|
- install_idm == "ldap"
|
block:
|
- name: Check for LDAP Bind Password
|
fail:
|
msg: LDAP Authentication is configured but LDAP BindPassword (bindPassword) is not defined.
|
when: bindPassword is not defined
|
- name: Get IPA CA Cert
|
get_url:
|
url: "{{ idm_ca_url }}"
|
dest: "/home/{{ ansible_user }}/ipa-ca.crt"
|
mode: 0660
|
- name: Create IPA CA Cert ConfigMap
|
shell: "oc create configmap opentlc-ldap-ca-cert --from-file=ca.crt=/home/{{ ansible_user }}/ipa-ca.crt -n openshift-config"
|
ignore_errors: true
|
- name: Create LDAP Bind Password Secret
|
shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ bindPassword }}\" -n openshift-config"
|
ignore_errors: true
|
- name: Upload OAuth Configuration File
|
copy:
|
src: "./files/oauth-opentlc-ldap.yaml"
|
dest: "/home/{{ ansible_user }}/oauth-opentlc-ldap.yaml"
|
owner: "{{ ansible_user }}"
|
mode: 0664
|
- name: Update OAuth Configuration
|
shell: "oc apply -f /home/{{ ansible_user }}/oauth-opentlc-ldap.yaml"
|
- name: Set up Admin User
|
when:
|
- admin_user is defined
|
shell: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}"
|
- name: Remove kubeadmin User
|
when:
|
- admin_user is defined
|
- install_idm is defined
|
command: oc delete secret kubeadmin -n kube-system
|
ignore_errors: true
|
|
- name: PostSoftware flight-check
|
hosts: bastions
|
run_once: yes
|
gather_facts: false
|
become: false
|
tags:
|
- post_flight_check
|
tasks:
|
- when:
|
- install_ocp4 | d(False) | bool
|
environment:
|
KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
|
ignore_errors: yes
|
block:
|
- name: Check DNS webconsole
|
command: nslookup "{{ webconsole | urlsplit('hostname') }}"
|
register: checkdnswebconsole
|
changed_when: false
|
retries: 15
|
until: checkdnswebconsole is succeeded
|
delay: 30
|
|
- name: Check DNS API
|
command: nslookup "{{ showserver.stdout | trim | urlsplit('hostname') }}"
|
register: checkdnsapi
|
changed_when: false
|
|
- name: Webconsole
|
uri:
|
url: "{{ webconsole }}"
|
validate_certs: no
|
register: testwebconsole
|
retries: 5
|
until: testwebconsole is succeeded
|
delay: 60
|
|
- name: Cluster-info
|
command: oc cluster-info
|
register: clusterinfor
|
changed_when: false
|
|
- name: Create project
|
command: oc new-project postflightcheck
|
register: newproject
|
|
- name: New-app
|
command: oc new-app cakephp-mysql-persistent -n postflightcheck
|
register: newapp
|
|
- name: Wait for mysql
|
command: timeout 300 oc rollout status dc/mysql -w -n postflightcheck
|
register: mysqlw
|
changed_when: false
|
|
- name: Wait for php
|
command: timeout 300 oc rollout status dc/cakephp-mysql-persistent -w -n postflightcheck
|
register: phpw
|
changed_when: false
|
retries: 2
|
delay: 60
|
until: phpw is succeeded
|
|
- name: Get route
|
command: >-
|
oc get route
|
-l template=cakephp-mysql-persistent
|
--no-headers
|
-o json
|
-n postflightcheck
|
register: getroute
|
changed_when: false
|
retries: 10
|
delay: 5
|
until: getroute is succeeded
|
|
- name: Test that route is reachable
|
uri:
|
url: "http://{{ getroute.stdout|from_json|json_query('items[0].spec.host') }}"
|
register: testroute
|
retries: 15
|
delay: 5
|
until: testroute is succeeded
|
|
- name: Delete project
|
command: oc delete project postflightcheck
|
|
- debug:
|
msg: "{{ item }}"
|
loop:
|
- "user.info: "
|
- "user.info: Post Flight Check"
|
- "user.info: DNS Web Console ............... {{ 'OK' if checkdnswebconsole.rc == 0 else 'FAIL' }}"
|
- "user.info: DNS API ....................... {{ 'OK' if checkdnsapi.rc == 0 else 'FAIL' }}"
|
- "user.info: Web console ................... {{ 'OK' if testwebconsole is succeeded else 'FAIL' }}"
|
- "user.info: API ........................... {{ 'OK' if clusterinfor.rc == 0 else 'FAIL' }}"
|
- "user.info: Create Project with PV ........ {{ 'OK' if newproject.rc == 0 else 'FAIL' }}"
|
- "user.info: App deployed .................. {{ 'OK' if phpw.rc == 0 and mysqlw.rc == 0 else 'FAIL' }}"
|
- "user.info: Route ......................... {{ 'OK' if testroute is succeeded else 'FAIL' }}"
|
|
- when:
|
- smoke_tests | bool
|
- >-
|
checkdnswebconsole.rc != 0
|
or checkdnsapi.rc != 0
|
or testwebconsole is failed
|
or clusterinfor.rc != 0
|
or newproject.rc != 0
|
or phpw.rc != 0
|
or mysqlw.rc != 0
|
or testroute is failed
|
fail:
|
msg: "FAIL Smoke tests"
|
ignore_errors: no
|
|
- name: Deploy Default, Infra and Student Workloads
|
import_playbook: ocp_workloads.yml
|
|
- name: Tell CloudForms we are done
|
hosts: bastions
|
run_once: yes
|
gather_facts: false
|
become: false
|
tasks:
|
- debug:
|
msg: "Post-Software checks completed successfully"
|
