---
|
# Implement your Workload deployment tasks here
|
|
- name: Setting up workload for user
|
debug:
|
msg: "Setting up workload for user ocp_username = {{ ocp_username }}"
|
|
- include_role:
|
name: idm-server
|
vars:
|
become_override: yes
|
|
# /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role
|
- name: Create Let's Encrypt Certificates
|
include_role:
|
name: host-lets-encrypt-certs-certbot
|
vars:
|
- _certbot_domain: "{{ idm_dns_name }}"
|
- _certbot_wildcard_domain: "{{cluster_name}}{{subdomain_base_suffix}}"
|
- _certbot_dns_provider: "route53"
|
- _certbot_remote_dir: "/home/{{ ansible_user }}/idm"
|
- _certbot_remote_dir_owner: "{{ ansible_user }}"
|
- _certbot_install_dir: "/home/{{ ansible_user }}/idm/certificates"
|
- _certbot_install_dir_owner: "{{ ansible_user }}"
|
- _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz"
|
- _certbot_renew_automatically: True
|
- _certbot_use_cache: True
|
- _certbot_force_issue: True
|
- _certbot_production: True
|
- _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM
|
|
- name: Get Root CA
|
copy:
|
src: ./files/DSTRootCAX3.pem
|
dest: /tmp/DSTRootCAX3.pem
|
|
- name: Get Intermediate CA
|
copy:
|
src: ./files/LEAuthX3.pem
|
dest: /tmp/LEAuthX3.pem
|
|
- name: Install CAs
|
shell: |
|
echo '{{ idm_admin_password }}' | kinit admin
|
ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,,
|
ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,,
|
ipa-certupdate -v
|
become: True
|
|
- name: Install IPA Certificate
|
shell: |
|
ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p '{{ idm_dm_password }}' --pin=''
|
ipactl restart
|
become: True
|
|
- name: Install redeploy hook scripts
|
template:
|
src: ./files/deploy_certs.sh
|
dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/deploy_certs.sh"
|
mode: 0775
|
owner: "{{ ansible_user }}"
|
- name: Install redeploy hook ansible components
|
copy:
|
src: "./files/{{ item }}"
|
dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/{{ item }}"
|
mode: 0664
|
owner: "{{ ansible_user }}"
|
loop:
|
- deploy_certs.yml
|
|
- name: Install AWS python prerequisites
|
become: True
|
pip:
|
state: present
|
name:
|
- boto
|
- botocore
|
- boto3
|
|
# Find public IP of bastion
|
- name: Gather VPC facts
|
ec2_vpc_net_facts:
|
filters:
|
tag:Name: "{{ aws_vpc_name }}"
|
region: "{{ aws_region_final | default(aws_region) }}"
|
register: vpc
|
|
- name: Get instance facts
|
ec2_instance_facts:
|
filters:
|
# FIXME - find a better way to discover the bastion name
|
"tag:Name": "{{ instances[0].name }}"
|
region: "{{ aws_region_final | default(aws_region) }}"
|
register: instancesr
|
failed_when: instancesr|length == 0
|
|
- name: Get non-terminated instance
|
set_fact:
|
ec2instance: "{{ item }}"
|
with_items:
|
- "{{ instancesr.instances }}"
|
when: not item.state.name == 'terminated'
|
failed_when: ec2instance is undefined
|
|
# Make external DNS of IdM available to OpenShift cluster
|
- name: Get cluster metadata
|
slurp:
|
path: "{{ cluster_name }}/metadata.json"
|
register: metadata
|
|
- name: Get cluster infrastructure ID
|
set_fact:
|
cluster_vpc_name: "{{ metadata.content | b64decode | from_json | json_query('infraID')}}-vpc"
|
|
- name: Gather Cluster VPC facts
|
ec2_vpc_net_facts:
|
filters:
|
tag:Name: "{{ cluster_vpc_name }}"
|
region: "{{ aws_region_final | default(aws_region) }}"
|
register: cluster_vpc
|
failed_when: cluster_vpc.vpcs | length == 0
|
|
- name: Create Private DNS Entry for IdM in cluster private zone
|
route53:
|
state: present
|
overwrite: yes
|
private_zone: yes
|
record: "{{ idm_dns_name }}"
|
type: A
|
ttl: 60
|
value: "{{ ec2instance.public_ip_address }}"
|
zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
|
vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"
|
|
- name: Configure Local Authentication
|
when:
|
- install_ocp4 | d(False) | bool
|
- install_idm is defined
|
environment:
|
KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
|
block:
|
- name: Set up Local IdM LDAP
|
when:
|
- install_idm == "local-ldap"
|
block:
|
- name: Create admin user
|
when: admin_user is defined
|
ipa_user:
|
name: "{{ admin_user }}"
|
password: "{{ admin_password }}"
|
state: present
|
givenname: OpenShift
|
sn: Administrator
|
mail:
|
- "{{ email }}"
|
ipa_host: "{{ idm_dns_name }}"
|
ipa_user: admin
|
ipa_pass: "{{ idm_admin_password }}"
|
- name: Upload OAuth Configuration File
|
template:
|
src: "./files/oauth-ldap.yaml"
|
dest: "/home/{{ ansible_user }}/oauth-ldap.yaml"
|
owner: "{{ ansible_user }}"
|
mode: 0664
|
- name: Update OAuth Configuration
|
shell: "oc apply -f /home/{{ ansible_user }}/oauth-ldap.yaml"
|
- name: Remove kubeadmin User
|
when:
|
- admin_user is defined
|
- auth_remove_kubeadmin
|
command: oc delete secret kubeadmin -n kube-system
|
ignore_errors: true
|
|
# Leave this as the last task in the playbook.
|
- name: workload tasks complete
|
debug:
|
msg: "Workload Tasks completed successfully."
|
when: not silent|bool
|