| | |
|---|
| | | |
|---|
| | | - import_playbook: ../../setup_runtime.yml |
|---|
| | | |
|---|
| | | - name: Build inventory |
|---|
| | | hosts: localhost |
|---|
| | | connection: local |
|---|
| | | gather_facts: false |
|---|
| | | become: false |
|---|
| | | tasks: |
|---|
| | | - when: cloud_provider == 'ec2' |
|---|
| | | block: |
|---|
| | | - name: Run infra-ec2-create-inventory Role |
|---|
| | | include_role: |
|---|
| | | name: infra-ec2-create-inventory |
|---|
| | | |
|---|
| | | - name: Run Common SSH Config Generator Role |
|---|
| | | include_role: |
|---|
| | | name: infra-common-ssh-config-generate |
|---|
| | | when: "'bastions' in groups" |
|---|
| | | |
|---|
| | | - name: Set ansible_ssh_extra_args |
|---|
| | | hosts: |
|---|
| | | - all:!windows:!network |
|---|
| | | gather_facts: false |
|---|
| | | any_errors_fatal: true |
|---|
| | | ignore_errors: false |
|---|
| | | tasks: |
|---|
| | | - name: Set facts for remote access |
|---|
| | | set_fact: |
|---|
| | | ansible_ssh_extra_args: >- |
|---|
| | | {{ ansible_ssh_extra_args|d() }} |
|---|
| | | -F {{hostvars.localhost.output_dir}}/{{ env_type }}_{{ guid }}_ssh_conf |
|---|
| | | |
|---|
| | | - name: Run stop/start/status/... actions |
|---|
| | | hosts: localhost |
|---|
| | | connection: local |
|---|
| | |
|---|
| | | msg: "ACTION is not defined" |
|---|
| | | |
|---|
| | | - name: Start / Stop VMs on AWS |
|---|
| | | when: cloud_provider == 'ec2' |
|---|
| | | when: |
|---|
| | | - cloud_provider == 'ec2' |
|---|
| | | - guid is defined |
|---|
| | | - guid != '' |
|---|
| | | - guid != '*' |
|---|
| | | environment: |
|---|
| | | AWS_ACCESS_KEY_ID: "{{aws_access_key_id}}" |
|---|
| | | AWS_SECRET_ACCESS_KEY: "{{aws_secret_access_key}}" |
|---|
| | |
|---|
| | | when: ACTION == 'stop' |
|---|
| | | ec2_instance: |
|---|
| | | state: stopped |
|---|
| | | wait: no |
|---|
| | | wait: "{{ aws_instance_wait_for_stop | default(false) }}" |
|---|
| | | filters: |
|---|
| | | "tag:guid": "{{ guid }}" |
|---|
| | | "tag:env_type": "{{ env_type }}" |
|---|
| | | instance-state-name: running |
|---|
| | | |
|---|
| | | - name: Start instances by (guid, env_type) tags |
|---|
| | | when: ACTION == 'start' |
|---|
| | | ec2_instance: |
|---|
| | | state: started |
|---|
| | | wait: yes |
|---|
| | | wait: true |
|---|
| | | filters: |
|---|
| | | "tag:guid": "{{ guid }}" |
|---|
| | | "tag:env_type": "{{ env_type }}" |
|---|
| | | instance-state-name: stopped |
|---|
| | | - when: ACTION == 'status' |
|---|
| | | block: |
|---|
| | | - name: Get EC2 facts using (guid, env_type) tag |
|---|
| | | ec2_instance_facts: |
|---|
| | | filters: |
|---|
| | | "tag:guid": "{{ guid }}" |
|---|
| | | "tag:env_type": "{{ env_type }}" |
|---|
| | | register: r_instances |
|---|
| | | |
|---|
| | | - name: Print status information to a file |
|---|
| | | template: |
|---|
| | | dest: "{{ output_dir }}/status.txt" |
|---|
| | | src: files/status.j2 |
|---|
| | | |
|---|
| | | - name: Run recover cluster actions |
|---|
| | | hosts: bastions |
|---|
| | | run_once: True |
|---|
| | | gather_facts: False |
|---|
| | | become: no |
|---|
| | | run_once: true |
|---|
| | | become: false |
|---|
| | | gather_facts: false |
|---|
| | | tasks: |
|---|
| | | - name: Set Ansible Python interpreter to k8s virtualenv |
|---|
| | | set_fact: |
|---|
| | | ansible_python_interpreter: /opt/virtualenvs/k8s/bin/python |
|---|
| | | |
|---|
| | | - name: Recover cluster if it missed cert rotation |
|---|
| | | when: ACTION == 'start' |
|---|
| | | # environment: |
|---|
| | | # KUBECONFIG: "cluster-{{ guid }}/auth/kubeconfig" |
|---|
| | | block: |
|---|
| | | - name: Wait 5 minutes for Nodes to settle and pods to start |
|---|
| | | - name: Wait (default 3m) for Nodes to settle and pods to start |
|---|
| | | pause: |
|---|
| | | minutes: 5 |
|---|
| | | - name: Get Node Readiness status |
|---|
| | | shell: "oc get nodes|grep -v AGE|awk -c '{print $2}'" |
|---|
| | | register: r_nodestatus |
|---|
| | | - name: Approve CSRs if Nodes show NotReady |
|---|
| | | when: "'NotReady' in r_nodestatus.stdout_lines" |
|---|
| | | shell: "oc get csr -oname | xargs oc adm certificate approve" |
|---|
| | | seconds: "{{ lifecycle_start_pause | default(180) }}" |
|---|
| | | |
|---|
| | | - name: Get CSRs that need to be approved |
|---|
| | | k8s_facts: |
|---|
| | | api_version: certificates.k8s.io/v1beta1 |
|---|
| | | kind: CertificateSigningRequest |
|---|
| | | # Field selectors don't seem to work |
|---|
| | | # field_selectors: |
|---|
| | | # - status.conditions[0].type="Pending" |
|---|
| | | register: r_csrs |
|---|
| | | |
|---|
| | | - name: Approve all Pending CSRs |
|---|
| | | when: r_csrs.resources | length > 0 |
|---|
| | | command: "oc adm certificate approve {{ item.metadata.name }}" |
|---|
| | | loop: "{{ r_csrs.resources }}" |
|---|
| | | |
|---|
| | | # TODO: Implement proper loop to watch for incoming CSRS while we are |
|---|
| | | # approving them. For now, this is a workaround, just wait and re-approve. |
|---|
| | | - name: Wait 10s for additional CSRs to appear |
|---|
| | | pause: |
|---|
| | | seconds: 10 |
|---|
| | | |
|---|
| | | - name: Get additional CSRs that need to be approved |
|---|
| | | k8s_facts: |
|---|
| | | api_version: certificates.k8s.io/v1beta1 |
|---|
| | | kind: CertificateSigningRequest |
|---|
| | | # Field selectors don't seem to work |
|---|
| | | # field_selectors: |
|---|
| | | # - status.conditions[0].type = "Pending" |
|---|
| | | register: r_new_csrs |
|---|
| | | |
|---|
| | | - name: Approve all additional Pending CSRs |
|---|
| | | when: r_new_csrs.resources | length > 0 |
|---|
| | | command: "oc adm certificate approve {{ item.metadata.name }}" |
|---|
| | | loop: "{{ r_new_csrs.resources }}" |
|---|
