Wolfgang Kulhanek
2020-03-14 c37a78f35516ddd06f3430fcb2ea545175a83269
ansible/roles/ocp4-workload-quay-operator/tasks/workload.yml
@@ -1,49 +1,93 @@
---
# Implement your Workload deployment tasks here
- name: Set up combined ocp4_workload_quay_operator dictionary
  set_fact:
    ocp4_workload_quay_operator: >-
      {{ ocp4_workload_quay_operator_defaults
       | combine(ocp4_workload_quay_operator_vars    | default( {} ),
                 ocp4_workload_quay_operator_secrets | default( {} ), recursive=true)
      }}
- name: Print combined role variables
  debug:
    var: ocp4_workload_quay_operator
    verbosity: 2
- name: Setting up workload for user
  debug:
    msg: "Setting up workload for user ocp_username = {{ ocp_username }}"
- name: Generate Quay Superuser Password
- name: Get ClusterVersion
  k8s_facts:
    api_version: config.openshift.io/v1
    kind: ClusterVersion
    name: version
  register: r_cluster_version
- name: Set ocp4_workload_quay_operator_cluster_version fact
  set_fact:
    _quay_superuser_password: "{{ lookup('password', '/dev/null length=12 chars=ascii_letters') }}"
  when:
  - _quay_superuser_password is not defined or _quay_superuser_password|length == 0
    ocp4_workload_quay_operator_cluster_version: "{{ r_cluster_version.resources[0].status.history[0].version }}"
- name: Print OpenShift version
  debug:
    msg: "Installing Quay Operator for OpenShift Version: {{ ocp4_workload_quay_operator_cluster_version }}"
- name: Check if certificates exist on bastion VM
- name: Generate Quay Superuser Password
  when:
  - ocp4_workload_quay_operator.superuser_password is not defined or ocp4_workload_quay_operator.superuser_password|length == 0
  set_fact:
    ocp4_workload_quay_operator_superuser_password: "{{ lookup('password', '/dev/null length=12 chars=ascii_letters') }}"
- name: Use provided Quay Superuser Password
  when:
  - ocp4_workload_quay_operator.superuser_password is defined
  - ocp4_workload_quay_operator.superuser_password|length > 0
  set_fact:
    ocp4_workload_quay_operator_superuser_password: "{{ ocp4_workload_quay_operator.superuser_password }}"
- name: Use provided key file
  when: ocp4_workload_quay_operator.ssl_key | length > 0
  set_fact:
    ocp4_workload_quay_operator_ssl_key: ocp4_workload_quay_operator.ssl_key
- name: Otherwise check if key file exist on bastion VM
  become: yes
  become_user: root
  when:
  - _quay_ssl_certificate | length == 0
  - _quay_ssl_key | length == 0
  when: ocp4_workload_quay_operator.ssl_key | length == 0
  block:
  - name: Check for Key file on Bastion
    stat:
      path: "/home/ec2-user/certificates/privkey.pem"
      path: "/home/{{ ansible_user }}/certificates/privkey.pem"
    register: r_ssl_key
  - name: Read Key file from Bastion
    when: r_ssl_key.stat.exists
    slurp:
      src: "/home/ec2-user/certificates/privkey.pem"
      src: "/home/{{ ansible_user }}/certificates/privkey.pem"
    register: _quay_ssl_key_file
  - name: Set ocp4_workload_quay_operator_ssl_key
    when: r_ssl_key.stat.exists
    set_fact:
      ocp4_workload_quay_operator_ssl_key: "{{ _quay_ssl_key_file['content'] }}"
- name: Use provided certificate file
  when: ocp4_workload_quay_operator.ssl_certificate | length > 0
  set_fact:
    ocp4_workload_quay_operator_ssl_certificate: ocp4_workload_quay_operator.ssl_certificate
- name: Otherwise check if certificate file exist on bastion VM
  become: yes
  become_user: root
  when: ocp4_workload_quay_operator.ssl_certificate | length == 0
  block:
  - name: Check for Certificate file on Bastion
    stat:
      path: "/home/ec2-user/certificates/fullchain.pem"
      path: "/home/{{ ansible_user }}/certificates/fullchain.pem"
    register: r_ssl_cert
  - name: Read Certificate file from Bastion
    when: r_ssl_cert.stat.exists
    slurp:
      src: "/home/ec2-user/certificates/fullchain.pem"
      src: "/home/{{ ansible_user }}/certificates/fullchain.pem"
    register: _quay_ssl_cert_file
- name: Set ssl variables
  when:
  - _quay_ssl_key_file is defined
  - _quay_ssl_cert_file is defined
  set_fact:
    _quay_ssl_key: "{{ _quay_ssl_key_file['content'] }}"
    _quay_ssl_certificate: "{{ _quay_ssl_cert_file['content'] }}"
  - name: Set ocp4_workload_quay_operator_ssl_certificate
    when: r_ssl_cert.stat.exists
    set_fact:
      ocp4_workload_quay_operator_ssl_certificate: "{{ _quay_ssl_cert_file['content'] }}"
- name: Determine Cluster Base Domain for Quay Route
  k8s_facts:
@@ -52,59 +96,134 @@
    name: cluster
  register: r_ingress_config
- name: Set the Base Domain for Quay
- name: Use Provided Quay route
  when:
  - ocp4_workload_quay_operator.route is defined
  - ocp4_workload_quay_operator.route | length > 0
  set_fact:
    _quay_route: "quay-{{ guid }}.{{ r_ingress_config.resources[0].spec.domain }}"
    ocp4_workload_quay_operator_quay_route: "{{ ocp4_workload_quay_operator.route }}"
- name: Create OpenShift Objects for Red Hat Quay Registry prerequisites
- name: Otherwise use quay-{{guid}}.basedomain for the Quay route
  when: ocp4_workload_quay_operator.route is not defined or ocp4_workload_quay_operator.route | length == 0
  set_fact:
    ocp4_workload_quay_operator_quay_route: "quay-{{ guid }}.{{ r_ingress_config.resources[0].spec.domain }}"
- name: Create Quay Operator Resources
  k8s:
    state: present
    merge_type:
    - strategic-merge
    - merge
    definition: "{{ lookup('template', item ) | from_yaml }}"
    definition:  "{{ lookup('template', item ) | from_yaml }}"
  loop:
  - ./templates/project.j2
  - ./templates/crd.j2
  - ./templates/service_account.j2
  - ./templates/cluster_role.j2
  - ./templates/cluster_role_binding.j2
  - ./templates/role.j2
  - ./templates/role_binding.j2
  - ./templates/operator.j2
  - ./templates/catalogsourceconfig.j2
  - ./templates/operatorgroup.j2
  - ./templates/subscription.j2
  - ./templates/pull_secret.j2
  - ./templates/quay_superuser_secret.j2
  - ./templates/quay_config_secret.j2
- name: Create OpenShift Objects for Red Hat Quay Registry Certificates
  when:
  - _quay_ssl_certificate | length > 0
  - _quay_ssl_key | length > 0
  - ocp4_workload_quay_operator_ssl_certificate | length > 0
  - ocp4_workload_quay_operator_ssl_key | length > 0
  k8s:
    state: present
    merge_type:
    - strategic-merge
    - merge
    definition: "{{ lookup('template', item ) | from_yaml }}"
  loop:
  - ./templates/quay_ssl_certificate_secret.j2
- name: Create OpenShift Objects for Red Hat Quay Registry
- name: Wait for ClusterServiceVersion to appear
  k8s_facts:
    api_version: operators.coreos.com/v1alpha1
    kind: ClusterServiceVersion
    namespace: "{{ ocp4_workload_quay_operator.project }}"
    name: "{{ ocp4_workload_quay_operator.starting_csv }}"
  register: r_csv
  until: r_csv.resources | length > 0
  retries: 30
  delay: 10
- name: Wait for Quay operator to be ready
  k8s_facts:
    api_version: v1
    kind: Deployment
    namespace: "{{ ocp4_workload_quay_operator.project }}"
    name: "quay-operator"
  register: r_qo_deployment
  retries: 30
  delay: 10
  until:
  - r_qo_deployment.resources | length | int > 0
  - r_qo_deployment.resources[0].status.availableReplicas is defined
  - r_qo_deployment.resources[0].status.availableReplicas | int == r_qo_deployment.resources[0].spec.replicas | int
- name: Create Red Hat Quay Registry
  k8s:
    state: present
    merge_type:
    - strategic-merge
    - merge
    definition: "{{ lookup('template', item ) | from_yaml }}"
  loop:
  - ./templates/quay.j2
- name: Verify successful rollout
  when: ocp4_workload_quay_operator.verify_deployment | bool
  block:
  - name: Wait for Quay App Pod to appear
    k8s_facts:
      api_version: v1
      kind: Pod
      namespace: "{{ ocp4_workload_quay_operator.project }}"
      label_selectors:
      - app=quay-operator
      - quay-enterprise-component=app
    register: r_quay_pod
    until: r_quay_pod.resources | length > 0
    retries: 30
    delay: 10
  - name: Pause 10 seconds to give containers a chance to initialize
    pause:
      seconds: 10
  - name: Wait for Quay App Pod Status to be Ready
    k8s_facts:
      api_version: v1
      kind: Pod
      namespace: "{{ ocp4_workload_quay_operator.project }}"
      label_selectors:
      - app=quay-operator
      - quay-enterprise-component=app
    register: r_running_quay_pod
    until: >-
      r_running_quay_pod.resources[0].status.containerStatuses[0].ready | bool
    ignore_errors: true
    retries: 15
    delay: 5
  # - name: Restart crashing Pod to pick up SCC
  #   when:
  #   - not r_running_quay_pod.resources[0].status.containerStatuses[0].ready | bool
  #   - r_running_quay_pod.resources[0].status.containerStatuses[0].state.waiting.reason is match("CrashLoopBackOff")
  #     or r_running_quay_pod.resources[0].status.containerStatuses[0].state.waiting.reason is match("Error")
  #   k8s:
  #     state: absent
  #     api_version: v1
  #     kind: Pod
  #     name: "{{ r_running_quay_pod.resources[0].metadata.name }}"
  #     namespace: "{{ ocp4_workload_quay_operator.project }}"
- name: Get Quay Hostname
  k8s_facts:
    api_version: redhatcop.redhat.io/v1alpha1
    kind: QuayEcosystem
    name: "{{ ocp4_workload_quay_operator.name }}"
    namespace: "{{ ocp4_workload_quay_operator.project }}"
  register: r_quay
- name: Print Student as user.info
  debug:
    msg: "{{ item }}"
  with_items:
  - "user.info: Quay is available at https://{{ _quay_route }}. It may take up to 5 minutes for this route to respond."
  - "user.info: The Quay Super User is {{ _quay_superuser_username }} with password {{ _quay_superuser_password }}"
  - "user.info: Red Hat Quay is available at https://{{r_quay.resources[0].status.hostname }}."
  - "user.info: The Red Hat Quay Super User is {{ ocp4_workload_quay_operator.superuser_username }} with password {{ ocp4_workload_quay_operator_superuser_password }}"
# Leave this as the last task in the playbook.
- name: workload tasks complete
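Review bot: The two `set_fact` tasks that accept a caller-supplied key and certificate (`Use provided key file`, `Use provided certificate file`) assign the bare text `ocp4_workload_quay_operator.ssl_key` / `ocp4_workload_quay_operator.ssl_certificate` instead of a Jinja expression, so the resulting facts are those literal strings, not the PEM data. Because the later `Create OpenShift Objects for Red Hat Quay Registry Certificates` task guards only on `| length > 0`, that literal passes the check and a TLS secret containing garbage rather than the registry's private key and chain gets created. Quote and template both values: `ocp4_workload_quay_operator_ssl_key: "{{ ocp4_workload_quay_operator.ssl_key }}"` and `ocp4_workload_quay_operator_ssl_certificate: "{{ ocp4_workload_quay_operator.ssl_certificate }}"`. Separately, when neither a provided value nor a bastion file exists, those two facts are never set, and the same `| length > 0` guard would then error on an undefined variable unless the role defaults define them — a `| default('')` on each condition would make the no-TLS path explicit. The generated superuser password (`lookup('password', '/dev/null length=12 chars=ascii_letters')`) also has a fairly small keyspace for a registry superuser that is then printed in clear text as user.info; `length=16 chars=ascii_letters,digits` costs nothing.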