ansible/configs/ocp4-workshop/files/repos_template.j2
@@ -27,3 +27,9 @@ baseurl={{own_repo_path}}/rhel-7-server-ansible-2.8-rpms enabled=1 gpgcheck=0 [pinned-epel-rpms] name=EPEL Pinned (RPMs) baseurl={{own_repo_path}}/epel enabled=1 gpgcheck=0 ansible/configs/ocp4-workshop/software.yml
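Review bot: The new `[pinned-epel-rpms]` stanza sets `gpgcheck=0`, so every package later pulled from it (the `python2-openshift` install this commit adds in `bastion/tasks/k8s.yml`) is installed with no RPM signature verification; the `rhel-7-server-ansible-2.8-rpms` repo above it does the same, but this commit is the point at which more installs start depending on the unverified mirror. If the mirror behind `{{own_repo_path}}` carries the EPEL signing key, switch to `gpgcheck=1` and add `gpgkey={{own_repo_path}}/RPM-GPG-KEY-EPEL-7` (key path assumed — confirm against the mirror layout). If that is not possible, add a comment above the stanza stating explicitly that trust rests on the mirror being an internally controlled copy, so the `gpgcheck=0` is read as a decision rather than an oversight.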
@@ -25,10 +25,10 @@ remote_src: yes - name: Install awscli become: yes command: /tmp/awscli-bundle/install -i /usr/local/aws -b /bin/aws args: creates: /usr/local/aws become: yes - name: cleanup archive and tmp files file: @@ -51,25 +51,6 @@ aws_access_key_id = {{ hostvars.localhost.student_access_key_id }} aws_secret_access_key = {{ hostvars.localhost.student_secret_access_key }} - name: Ensure PIP and other packages are installed become: yes yum: state: present name: - https://gpte-public.s3.amazonaws.com/python2-pip-8.1.2-9.el7.noarch.rpm - golang - unzip - name: Install Python Packages become: yes pip: state: present name: - botocore - s3transfer - boto - boto3 # For GA Releases - name: Set URLs for OpenShift GA releases when: not ocp4_installer_use_dev_preview | d(False) | bool ansible/roles/bastion/tasks/k8s.yml
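Review bot: The lines that survive at the top of the third hunk write the student's `aws_access_key_id` and `aws_secret_access_key` into a credentials file, and the task that writes them begins before the hunk; confirm that task sets `mode: "0600"` and `no_log: true`, otherwise the secret key is echoed in any verbose run. The hunk also drops `boto`/`boto3`/`botocore` and `golang`/`unzip` from the bastion's system python; nothing visible in this file still needs them, but the jumpbox playbooks this same commit installs use AWS modules (raised on that role). The `creates: /usr/local/aws` guard on the awscli install only prevents re-runs; the bundle it executes as root comes from a download task outside the hunk with no checksum visible, so verify that task pins `checksum:` on the archive.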
@@ -2,23 +2,15 @@ - tags: - bastion_k8s block: # Note: EPEL must be enabled "somewhere". Currently # EPEL comes from {own_repo_path}/{osrelease}/epel # Repo needs to be enabled in repos_template.j2 - name: Install Python2 OpenShift Library (and dependencies) yum: state: present name: - https://gpte-public.s3.amazonaws.com/python-cachetools-1.0.3-1.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-six-1.9.0-0.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-rsa-3.4.1-1.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-google-auth-1.1.1-5.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-certifi-2018.10.15-5.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-kubernetes-8.0.1-1.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-string_utils-0.6.0-4.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-dictdiffer-0.7.1-2.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-typing-3.5.2.2-4.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-ruamel-ordereddict-0.4.9-2.el7.x86_64.rpm - https://gpte-public.s3.amazonaws.com/python2-ruamel-yaml-0.13.14-2.el7.x86_64.rpm - https://gpte-public.s3.amazonaws.com/python2-openshift-0.8.8-1.el7.noarch.rpm - https://gpte-public.s3.amazonaws.com/python2-pip-8.1.2-9.el7.noarch.rpm - python2-openshift - name: Install virtualenv pip: name: virtualenv ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
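Review bot: The block comment says EPEL comes from `{own_repo_path}/{osrelease}/epel`, but the repo this commit adds in `repos_template.j2` is `{{own_repo_path}}/epel` with `gpgcheck=0`; the comment should name the real path and the trust consequence, e.g. `# python2-openshift comes from the pinned EPEL mirror ({{own_repo_path}}/epel); that repo has gpgcheck=0, so trust rests on the mirror`. The hunk replaces thirteen explicit S3-hosted RPM URLs with a single package name, so the version installed is now whatever the mirror carries; a comment recording the version the role was tested against (`0.8.8` was the previous explicit pin) makes drift noticeable at review time. The enclosing `block:` starts before the hunk.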
@@ -18,7 +18,7 @@ - aws_credentials_result.stat.exists == False - name: Set _certbot_wildcard_certs fact set_fact: set_fact: _certbot_wildcard_certs: "{{ (_certbot_wildcard_domain|length|int>0)|ternary('true','false') }}" - name: Test if Let's Encrypt Certificates are already there @@ -30,15 +30,35 @@ when: - cacert.stat.exists|bool == false or _certbot_force_issue|bool block: - name: Install certbot packages - name: Install certbot pip prerequisites in a VirtualEnv become: True yum: pip: state: present virtualenv: /opt/virtualenvs/certbot name: - certbot - "python2-certbot-dns-{{ _certbot_dns_provider }}" state: latest - certbot-dns-{{ _certbot_dns_provider }} # Certbot comes from a pinned EPEL repo # in order for all prerequisites to be # satisfied # - name: Install certbot # become: True # yum: # state: present # name: certbot - name: Copy certbot script become: True template: src: ./templates/run-certbot.j2 dest: /usr/local/bin/run-certbot owner: root group: root mode: 0755 - name: Check if cached certificate archive exists become: false stat: path: "{{ _certbot_cache_archive_file }}" delegate_to: localhost 
@@ -91,25 +111,16 @@ certbot certonly -n --agree-tos --email {{ _certbot_le_email }} -d {{ _certbot_domain }} {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} {{ (_certbot_production|bool)|ternary('','--test-cert') }} {{ _certbot_additional_args|d(_certbot_args)|d('') }} {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs {{ (_certbot_production|bool)|ternary('','--test-cert') }} {{ _certbot_additional_args|d(_certbot_args)|d('') }} - name: Request API and Wildcard Certificates become: False shell: >- certbot certonly -n --agree-tos --email {{ _certbot_le_email }} -d {{ _certbot_domain }} {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} {{ (_certbot_production|bool)|ternary('','--test-cert') }} {{ _certbot_additional_args|d(_certbot_args)|d('') }} {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs command: /usr/local/bin/run-certbot retries: 5 delay: 30 register: r_request_le ansible/roles/host-lets-encrypt-certs-certbot/templates/run-certbot.j2
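Review bot: The pip task added in the first hunk installs `certbot` and `certbot-dns-{{ _certbot_dns_provider }}` with `state: present` and no `version:`, so the bastion now takes whatever PyPI serves at run time, while the commented-out yum block records that the previous source was deliberately pinned; that pin is lost here. Pin both entries, e.g. `- certbot==<tested version>` and `- "certbot-dns-{{ _certbot_dns_provider }}==<tested version>"`, or pass a constraints file through `extra_args`; the versions to pin are not visible in this diff. Installing the virtualenv as root under `/opt` and then running `run-certbot` with `become: False` is a reasonable split, but note that `_certbot_additional_args` is rendered into that root-owned script unquoted, so it must remain an operator-controlled variable. The `block:` these tasks live in starts before the first hunk.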
New file @@ -0,0 +1,13 @@ #!/bin/bash echo "Activating virtualenv certbot" source /opt/virtualenvs/certbot/bin/activate certbot certonly -n --agree-tos --email {{ _certbot_le_email }} \ -d {{ _certbot_domain }} \ {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} \ {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} \ --config-dir={{ _certbot_dir }}/config \ --work-dir={{ _certbot_dir }}/work \ --logs-dir={{ _certbot_dir }}/logs \ {{ (_certbot_production|bool)|ternary('','--test-cert') }} \ {{ _certbot_additional_args|d(_certbot_args)|d('') }} ansible/roles/ocp4-workload-aws-jumpbox/tasks/workload.yml
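Review bot: The wildcard domain is rendered into the `-d` argument unquoted, so bash performs pathname expansion on `*.apps.example.com` before certbot sees it; harmless while nothing in the working directory matches, but a stray matching file silently replaces the domain, and the previous inline `shell:` form had the same exposure, so the new script is the place to fix it. Render the optional branch with a Jinja conditional and quote the value, keeping the line's trailing continuation unconditional: `{% if _certbot_wildcard_domain|length > 0 %}-d '{{ _certbot_wildcard_domain }}' {% endif %}\`, and quote `--email '{{ _certbot_le_email }}'` and `-d '{{ _certbot_domain }}'` the same way. Add `set -euo pipefail` after the shebang so a failed `source` of the virtualenv aborts instead of falling through to whatever `certbot` is on PATH. `_certbot_additional_args` is intentionally a raw argument string and must stay unquoted, which is exactly why it has to come from the operator and never from user-supplied data.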
@@ -5,6 +5,15 @@ debug: msg: "Setting up workload for user ocp_username = {{ ocp_username }}" - name: Install Ansible and selinux python library into ocp-install virtualenv become: yes pip: state: present virtualenv: /opt/virtualenvs/ocp-install name: - ansible - selinux - name: Create the Jumpbox directory file: name: "/home/ec2-user/jumpbox" @@ -22,7 +31,7 @@ group: ec2-user loop: - aws_inventory.yml - setup_jumpbox.yml - create_jumpbox.yml - delete_jumpbox.yml - name: Copy Jumpbox Shell Script @@ -33,7 +42,7 @@ owner: ec2-user group: ec2-user loop: - { src: "./templates/setup_jumpbox.j2", dest: "/home/ec2-user/jumpbox/setup_jumpbox.sh" } - { src: "./templates/create_jumpbox.j2", dest: "/home/ec2-user/jumpbox/create_jumpbox.sh" } - { src: "./templates/delete_jumpbox.j2", dest: "/home/ec2-user/jumpbox/delete_jumpbox.sh" } # Leave this as the last task in the playbook. ansible/roles/ocp4-workload-aws-jumpbox/templates/aws_inventory.yml
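Review bot: The new pip task seeds `/opt/virtualenvs/ocp-install` with only `ansible` and `selinux`, yet the playbooks the role copies alongside it (`aws_inventory.yml`, `create_jumpbox.yml`, `delete_jumpbox.yml`) use `ec2_instance_facts` and `ec2_group`, which need `boto3`/`botocore` in the interpreter that runs ansible, and this same commit removes `boto3` from the bastion's system python in `software.yml`. Unless the virtualenv was created with system site-packages that already provide boto3 (not visible here), add `- boto3` and `- botocore` to the `name:` list. All three entries are unpinned; pin `ansible` to the release the playbooks were written for (the repo names in `repos_template.j2` suggest 2.8 — confirm) so a future `pip` run does not move the jumpbox tooling to an untested major version.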
@@ -1,10 +1,10 @@ --- - name: Get Control Plane Instances - name: "Get Control Plane Instances for cluster {{ cluster_name }}" ec2_instance_facts: region: "{{ aws_region }}" filters: "tag:Name": "*master*" "tag:guid": "{{ cluster_name }}" "tag:guid": "{{ guid }}" register: control_plane - name: Add Control plane Instances to Inventory @@ -26,7 +26,7 @@ region: "{{ aws_region }}" filters: "tag:Name": "*worker*" "tag:guid": "{{ cluster_name }}" "tag:guid": "{{ guid }}" register: workers - name: Add Workers to Inventory ansible/roles/ocp4-workload-aws-jumpbox/templates/create_jumpbox.j2
New file @@ -0,0 +1,4 @@ #!/bin/bash source /opt/virtualenvs/ocp-install/bin/activate ansible-playbook /home/ec2-user/jumpbox/create_jumpbox.yml -e guid={{ guid }} -e cluster_name={{ cluster_name }} -e aws_region={{ aws_region }} ansible/roles/ocp4-workload-aws-jumpbox/templates/create_jumpbox.yml
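Review bot: `source /opt/virtualenvs/ocp-install/bin/activate` is not checked, so if the virtualenv is missing the script continues and runs whichever `ansible-playbook` is on PATH with a different Python and module set; add `set -euo pipefail` after the shebang (or `source … || exit 1`). The three `-e` values are interpolated unquoted; they come from role variables rather than user input, but `-e "guid={{ guid }}"` and the like cost nothing and prevent word-splitting if a value ever contains whitespace. The sibling `delete_jumpbox.j2` in this commit has the same shape and should get the same treatment.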
File was renamed from ansible/roles/ocp4-workload-aws-jumpbox/templates/setup_jumpbox.yml @@ -81,15 +81,15 @@ guid: "{{ guid }}" cluster_name: "{{ cluster_name }}" wait: true register: jumpbox register: r_jumpbox - name: Print Jumpbox information debug: var: jumpbox var: r_jumpbox - name: Add jumpbox instance public IP to host group add_host: name: "{{ jumpbox.instances[0].public_ip }}" name: "{{ r_jumpbox.instances[0].public_ip }}" groups: jumpbox - name: Delete bastion SSH config file @@ -108,13 +108,13 @@ dest: "/home/ec2-user/.ssh/config" marker: "##### {mark} Adding masters with ProxyJump" content: | Host {{ jumpbox.instances[0].public_ip }} Host {{ r_jumpbox.instances[0].public_ip }} User ec2-user StrictHostKeyChecking no Host *.internal User core ProxyJump {{ jumpbox.instances[0].public_ip }} ProxyJump {{ r_jumpbox.instances[0].public_ip }} StrictHostKeyChecking no Match User ec2-user @@ -132,7 +132,7 @@ StrictHostKeyChecking no - name: Wait for SSH to come up delegate_to: "{{ jumpbox.instances[0].public_ip }}" delegate_to: "{{ r_jumpbox.instances[0].public_ip }}" wait_for_connection: delay: 10 timeout: 180 ansible/roles/ocp4-workload-aws-jumpbox/templates/delete_jumpbox.j2
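Review bot: The SSH config block this hunk rewrites disables host key verification (`StrictHostKeyChecking no`) both for the jumpbox's public IP and for every `*.internal` host reached through `ProxyJump`, so anyone who can answer on that path can impersonate the jumpbox or a node without the user noticing; only the variable rename is new here, but this is the natural place to tighten it. For a freshly created instance whose key is unknown, `StrictHostKeyChecking accept-new` (OpenSSH 7.6+) pins the key on first contact and rejects later changes, and populating `UserKnownHostsFile` from the instance console output is stronger still. Separately, `r_jumpbox.instances[0]` is indexed without a check that the registered result contains any instance; `failed_when: r_jumpbox.instances | length == 0` on the creating task gives a clear error instead of an undefined-variable trace. The play these tasks belong to starts and ends outside the hunks.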
@@ -1,2 +1,4 @@ #!/bin/bash ansible-playbook /home/ec2-user/jumpbox/delete_jumpbox.yml -e guid={{ guid }} -ecluster_name={{ cluster_name }} -eaws_region={{ aws_region }} source /opt/virtualenvs/ocp-install/bin/activate ansible-playbook /home/ec2-user/jumpbox/delete_jumpbox.yml -e guid={{ guid }} -e cluster_name={{ cluster_name }} -e aws_region={{ aws_region }} ansible/roles/ocp4-workload-aws-jumpbox/templates/delete_jumpbox.yml
@@ -23,6 +23,7 @@ region: "{{ aws_region }}" instance_ids: - "{{ jumpboxes['instances'][0].instance_id }}" wait: true - name: Delete SSH security group ec2_group: ansible/roles/ocp4-workload-aws-jumpbox/templates/setup_jumpbox.j2
File was deleted ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/defaults/main.yml
@@ -3,4 +3,4 @@ ocp_username: opentlc-mgr silent: False _lets_encrypt_certificates_install_api: True _lets_encrypt_certificates_install_api: False ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/router-certs.j2
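Review bot: Flipping `_lets_encrypt_certificates_install_api` from `True` to `False` changes the default for every caller of this workload — the API server keeps its original certificate unless the caller opts in — and the defaults file gives no reason; add a comment such as `# Only the router/wildcard certificate is replaced by default; set to true to also install the Let's Encrypt certificate on the API server` so the new default is read as intentional. Prefer lowercase `false`/`true` while touching the line (yamllint `truthy`); `silent: False` above has the same issue.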
File was deleted ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/main.yml
@@ -1,5 +1,4 @@ --- # Do not modify this file - name: Running Pre Workload Tasks ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml
@@ -9,12 +9,12 @@ when: install_lets_encrypt_certificates | d(true) | bool block: # This also is in: # The API Server hostname could also be retrieved like this: # oc get infrastructures.config.openshift.io/cluster -o yaml # Although that's the entire URL. Need to strip out https:// and :6443 - name: Determine API server hostname shell: "oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'" register: api_hostname register: r_api_hostname - name: Determine Wildcard Domain k8s_facts: @@ -22,19 +22,19 @@ kind: IngressController name: default namespace: openshift-ingress-operator register: ingress_controller register: r_ingress_controller - name: Print API and Wildcard Domain debug: msg: "API: {{ api_hostname.stdout }}, Wildcard Domain: {{ ingress_controller.resources[0].status.domain }}" msg: "API: {{ r_api_hostname.stdout }}, Wildcard Domain: {{ r_ingress_controller.resources[0].status.domain }}" # /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role - name: Create Let's Encrypt Certificates include_role: name: host-lets-encrypt-certs-certbot vars: - _certbot_domain: "{{ api_hostname.stdout }}" - _certbot_wildcard_domain: "*.{{ ingress_controller.resources[0].status.domain }}" - _certbot_domain: "{{ r_api_hostname.stdout }}" - _certbot_wildcard_domain: "*.{{ r_ingress_controller.resources[0].status.domain }}" - _certbot_dns_provider: "route53" - _certbot_remote_dir: "/home/{{ ansible_user }}" - _certbot_remote_dir_owner: "{{ ansible_user }}" @@ -59,12 +59,10 @@ - name: Install redeploy hook playbook copy: src: "./files/{{ item }}" dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/{{ item }}" src: "./files/deploy_certs.yml" dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.yml" mode: 0664 owner: "{{ ansible_user }}" loop: - deploy_certs.yml - name: Install redeploy secret templates copy: 
@@ -78,12 +76,12 @@ - name: Read Certificate slurp: src: "$HOME/certificates/fullchain.pem" src: "/home/{{ ansible_user }}/certificates/fullchain.pem" register: server_cert - name: Read Key slurp: src: "$HOME/certificates/privkey.pem" src: "/home/{{ ansible_user }}/certificates/privkey.pem" register: server_key - name: Create Router Certificate @@ -97,7 +95,7 @@ definition: "{{ lookup('file', './files/router-with-certs.yaml' ) | from_yaml }}" - name: Install API Certificates when: _lets_encrypt_certificates_install_api|bool when: _lets_encrypt_certificates_install_api | bool block: - name: Create API Certificate k8s:
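Review bot: The `Read Key` task slurps `privkey.pem` into the registered variable `server_key` without `no_log: true`, so the base64-encoded private key is printed by any `-vv` run and handed to every configured callback plugin; add `no_log: true` to that task and to the `k8s` tasks that consume it. In the earlier hunk, `Determine API server hostname` is a `shell` pipeline whose exit status is that of the final `sed`, so a failed `oc whoami` yields rc 0 with an empty `r_api_hostname.stdout`, which then becomes an empty `-d` domain for certbot; add `failed_when: r_api_hostname.stdout | length == 0` or run the pipeline under `set -o pipefail`. The enclosing `block:` starts before the first hunk.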