Wolfgang Kulhanek
2018-01-17 6e16a669d8a17add1b4535db4ca5e0d1b38fda6a
Added Let's Encrypt Wildcard Support

Made changes to create a special AWS User with only Route53 access.
3 files added
6 files modified
171 ■■■■■ changed files
ansible/cloud_providers/ec2_infrastructure_deployment.yml 22 ●●●●● patch | view | raw | blame | history
ansible/configs/ocp-workshop/env_vars.yml 2 ●●● patch | view | raw | blame | history
ansible/configs/ocp-workshop/files/cloud_providers/ec2_cloud_template.j2 34 ●●●●● patch | view | raw | blame | history
ansible/configs/ocp-workshop/files/hosts_template.j2 17 ●●●● patch | view | raw | blame | history
ansible/configs/ocp-workshop/pre_software.yml 9 ●●●●● patch | view | raw | blame | history
ansible/roles/lets-encrypt/README.md 38 ●●●●● patch | view | raw | blame | history
ansible/roles/lets-encrypt/files/defaults/main.yml 2 ●●●●● patch | view | raw | blame | history
ansible/roles/lets-encrypt/tasks/main.yml 45 ●●●●● patch | view | raw | blame | history
scripts/README.adoc 2 ●●● patch | view | raw | blame | history
ansible/cloud_providers/ec2_infrastructure_deployment.yml
@@ -114,11 +114,31 @@
    copy:
      dest: "{{ANSIBLE_REPO_PATH}}/workdir/{{ env_type }}.{{ guid }}.s3user.credentials"
      content: |
        * S3 Bucket for registry: {{s3user}}
        * S3 Bucket for registry: {{s3user}}
        ** S3User access key: {{s3user_access_key}}
        ** S3User secret key: {{s3user_secret_access_key}}
    when: s3user_access_key is defined
  - name: get Route53User credentials from stack outputs
    set_fact:
      route53user: "{{ cloudformation_out.stack_outputs.Route53User }}"
      route53user_access_key: "{{ cloudformation_out.stack_outputs.Route53UserAccessKey }}"
      route53user_secret_access_key: "{{ cloudformation_out.stack_outputs.Route53UserSecretAccessKey }}"
    when:
      - cloudformation_out.stack_outputs.Route53UserAccessKey is defined
      - cloudformation_out.stack_outputs.Route53UserSecretAccessKey is defined
    tags:
      - provision_cf_template
  - name: write down Route53User credentials
    copy:
      dest: "{{ANSIBLE_REPO_PATH}}/workdir/{{ env_type }}.{{ guid }}.route53user.credentials"
      content: |
        * Route53 User for Let's Encrypt: {{ route53user }}
        ** Route53User access key: {{ route53user_access_key }}
        ** Route53User secret key: {{ route53user_secret_access_key }}
    when: route53user_access_key is defined
  - name: Gather EC2 facts
    ec2_remote_facts:
      aws_access_key: "{{ aws_access_key_id }}"
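Review bot: The Route53 secret key is written to `workdir/{{ env_type }}.{{ guid }}.route53user.credentials` (lines 38-45) as plaintext with no `mode:`, so the file lands with the controller's default umask, and the preceding `set_fact` (lines 28-37) echoes both key halves in verbose task output. Add `mode: "0600"` under `copy:` and `no_log: true` on both the `set_fact` and `copy` tasks; the S3User block above follows the same pattern, so the same two lines apply there as well. The enclosing task list starts before this hunk.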
ansible/configs/ocp-workshop/env_vars.yml
@@ -45,8 +45,8 @@
ocp_report: false
install_ipa_client: false
remove_self_provisioners: false
install_lets_encrypt_certificates: true
# you can also use: allow_all, htpasswd, ldap
install_idm: ldap
idm_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt
install_metrics: true
ansible/configs/ocp-workshop/files/cloud_providers/ec2_cloud_template.j2
@@ -328,6 +328,26 @@
{% endfor %}
{% endfor %}
  Route53User:
    Type: AWS::IAM::User
    Properties:
      Policies:
        - PolicyName: Route53Access
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action: route53domains:*
                Resource: "*"
              - Effect: Allow
                Action: route53:*
                Resource: "*"
  Route53UserAccessKey:
      Type: AWS::IAM::AccessKey
      Properties:
        UserName:
          Ref: Route53User
  RegistryS3:
    Type: "AWS::S3::Bucket"
    Properties:
@@ -407,3 +427,17 @@
        - S3UserAccessKey
        - SecretAccessKey
    Description: IAM User for RegistryS3
  Route53User:
    Value:
      Ref: Route53User
    Description: IAM User for Route53 (Let's Encrypt)
  Route53UserAccessKey:
    Value:
      Ref: Route53UserAccessKey
    Description: IAM User for Route53 (Let's Encrypt)
  Route53UserSecretAccessKey:
    Value:
      Fn::GetAtt:
        - Route53UserAccessKey
        - SecretAccessKey
    Description: IAM User for Route53 (Let's Encrypt)
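Review bot: The new `Route53User` (first hunk, lines 63-75) is granted `route53:*` and `route53domains:*` on `Resource: "*"`, while DNS-01 validation only needs to list zones and read/write TXT records in the zone that holds `{{ cloudapps_suffix }}`; `route53domains` is the registrar API (transfers, contacts, auto-renew) and is not used by acme.sh at all. Scope the policy to the record-set actions on that hosted zone, with `route53:GetChange` and `route53:ListHostedZones*` on `*`, as sketched below (the zone reference is a placeholder — this template's hosted-zone resource is not in the hunk). The second hunk also exports `Route53UserSecretAccessKey` as a stack output, so anyone with `cloudformation:DescribeStacks` on the account can read the long-lived secret; this mirrors the existing S3 user output above, but the key should be rotated or the user removed once the role has issued its certificates. Separately, the `Route53UserAccessKey:` body (lines 77-80) is indented two spaces deeper than its sibling resources; it parses, but the file otherwise uses a 2-space step.
```yaml
  Route53User:
    Type: AWS::IAM::User
    Properties:
      Policies:
        - PolicyName: Route53Access
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - route53:GetChange
                  - route53:ListHostedZones
                  - route53:ListHostedZonesByName
                Resource: "*"
              - Effect: Allow
                Action:
                  - route53:ChangeResourceRecordSets
                  - route53:ListResourceRecordSets
                # placeholder: the hosted zone that serves {{ cloudapps_suffix }}
                Resource: arn:aws:route53:::hostedzone/HOSTED_ZONE_ID_PLACEHOLDER
# … unchanged: Route53UserAccessKey, RegistryS3 …
```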
ansible/configs/ocp-workshop/files/hosts_template.j2
@@ -66,6 +66,10 @@
openshift_master_default_subdomain={{cloudapps_suffix}}
openshift_master_overwrite_named_certificates={{openshift_master_overwrite_named_certificates}}
{% if install_lets_encrypt_certificates %}
openshift_master_named_certificates=[{"certfile": "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer", "keyfile": "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key", "cafile": "/root/fakeleintermediatex1.pem"}]
{% endif %}
openshift_set_hostname=True
###########################################################################
@@ -82,8 +86,6 @@
# This should be turned on once all dependent scripts use firewalld rather than iptables
# os_firewall_use_firewalld=True
{% endif %}
{% if osrelease | version_compare('3.7', '>=') %}
###########################################################################
@@ -135,8 +137,6 @@
openshift_metrics_cassanda_pvc_storage_class_name=''
openshift_hosted_metrics_storage_volume_name=metrics
{% endif %}
#openshift_master_metrics_public_url=https://hawkular-metrics.{{cloudapps_suffix}}/hawkular/metrics
## Add Prometheus Metrics:
openshift_hosted_prometheus_deploy=true
@@ -222,7 +222,6 @@
openshift_hosted_logging_storage_volume_name=logging
{% endif %}
# openshift_logging_kibana_hostname=kibana.{{cloudapps_suffix}}
openshift_logging_es_cluster_size=1
{% else %}
@@ -241,9 +240,6 @@
openshift_hosted_logging_hostname=kibana.{{cloudapps_suffix}}
openshift_hosted_logging_elasticsearch_cluster_size=1
openshift_hosted_logging_deployer_version=v{{repo_version}}
# This one is wrong (down arrow)
#openshift_hosted_logging_image_version=v{{repo_version}}
#openshift_logging_image_version=v{{repo_version}}
{% endif %}
openshift_logging_es_nodeselector={"env":"infra"}
@@ -263,7 +259,10 @@
openshift_hosted_router_selector='env=infra'
openshift_hosted_router_replicas={{infranode_instance_count}}
#openshift_hosted_router_certificate={"certfile": "/path/to/router.crt", "keyfile": "/path/to/router.key", "cafile": "/path/to/router-ca.crt"}
{% if install_lets_encrypt_certificates %}
openshift_hosted_router_certificate={"certfile": "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.cer", "keyfile": "/root/.acme.sh/{{ master_lb_dns }}/{{ master_lb_dns }}.key", "cafile": "/root/fakeleintermediatex1.pem"}
{% endif %}
openshift_hosted_registry_selector='env=infra'
openshift_hosted_registry_replicas=1
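Review bot: Both new certificate entries (lines 107 and 144) hard-code `"cafile": "/root/fakeleintermediatex1.pem"`, the Let's Encrypt staging intermediate, so the chain OpenShift serves only matches while the role issues against the staging endpoint; acme.sh writes the issuer chain next to the leaf as `ca.cer`, so `"cafile": "/root/.acme.sh/{{ master_lb_dns }}/ca.cer"` would follow whichever CA actually issued the certificate (confirm the filename on the bastion before switching). The same three-path JSON object is duplicated verbatim on both lines; defining it once in env_vars (for example as `lets_encrypt_cert_paths`) and referencing it in both places keeps the two from drifting. The remaining hunks in this file only drop blank lines.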
ansible/configs/ocp-workshop/pre_software.yml
@@ -47,6 +47,15 @@
    - { role: "{{ ANSIBLE_REPO_PATH }}/roles/common", when: 'install_common' }
    - { role: "{{ ANSIBLE_REPO_PATH }}/roles/set_env_authorized_key", when: 'set_env_authorized_key' }
- name: Request Let's Encrypt Wildcard Certificates
  hosts: bastions[0]
  become: true
  vars_files:
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml"
    - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml"
  roles:
    -  { role: "{{ ANSIBLE_REPO_PATH }}/roles/lets-encrypt", when: 'install_lets_encrypt_certificates' }
- name: Configuring Bastion Hosts
  hosts: bastions
  become: true
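Review bot: The new play (lines 152-159) is gated only on `install_lets_encrypt_certificates`, but the role it runs reads `hostvars['localhost'].route53user_access_key`, a fact that exists only when the EC2 provisioning exported the Route53 stack outputs; on another cloud provider, or when those outputs are missing, the role fails on an undefined variable instead of being skipped. Tighten the condition to `when: "install_lets_encrypt_certificates and hostvars['localhost'].route53user_access_key is defined"`. Line 159 also has two spaces after the `-`, unlike the sibling role entries above it.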
ansible/roles/lets-encrypt/README.md
New file
@@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
    - hosts: servers
      roles:
         - { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).
ansible/roles/lets-encrypt/files/defaults/main.yml
New file
@@ -0,0 +1,2 @@
---
# defaults file for bastion
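Review bot: Role defaults are loaded only from `roles/<role>/defaults/main.yml`; this file sits under `files/defaults/`, where Ansible treats it as a plain file to copy and never reads it as variables, so any default added here later would be silently ignored. Move it to `ansible/roles/lets-encrypt/defaults/main.yml` and replace the copied header `# defaults file for bastion` with `# defaults file for lets-encrypt`.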
ansible/roles/lets-encrypt/tasks/main.yml
New file
@@ -0,0 +1,45 @@
---
## Request Let's Encrypt Wildcard Certificates for the Cluster
## Make sure to import the intermediate
## certificate (https://letsencrypt.org/certs/fakeleintermediatex1.pem)
## Into your browser to accept all newly created certificates
  - name: Get Temporary CA Certificate
    get_url:
      url: https://letsencrypt.org/certs/fakeleintermediatex1.pem
      dest: /root/fakeleintermediatex1.pem
  - name: Remove Let's Encrypt directory if it's there
    file:
      path: /root/acme.sh
      state: absent
  - name: Remove Let's Encrypt cache if it's there
    file:
      path: /root/.acme.sh
      state: absent
  - name: Clone Let's Encrypt Repo
    git:
      repo: https://github.com/Neilpang/acme.sh.git
      clone: yes
      dest: /root/acme.sh
      version: 2
  - name: Add AWS Access Key to Let's Encrypt configuration
    lineinfile:
      path: /root/acme.sh/dnsapi/dns_aws.sh
      line: AWS_ACCESS_KEY_ID="{{ hostvars['localhost'].route53user_access_key }}"
      state: present
      insertbefore: '^#AWS_ACCESS_KEY_ID'
  - name: Add AWS Secret Access Key to Let's Encrypt configuration
    lineinfile:
      path: /root/acme.sh/dnsapi/dns_aws.sh
      line: AWS_SECRET_ACCESS_KEY="{{ hostvars['localhost'].route53user_secret_access_key }}"
      state: present
      insertbefore: '^#AWS_SECRET_ACCESS_KEY'
  - name: Request Wildcard Certificates from Let's Encrypt
    shell: "/root/acme.sh/acme.sh --server https://acme-staging-v02.api.letsencrypt.org/directory --test --issue -d {{ master_lb_dns }} -d *.{{ cloudapps_suffix }} --dns dns_aws"
    args:
      chdir: /root/acme.sh
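Review bot: The two `lineinfile` tasks (lines 221-232) splice the Route53 access key and secret into the freshly cloned `dnsapi/dns_aws.sh`, which depends on upstream keeping the commented `#AWS_ACCESS_KEY_ID`/`#AWS_SECRET_ACCESS_KEY` marker lines and leaves long-lived credentials in a script on the bastion; acme.sh's `dns_aws` hook reads both values from the environment, so passing them via `environment:` on the issue task and dropping the edits avoids patching vendored code. In the same `shell:` command (line 234) `-d *.{{ cloudapps_suffix }}` is unquoted, so the shell may glob-expand it against `/root/acme.sh` before acme.sh sees it; quote it as `'*.{{ cloudapps_suffix }}'`. Add `no_log: true` to the issue task so the key material does not surface in verbose task output. Note also that the role deletes and re-clones the repo and re-issues on every run; against the staging endpoint selected here that is harmless, but it would count against production rate limits once `--server`/`--test` are switched, so a `creates:` guard on the issued `.cer` is worth adding then. The rewritten issue task:
```yaml
# … unchanged: get_url, file and git tasks above; the two lineinfile tasks are removed …
  - name: Request Wildcard Certificates from Let's Encrypt
    shell: "/root/acme.sh/acme.sh --server https://acme-staging-v02.api.letsencrypt.org/directory --test --issue -d {{ master_lb_dns }} -d '*.{{ cloudapps_suffix }}' --dns dns_aws"
    args:
      chdir: /root/acme.sh
    environment:
      AWS_ACCESS_KEY_ID: "{{ hostvars['localhost'].route53user_access_key }}"
      AWS_SECRET_ACCESS_KEY: "{{ hostvars['localhost'].route53user_secret_access_key }}"
    no_log: true
```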
scripts/README.adoc
@@ -15,7 +15,7 @@
ENVTYPE_ARGS=(
-e osrelease=3.5.5.31
-e "bastion_instance_type=t2.large"
-e "master_instance_type=c4.xlarge"
-e "master_instance_type=c4.xlarge"
-e "infranode_instance_type=c4.4xlarge"
-e "node_instance_type=c4.4xlarge"
-e "nfs_instance_type=m3.large"