New file |
| | |
| | | = Preparing your Workstation to use the Ansible Playbooks |
| | | |
| | | == Prerequisites |
| | | In order to use these playbooks, you will need to set a few things up. |
| | | |
| | | === AWS Permissions and Policies |
| | | |
| | | AWS credentials for the account above must be used with the AWS command line |
| | | tool (detailed below) |
| | | |
| | | * An AWS IAM account with the following permissions: |
| | | - Policies can be defined for Users, Groups or Roles |
| | | - Navigate to: AWS Dashboard -> Identity & Access Management -> Select Users or Groups or Roles -> Permissions -> Inline Policies -> Create Policy -> Custom Policy |
| | | - Policy Name: openshift (your preference) |
| | | - Policy Document: |
| | | + |
| | | [source,json] |
| | | ---- |
| | | { |
| | | "Version": "2012-10-17", |
| | | "Statement": [ |
| | | { |
| | | "Sid": "Stmt1459269951000", |
| | | "Effect": "Allow", |
| | | "Action": [ |
| | | "cloudformation:*", |
| | | "iam:*", |
| | | "route53:*", |
| | | "elasticloadbalancing:*", |
| | | "ec2:*", |
| | | "cloudwatch:*", |
| | | "autoscaling:*", |
| | | "s3:*" |
| | | ], |
| | | "Resource": [ |
| | | "*" |
| | | ] |
| | | } |
| | | ] |
| | | } |
| | | ---- |
| | | |
| | | NOTE: Finer-grained permissions are possible, and pull requests are welcome. |
| | | |
| | | |
| | | === AWS existing resources |
| | | |
| | | * A route53 |
| | | link:http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/CreatingHostedZone.html[public hosted zone] |
| | | is required for the scripts to create the various DNS entries for the |
| | | resources it creates. Two DNS entries will be created for workshops: |
| | | - `master.guid.domain.tld` - a DNS entry pointing to the master |
| | | - `*.cloudapps.guid.domain.tld` - a wildcard DNS entry pointing to the |
| | | router/infrastructure node |
| | | * An EC2 SSH keypair should be created in advance and you should save the key |
| | | file to your system. |
| | | + |
| | | [source,bash] |
| | | ---- |
| | | REGION=ap-southeast-2 |
| | | KEYNAME=testkeyname |
| | | openssl genrsa -out ~/.ssh/${KEYNAME}.pem 2048 |
| | | openssl rsa -in ~/.ssh/${KEYNAME}.pem -pubout > ~/.ssh/${KEYNAME}.pub |
| | | chmod 400 ~/.ssh/${KEYNAME}.pub |
| | | touch ~/.ssh/config |
| | | aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`" |
| | | ---- |
| | | + |
| | | CAUTION: Key pairs are created per region, you will need to specify a different keypair for each region or duplicate the keypair into every region. |
| | | + |
| | | ---- |
| | | REGIONS="ap-southeast-1 ap-southeast-2 OTHER_REGIONS..." |
| | | for REGION in `echo ${REGIONS}` ; |
| | | do |
| | | aws ec2 import-key-pair --key-name ${KEYNAME} --region=$REGION --output=text --public-key-material "`cat ~/.ssh/${KEYNAME}.pub | grep -v PUBLIC`" |
| | | done |
| | | ---- |
| | | |
| | | |
| | | == Software Requirements on workstation |
| | | |
| | | * Some deployments would require a Red Hat Customer Portal account that has |
| | | appropriate subscriptions. This is not required for the playbook themselves. |
| | | + |
| | | NOTE: Red Hat employee subscriptions can be used |
| | | |
| | | |
| | | === Software required for deployment |
| | | |
| | | * [Python](https://www.python.org) version 2.7.x (3.x untested and may not work) |
| | | * [Python Boto](http://docs.pythonboto.org) version 2.41 or greater |
| | | * [Git](http://github.com) any version would do. |
| | | * [Ansible](https://github.com/ansible/ansible) version 2.1.2 or greater |
| | | * [awscli bundle](https://s3.amazonaws.com/aws-cli/awscli-bundle.zip) tested with version 1.11.32 |
| | | Python and the Python dependencies may be installed via your OS' package manager |
| | | (eg: python2-boto on Fedora/CentOS/RHEL) or via |
| | | [pip](https://pypi.python.org/pypi/pip). [Python |
| | | virtualenv](https://pypi.python.org/pypi/virtualenv) can also work. |
| | | |
| | | .Example script to install required software |
| | | [source,bash] |
| | | ---- |
| | | |
| | | # Install basic packages |
| | | yum install -y wget python python-boto unzip tmux git |
| | | |
| | | # Another option to configure python boto is: |
| | | git clone git://github.com/boto/boto.git |
| | | cd boto |
| | | python setup.py install |
| | | |
| | | |
| | | # Enable epel repositories for Ansible |
| | | cd /tmp |
| | | wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm |
| | | sudo yum -y install `ls *epel*.rpm` |
| | | |
| | | # Install ansible and checked install version (required 2.2.0.0) |
| | | yum install -y ansible |
| | | ansible --version |
| | | |
| | | |
| | | ## Install aws cli |
| | | curl "https://s3.amazonaws.com/aws-cli/awscli-bundle.zip" -o "awscli-bundle.zip" |
| | | unzip awscli-bundle.zip |
| | | sudo ./awscli-bundle/install -i /usr/local/aws -b /bin/aws |
| | | aws --version |
| | | |
| | | ---- |
| | | |
| | | == Configuring your workstation |
| | | |
| | | === Configure the EC2 Credentials |
| | | |
| | | * You will need to place your EC2 credentials in the ~/.aws/credentials file: |
| | | [source, shell] |
| | | ---- |
| | | mkdir ~/.aws |
| | | cat << EOF >> ~/.aws/credentials |
| | | [default] |
| | | aws_access_key_id = AKIAJAAYOURACCESSKEY |
| | | aws_secret_access_key = rT54UYOURSECRETACCESSKEY |
| | | |
| | | EOF |
| | | ---- |
| | | |
| | | * Add the SSH Key to the SSH Agent (optional) |
| | | If your operating system has an SSH agent and you are not using your default |
| | | configured SSH key, you will need to add the private key you use with your EC2 |
| | | instances to your SSH agent: |
| | | + |
| | | ---- |
| | | ssh-add <path to key file> |
| | | ---- |
| | | |
| | | NOTE: If you use an SSH config that specifies what keys to use for what |
| | | hosts this step may not be necessary. |