Jim Rigsbee
2019-07-19 bf41614acf5edce1f082dc89424ae68220a509c3
Create new ocp4 workloads and workload removal process (#480)

* Introduced ocp4-workload-projectreaper-operator

* Added GPTE defaults to Project Reaper
1) Added defaults to the role
2) Added new defaults for GPTE to the ProjectTracker template

* Made instance alternate names plural
1) Added loop in the cloudformation template to create multiple Route53 entries for multiple alternate instance names
2) Added python-boto to the list of installed packages on bastion
3) Changed default instance in default env_vars to handle alt_name as array

* Added new ocp4-workload-idm
This workload installs Identity Manager on bastion and makes necessary DNS entries for the OpenShift cluster to reach it

* Introduced the ability to remove workloads on cluster destroy in ocp4-workshop
Some workloads may create infrastructure that must be removed before the cloudformation stack is deleted
Added the remove infrastructure tasks to the ocp4-workload-idm workload

* Added new workload: ocp4-workload-mysql
This workload installs and configures MariaDB (MySQL) on the bastion.

* debugged remove workloads and fixed with some refactoring of playbooks

* WIP: refactor for PR comments

* Successfully tested mysql workload

* Successfully tested refactor of IdM workload

* Default variable to avoid "not defined"

* Moved archived ipa-server role to the correct location in the source tree

* Fix for PR review: use Ansible fact to retrieve bastion IP address

* Fixed root account setup in mysql workload

* Refactored instance.alt_name to accept an array of names or a single string for backward compatibility

* Added ocp4-workload-mysql instead of just using an infra-workload because it needs to make a DNS entry for the OpenShift cluster to be able to discover its alias name
24 files added
6 files modified
3 files renamed
643 ■■■■■ changed files
ansible/configs/ocp4-workshop/destroy_env.yml 27 ●●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/env_vars.yml 11 ●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/files/cloud_providers/ec2_cloud_template.j2 25 ●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/post_software.yml 3 ●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/software.yml 3 ●●●● patch | view | raw | blame | history
ansible/roles/idm-server/defaults/main.yml 10 ●●●●● patch | view | raw | blame | history
ansible/roles/idm-server/handlers/main.yml 7 ●●●●● patch | view | raw | blame | history
ansible/roles/idm-server/tasks/configure_idm.yml 22 ●●●●● patch | view | raw | blame | history
ansible/roles/idm-server/tasks/main.yml 5 ●●●●● patch | view | raw | blame | history
ansible/roles/idm-server/tasks/prep.yml 28 ●●●●● patch | view | raw | blame | history
ansible/roles/infra-ec2-template-generate/tasks/main.yml 5 ●●●●● patch | view | raw | blame | history
ansible/roles/mysql/README.adoc 5 ●●●●● patch | view | raw | blame | history
ansible/roles/mysql/defaults/main.yml 1 ●●●● patch | view | raw | blame | history
ansible/roles/mysql/files/prime.sql 2 ●●●●● patch | view | raw | blame | history
ansible/roles/mysql/tasks/main.yml 41 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/README.adoc 6 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/defaults/main.yml 6 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/files/oauth-ldap.yaml 22 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/tasks/main.yml 31 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/tasks/post_workload.yml 9 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/tasks/pre_workload.yml 8 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml 62 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/tasks/workload.yml 111 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-mysql/README.adoc 7 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-mysql/defaults/main.yml 4 ●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-mysql/tasks/main.yml 31 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-mysql/tasks/post_workload.yml 9 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-mysql/tasks/pre_workload.yml 8 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-mysql/tasks/remove_workload.yml 62 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-mysql/tasks/workload.yml 72 ●●●●● patch | view | raw | blame | history
tools/archive/archived_roles/ipa-server/README.md patch | view | raw | blame | history
tools/archive/archived_roles/ipa-server/handlers/main.yml patch | view | raw | blame | history
tools/archive/archived_roles/ipa-server/tasks/main.yml patch | view | raw | blame | history
ansible/configs/ocp4-workshop/destroy_env.yml
@@ -139,6 +139,33 @@
                    aws ec2 wait instance-running
                    --filters "Name=tag:clusterid,Values={{ cluster_name }}"
- name: Remove workloads
  hosts: bastions
  gather_facts: false
  run_once: true
  become: false
  tasks:
  - name: Remove ocp workloads
    when:
    - remove_workloads | d("") | length > 0
    tags:
    - remove_workloads
    block:
      - name: Set facts for remote access
        set_fact:
          ansible_ssh_extra_args: >-
            {{ ansible_ssh_extra_args|d() }}
            -F {{hostvars.localhost.output_dir}}/{{ env_type }}_{{ guid }}_ssh_conf
      - name: Invoke roles to remove ocp workloads
        include_role:
          name: "{{ workload_loop_var }}"
        vars:
          ocp_username: "system:admin"
          ACTION: "remove"
        loop: "{{ remove_workloads }}"
        loop_control:
          loop_var: workload_loop_var
- name: Destroy OCP 4 resources using the installer
  hosts: bastions
  gather_facts: false
ansible/configs/ocp4-workshop/env_vars.yml
@@ -3,7 +3,7 @@
### Common Host settings
# Repo Method. One of file, satellite and rhn
repo_method: file
repo_method: file
#If using repo_method: satellite, you must set these values as well.
# satellite_url: satellite.example.com
@@ -49,8 +49,10 @@
## Install Authentication.
## Valid options are none, htpasswd, ldap (and maybe in the future sso)
## For LDAP a bindPassword needs to be passed via the command line
## Another valid option is local-ldap if you use the ocp4-workload-idm workload
install_idm: "none"
idm_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt
auth_remove_kubeadmin: true
### If you want a Key Pair name created and injected into the hosts,
# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
@@ -121,6 +123,10 @@
#  - ocp4-workload-userquota-operator
#  - ocp4-workload-enable-lets-encrypt-certificates
#  - ocp4-workload-metering
# Some workloads create infrastructure that needs to be removed
# when deleting the software or infrastructure
remove_workloads: []
# Variables for default workloads. Ultimately these will be parameters to the workloads but for now they are global
_infra_node_replicas: 1
@@ -206,7 +212,8 @@
    count: "{{clientvm_instance_count}}"
    unique: "{{ true if clientvm_instance_count | int <= 1 else false }}"
    public_dns: true
    alt_name: bastion
    alt_name:
      - bastion
    flavor:
      "ec2": "{{clientvm_instance_type}}"
    tags:
ansible/configs/ocp4-workshop/files/cloud_providers/ec2_cloud_template.j2
@@ -311,11 +311,12 @@
          - "Fn::GetAtt":
            - {{instance['name']}}{{loop.index}}
            - PublicIp
     {% if 'alt_name' in instance and instance.alt_name != '' %}
     {% if 'alt_name' in instance %}
     {% if instance.alt_name is string %}
      {% if instance['unique'] | d(false) | bool %}
        - Name: "{{instance['alt_name']}}.{{subdomain_base}}."
        - Name: "{{instance.alt_name}}.{{subdomain_base}}."
      {% else %}
        - Name: "{{instance['alt_name']}}{{loop.index}}.{{subdomain_base}}."
        - Name: "{{instance.alt_name}}{{loop.index}}.{{subdomain_base}}."
      {% endif %}
          Type: A
          TTL: {{ aws_dns_ttl_public }}
@@ -323,7 +324,23 @@
          - "Fn::GetAtt":
            - {{instance['name']}}{{loop.index}}
            - PublicIp
    {% endif %}
     {% else %}
     {% set outer_loop = loop %}
     {% for name in instance.alt_name|default([]) %}
      {% if instance['unique'] | d(false) | bool %}
        - Name: "{{name}}.{{subdomain_base}}."
      {% else %}
        - Name: "{{name}}{{outer_loop.index}}.{{subdomain_base}}."
      {% endif %}
          Type: A
          TTL: {{ aws_dns_ttl_public }}
          ResourceRecords:
          - "Fn::GetAtt":
            - {{instance['name']}}{{outer_loop.index}}
            - PublicIp
     {% endfor %}
     {% endif %}
     {% endif %}
{% endif %}
{% endfor %}
{% endfor %}
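Review bot: An instance with `alt_name: ''` now seems to fall into the string branch and emit a record named `.{{subdomain_base}}.`, because the `instance.alt_name != ''` test from the earlier guard no longer appears to be applied. Old and new lines are printed together on this page, so which guard survives is inferred from the commit message. Keeping the emptiness test in the outer condition, `{% if 'alt_name' in instance and instance.alt_name %}`, would cover both the empty string and the empty list. The A-record body is also duplicated between the string branch and the list loop; normalising a string to a one-element list first would leave a single copy. The enclosing instance loops start above the first hunk.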
ansible/configs/ocp4-workshop/post_software.yml
@@ -175,7 +175,7 @@
      - name: Create LDAP Bind Password Secret
        shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ bindPassword }}\" -n openshift-config"
        ignore_errors: true
      - name: Upload OAuth Configuration File
      - name: Upload OAuth Configuration File
        copy:
          src: "./files/oauth-opentlc-ldap.yaml"
          dest: "/home/{{ ansible_user }}/oauth-opentlc-ldap.yaml"
@@ -197,6 +197,7 @@
      when:
      - admin_user is defined
      - install_idm != "none"
      - auth_remove_kubeadmin
      command: oc delete secret kubeadmin -n kube-system
      ignore_errors: true
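Review bot: The kubeadmin removal in the second hunk is gated only on `admin_user is defined`, `install_idm != "none"` and the new `auth_remove_kubeadmin` flag; nothing visible confirms that the identity-provider admin can log in with cluster-admin rights before `oc delete secret kubeadmin` runs. Deleting that secret cannot be undone from the playbook, so a misconfigured provider could leave the cluster without a working administrator. I would write the new condition as `- auth_remove_kubeadmin | bool`, since a string value passed with `-e` may not be evaluated as a boolean, and add a check such as an `oc auth can-i` call as the new admin ahead of the delete. The task starts above the hunk, so its name is not visible here; the same gate appears in the new `Remove kubeadmin User` task in ansible/roles/ocp4-workload-idm/tasks/workload.yml.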
ansible/configs/ocp4-workshop/software.yml
@@ -56,6 +56,7 @@
          package:
            name:
              - golang
              - python2-boto
              - python2-boto3
              - unzip
@@ -236,7 +237,7 @@
  gather_facts: false
  become: false
  tasks:
    # NOT Pre-installed
    # NOT Pre-installed
    - name: Print Student aws access as user.info
      debug:
        msg: "{{ item }}"
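--- a/ansible/roles/idm-server/defaults/main.yml
+++ b/ansible/roles/idm-server/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# defaults file for idm
+idm_principal: admin
+idm_rpms:
+  - ipa-server
+  - firewalld
+  - python-firewall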
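--- a/ansible/roles/idm-server/handlers/main.yml
+++ b/ansible/roles/idm-server/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+# handlers file for idm
+- name: Ensure IdM is running at boot
+  service:
+    name: ipa
+    enabled: yes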
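--- a/ansible/roles/idm-server/tasks/configure_idm.yml
+++ b/ansible/roles/idm-server/tasks/configure_idm.yml
@@ -0,0 +1,22 @@
+---
+- setup:
+    gather_subset:
+      - network
+- name: Setup hostname entry
+  lineinfile:
+    dest: /etc/hosts
+    line: "{{ ansible_default_ipv4.address }} {{ idm_dns_name }}"
+    state: present
+- name: Configure initial IdM setup
+  command: >
+    ipa-server-install -U
+      --hostname="{{ idm_dns_name | default(ansible_fqdn) }}"
+      --domain="{{ idm_domain }}"
+      --realm="{{ idm_realm | upper }}"
+      --ds-password="{{ idm_dm_password }}"
+      --admin-password="{{ idm_admin_password }}"
+      --no-host-dns
+  ignore_errors: true
+  notify: Ensure IdM is running at boot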
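Review bot: The `Configure initial IdM setup` task passes `idm_dm_password` and `idm_admin_password` as `ipa-server-install` arguments without `no_log: true`, so both secrets appear in Ansible output and any stored job log whenever the task is printed. Its `ignore_errors: true` lets the play carry on after a failed install, and the later tasks that talk to IdM would then fail further from the cause. I would add `no_log: true`, drop `ignore_errors`, and make the task safe to re-run with `args:` / `creates: /etc/ipa/default.conf` (path to be confirmed for the target release). The `/etc/hosts` task uses `idm_dns_name` with no default while the command falls back to `ansible_fqdn`, so the two can disagree when the variable is unset.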
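--- a/ansible/roles/idm-server/tasks/main.yml
+++ b/ansible/roles/idm-server/tasks/main.yml
@@ -0,0 +1,5 @@
+---
+# tasks file for idm
+- import_tasks: prep.yml
+- import_tasks: configure_idm.yml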
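--- a/ansible/roles/idm-server/tasks/prep.yml
+++ b/ansible/roles/idm-server/tasks/prep.yml
@@ -0,0 +1,28 @@
+---
+- name: Install required packages
+  package:
+    name: "{{ idm_rpms }}"
+    state: installed
+# Cannot use a handler here
+- name: Ensure firewalld is running
+  service:
+    name: firewalld
+    state: started
+    enabled: yes
+- name: Open Firewall for IdM use
+  firewalld:
+    service: "{{ item }}"
+    permanent: yes
+    state: enabled
+    immediate: yes
+  with_items:
+  - ntp
+  - http
+  - https
+  - ldap
+  - ldaps
+  - kerberos
+  - kpasswd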
ansible/roles/infra-ec2-template-generate/tasks/main.yml
@@ -16,6 +16,11 @@
    - aws_infrastructure_deployment
    - gen_cf_template
- name: Stop if debugging template
  fail:
    msg: "Check template here: {{ cloudformation_template }}"
  when: debug_template|d(false)|bool
######################### Copy CF Template to S3 if too big
- name: Stat CloudFormation template
  stat:
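--- a/ansible/roles/mysql/README.adoc
+++ b/ansible/roles/mysql/README.adoc
@@ -0,0 +1,5 @@
+= mysql - Provision MySQL instance on bastion
+== Role overview
+* This role installs mariadb and configures it on the bastion server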
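--- a/ansible/roles/mysql/defaults/main.yml
+++ b/ansible/roles/mysql/defaults/main.yml
@@ -0,0 +1 @@
+---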
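--- a/ansible/roles/mysql/files/prime.sql
+++ b/ansible/roles/mysql/files/prime.sql
@@ -0,0 +1,2 @@
+GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY '{{ mysql_root_password }}' WITH GRANT OPTION;
+FLUSH PRIVILEGES;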
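Review bot: The GRANT gives `'root'@'%'` every privilege on `*.*` with `WITH GRANT OPTION`, so the database superuser accepts password logins from any host that can reach the port, and ansible/roles/mysql/tasks/main.yml opens the `mysql` firewalld service on the bastion. Unless remote root is a hard requirement of the workshop, I would restrict the host part to the cluster's address range or create a separate, less privileged user for remote use and keep root local. `{{ mysql_root_password }}` is substituted into a quoted SQL literal without escaping, so a password containing `'` breaks or alters the statement. A header comment saying that this file is rendered as a Jinja template despite living under `files/` would also help the next reader.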
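--- a/ansible/roles/mysql/tasks/main.yml
+++ b/ansible/roles/mysql/tasks/main.yml
@@ -0,0 +1,41 @@
+---
+- block:
+  - name: Install MySQL packages
+    yum:
+      state: present
+      name:
+        - mariadb-server
+        - firewalld
+  - name: Ensure firewalld is running
+    service:
+      name: firewalld
+      state: started
+      enabled: yes
+  - name: Open Firewall for MySQL use
+    firewalld:
+      service: "{{ item }}"
+      permanent: yes
+      state: enabled
+      immediate: yes
+    with_items:
+    - mysql
+  - name: Ensure MySQL is running at boot
+    service:
+      name: mariadb
+      enabled: yes
+      state: started
+  - name: Setup up SQL commands
+    template:
+      src: files/prime.sql
+      dest: /tmp/prime.sql
+      mode: 400
+    when: mysql_root_password is defined
+  - name: Setup root account
+    shell: mysql </tmp/prime.sql
+    when: mysql_root_password is defined
+  become: true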
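Review bot: `mode: 400` in `Setup up SQL commands` is an unquoted decimal integer, which Ansible applies as octal 0620 (owner read/write, group write) instead of the owner-read-only mode that was presumably intended; it should be `mode: "0400"`. The rendered `/tmp/prime.sql` contains the root password and no visible task removes it, so I would add a final `file:` task with `path: /tmp/prime.sql` and `state: absent`, and put `no_log: true` on the template task so diff output cannot print the content. `Setup root account` also re-runs the GRANT on every play because it has no guard beyond `mysql_root_password is defined`.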
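--- a/ansible/roles/ocp4-workload-idm/README.adoc
+++ b/ansible/roles/ocp4-workload-idm/README.adoc
@@ -0,0 +1,6 @@
+= ocp4-workload-idm - Install and Configure Identity Manager on bastion
+== Role overview
+* Installs IdM and initializes it
+* Creates a reverse lookup zone for the IdM alternate DNS name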
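--- a/ansible/roles/ocp4-workload-idm/defaults/main.yml
+++ b/ansible/roles/ocp4-workload-idm/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+become_override: no
+ocp_username: system:admin
+silent: False
+auth_remove_kubeadmin: true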
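--- a/ansible/roles/ocp4-workload-idm/files/oauth-ldap.yaml
+++ b/ansible/roles/ocp4-workload-idm/files/oauth-ldap.yaml
@@ -0,0 +1,22 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+spec:
+  identityProviders:
+  - name: {{ idm_domain_name }}
+    mappingMethod: claim
+    type: LDAP
+    ldap:
+      attributes:
+        id:
+        - dn
+        email:
+        - mail
+        name:
+        - cn
+        preferredUsername:
+        - uid
+      bindDN: ""
+      insecure: true
+      url: "ldap://{{idm_dns_name}}/cn=users,cn=accounts,dc={{cluster_name}},dc={{env}},dc=nextcle,dc=com?uid"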
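Review bot: The provider is configured with `insecure: true`, an `ldap://` URL and an empty `bindDN`, so each OpenShift login sends the user's password to IdM in an unencrypted simple bind after an anonymous search. The workload creates the `idm_dns_name` record from `ec2instance.public_ip_address`, so as far as the visible tasks show, that traffic is addressed to the bastion's public IP. prep.yml already opens `ldaps`, so I would switch the URL to `ldaps://`, set `insecure: false`, and reference the IdM CA through the provider's `ca:` config map field. `name: {{ idm_domain_name }}` should be quoted so that an empty or boolean-looking value still renders as a string. The hard-coded `dc=nextcle,dc=com` suffix deserves a variable or at least a comment.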
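--- a/ansible/roles/ocp4-workload-idm/tasks/main.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+# Do not modify this file
+- name: Running Pre Workload Tasks
+  include_tasks:
+    file: ./pre_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+- name: Running Workload Tasks
+  include_tasks:
+    file: ./workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+- name: Running Post Workload Tasks
+  include_tasks:
+    file: ./post_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+- name: Running Workload removal Tasks
+  include_tasks:
+    file: ./remove_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "destroy" or ACTION == "remove"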
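--- a/ansible/roles/ocp4-workload-idm/tasks/post_workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/post_workload.yml
@@ -0,0 +1,9 @@
+---
+# Implement your Post Workload deployment tasks here
+# Leave this as the last task in the playbook.
+- name: post_workload tasks complete
+  debug:
+    msg: "Post-Workload Tasks completed successfully."
+  when: not silent|bool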
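--- a/ansible/roles/ocp4-workload-idm/tasks/pre_workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/pre_workload.yml
@@ -0,0 +1,8 @@
+---
+# Implement your Pre Workload deployment tasks here
+# Leave this as the last task in the playbook.
+- name: pre_workload tasks complete
+  debug:
+    msg: "Pre-Workload tasks completed successfully."
+  when: not silent|bool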
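--- a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
@@ -0,0 +1,62 @@
+---
+# Implement your Workload removal tasks here
+# Find IP of bastion
+- name: Gather VPC facts
+  ec2_vpc_net_facts:
+    filters:
+      tag:Name: "{{ aws_vpc_name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: vpc
+- name: Get instance facts
+  ec2_instance_facts:
+    filters:
+# FIXME - find a better way to discover the bastion name
+      "tag:Name": "{{ instances[0].name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: instancesr
+  failed_when: instancesr|length == 0
+- name: Get non-terminated instance
+  set_fact:
+    ec2instance: "{{ item }}"
+  with_items:
+  - "{{ instancesr.instances }}"
+  when: not item.state.name == 'terminated'
+  failed_when: ec2instance is undefined
+# Remove external DNS of IdM in OpenShift cluster private zone
+- name: Get cluster metadata
+  slurp:
+    path: "{{ cluster_name }}/metadata.json"
+  register: metadata
+- name: Get cluster infrastructure ID
+  set_fact:
+    cluster_vpc_name: "{{ metadata.content | b64decode | from_json | json_query('infraID')}}-vpc"
+- name: Gather Cluster VPC facts
+  ec2_vpc_net_facts:
+    filters:
+      tag:Name: "{{ cluster_vpc_name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: cluster_vpc
+  failed_when: cluster_vpc.vpcs | length == 0
+- name: Remove Private DNS Entry for IdM in cluster private zone
+  route53:
+    state: absent
+    private_zone: yes
+    record: "{{ idm_dns_name }}"
+    type: A
+    ttl: 60
+    value: "{{ ec2instance.public_ip_address }}"
+    zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
+    vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"
+# Leave this as the last task in the playbook.
+- name: remove_workload tasks complete
+  debug:
+    msg: "Remove Workload tasks completed successfully."
+  when: not silent|bool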
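Review bot: `failed_when: instancesr|length == 0` in `Get instance facts` measures the registered result dictionary rather than the instance list, so it is unlikely ever to fire; it should read `failed_when: instancesr.instances | length == 0`. In `Get non-terminated instance`, `failed_when: ec2instance is undefined` is not evaluated for skipped items, so when every match is terminated the loop passes and the problem only surfaces as an undefined `ec2instance` in the route53 task. An `assert` on `ec2instance is defined` straight after the loop would fail with a clear message. The `vpc` result registered by `Gather VPC facts` is not read by any task in this file. The same lookup tasks are repeated in ocp4-workload-idm/tasks/workload.yml and in both ocp4-workload-mysql task files, so a shared task file would keep the fix in one place.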
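--- a/ansible/roles/ocp4-workload-idm/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/workload.yml
@@ -0,0 +1,111 @@
+---
+# Implement your Workload deployment tasks here
+- name: Setting up workload for user
+  debug:
+    msg: "Setting up workload for user ocp_username = {{ ocp_username }}"
+- include_role:
+    name: idm-server
+  vars:
+    become_override: yes
+# Find public IP of bastion
+- name: Gather VPC facts
+  ec2_vpc_net_facts:
+    filters:
+      tag:Name: "{{ aws_vpc_name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: vpc
+- name: Get instance facts
+  ec2_instance_facts:
+    filters:
+# FIXME - find a better way to discover the bastion name
+      "tag:Name": "{{ instances[0].name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: instancesr
+  failed_when: instancesr|length == 0
+- name: Get non-terminated instance
+  set_fact:
+    ec2instance: "{{ item }}"
+  with_items:
+  - "{{ instancesr.instances }}"
+  when: not item.state.name == 'terminated'
+  failed_when: ec2instance is undefined
+# Make external DNS of IdM available to OpenShift cluster
+- name: Get cluster metadata
+  slurp:
+    path: "{{ cluster_name }}/metadata.json"
+  register: metadata
+- name: Get cluster infrastructure ID
+  set_fact:
+    cluster_vpc_name: "{{ metadata.content | b64decode | from_json | json_query('infraID')}}-vpc"
+- name: Gather Cluster VPC facts
+  ec2_vpc_net_facts:
+    filters:
+      tag:Name: "{{ cluster_vpc_name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: cluster_vpc
+  failed_when: cluster_vpc.vpcs | length == 0
+- name: Create Private DNS Entry for IdM in cluster private zone
+  route53:
+    state: present
+    overwrite: yes
+    private_zone: yes
+    record: "{{ idm_dns_name }}"
+    type: A
+    ttl: 60
+    value: "{{ ec2instance.public_ip_address }}"
+    zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
+    vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"
+- name: Configure Local Authentication
+  when:
+  - install_ocp4 | d(False) | bool
+  - install_idm is defined
+  environment:
+    KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig"
+  block:
+  - name: Set up Local IdM LDAP
+    when:
+    - install_idm == "local-ldap"
+    block:
+    - name: Create admin user
+      when: admin_user is defined
+      ipa_user:
+        name: "{{ admin_user }}"
+        password: "{{ admin_password }}"
+        state: present
+        givenname: OpenShift
+        sn: Administrator
+        mail:
+        - "{{ email }}"
+        ipa_host: "{{ idm_dns_name }}"
+        ipa_user: admin
+        ipa_pass: "{{ idm_admin_password }}"
+    - name: Upload OAuth Configuration File
+      template:
+        src: "./files/oauth-ldap.yaml"
+        dest: "/home/{{ ansible_user }}/oauth-ldap.yaml"
+        owner: "{{ ansible_user }}"
+        mode: 0664
+    - name: Update OAuth Configuration
+      shell: "oc apply -f /home/{{ ansible_user }}/oauth-ldap.yaml"
+    - name: Remove kubeadmin User
+      when:
+      - admin_user is defined
+      - auth_remove_kubeadmin
+      command: oc delete secret kubeadmin -n kube-system
+      ignore_errors: true
+# Leave this as the last task in the playbook.
+- name: workload tasks complete
+  debug:
+    msg: "Workload Tasks completed successfully."
+  when: not silent|bool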
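--- a/ansible/roles/ocp4-workload-mysql/README.adoc
+++ b/ansible/roles/ocp4-workload-mysql/README.adoc
@@ -0,0 +1,7 @@
+= ocp4-workload-mysql - Install and Configure MySQL (MariaDB) on bastion
+== Role overview
+* Installs MariaDB and initializes it
+* Creates a reverse lookup zone for the MySQL alternate DNS name in the
+OpenShift cluster zone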
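--- a/ansible/roles/ocp4-workload-mysql/defaults/main.yml
+++ b/ansible/roles/ocp4-workload-mysql/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+become_override: no
+ocp_username: system:admin
+silent: False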
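--- a/ansible/roles/ocp4-workload-mysql/tasks/main.yml
+++ b/ansible/roles/ocp4-workload-mysql/tasks/main.yml
@@ -0,0 +1,31 @@
+---
+# Do not modify this file
+- name: Running Pre Workload Tasks
+  include_tasks:
+    file: ./pre_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+- name: Running Workload Tasks
+  include_tasks:
+    file: ./workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+- name: Running Post Workload Tasks
+  include_tasks:
+    file: ./post_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "create" or ACTION == "provision"
+- name: Running Workload removal Tasks
+  include_tasks:
+    file: ./remove_workload.yml
+    apply:
+      become: "{{ become_override | bool }}"
+  when: ACTION == "destroy" or ACTION == "remove"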
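--- a/ansible/roles/ocp4-workload-mysql/tasks/post_workload.yml
+++ b/ansible/roles/ocp4-workload-mysql/tasks/post_workload.yml
@@ -0,0 +1,9 @@
+---
+# Implement your Post Workload deployment tasks here
+# Leave this as the last task in the playbook.
+- name: post_workload tasks complete
+  debug:
+    msg: "Post-Workload Tasks completed successfully."
+  when: not silent|bool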
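--- a/ansible/roles/ocp4-workload-mysql/tasks/pre_workload.yml
+++ b/ansible/roles/ocp4-workload-mysql/tasks/pre_workload.yml
@@ -0,0 +1,8 @@
+---
+# Implement your Pre Workload deployment tasks here
+# Leave this as the last task in the playbook.
+- name: pre_workload tasks complete
+  debug:
+    msg: "Pre-Workload tasks completed successfully."
+  when: not silent|bool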
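--- a/ansible/roles/ocp4-workload-mysql/tasks/remove_workload.yml
+++ b/ansible/roles/ocp4-workload-mysql/tasks/remove_workload.yml
@@ -0,0 +1,62 @@
+---
+# Implement your Workload removal tasks here
+# Find IP of bastion
+- name: Gather VPC facts
+  ec2_vpc_net_facts:
+    filters:
+      tag:Name: "{{ aws_vpc_name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: vpc
+- name: Get instance facts
+  ec2_instance_facts:
+    filters:
+# FIXME - find a better way to discover the bastion name
+      "tag:Name": "{{ instances[0].name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: instancesr
+  failed_when: instancesr|length == 0
+- name: Get non-terminated instance
+  set_fact:
+    ec2instance: "{{ item }}"
+  with_items:
+  - "{{ instancesr.instances }}"
+  when: not item.state.name == 'terminated'
+  failed_when: ec2instance is undefined
+# Remove external DNS of MySQL in OpenShift cluster private zone
+- name: Get cluster metadata
+  slurp:
+    path: "{{ cluster_name }}/metadata.json"
+  register: metadata
+- name: Get cluster infrastructure ID
+  set_fact:
+    cluster_vpc_name: "{{ metadata.content | b64decode | from_json | json_query('infraID')}}-vpc"
+- name: Gather Cluster VPC facts
+  ec2_vpc_net_facts:
+    filters:
+      tag:Name: "{{ cluster_vpc_name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: cluster_vpc
+  failed_when: cluster_vpc.vpcs | length == 0
+- name: Remove Private DNS Entry for MySQL in cluster private zone
+  route53:
+    state: absent
+    private_zone: yes
+    record: "{{ mysql_dns_name }}"
+    type: A
+    ttl: 60
+    value: "{{ ec2instance.public_ip_address }}"
+    zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
+    vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"
+# Leave this as the last task in the playbook.
+- name: remove_workload tasks complete
+  debug:
+    msg: "Remove Workload tasks completed successfully."
+  when: not silent|bool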
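--- a/ansible/roles/ocp4-workload-mysql/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-mysql/tasks/workload.yml
@@ -0,0 +1,72 @@
+---
+# Implement your Workload deployment tasks here
+- name: Setting up workload for user
+  debug:
+    msg: "Setting up workload for user ocp_username = {{ ocp_username }}"
+- include_role:
+    name: mysql
+  vars:
+    become_override: yes
+# Find public IP of bastion
+- name: Gather VPC facts
+  ec2_vpc_net_facts:
+    filters:
+      tag:Name: "{{ aws_vpc_name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: vpc
+- name: Get instance facts
+  ec2_instance_facts:
+    filters:
+# FIXME - find a better way to discover the bastion name
+      "tag:Name": "{{ instances[0].name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: instancesr
+  failed_when: instancesr|length == 0
+- name: Get non-terminated instance
+  set_fact:
+    ec2instance: "{{ item }}"
+  with_items:
+  - "{{ instancesr.instances }}"
+  when: not item.state.name == 'terminated'
+  failed_when: ec2instance is undefined
+# Make external DNS of MySQL available to OpenShift cluster
+- name: Get cluster metadata
+  slurp:
+    path: "{{ cluster_name }}/metadata.json"
+  register: metadata
+- name: Get cluster infrastructure ID
+  set_fact:
+    cluster_vpc_name: "{{ metadata.content | b64decode | from_json | json_query('infraID')}}-vpc"
+- name: Gather Cluster VPC facts
+  ec2_vpc_net_facts:
+    filters:
+      tag:Name: "{{ cluster_vpc_name }}"
+    region: "{{ aws_region_final | default(aws_region) }}"
+  register: cluster_vpc
+  failed_when: cluster_vpc.vpcs | length == 0
+- name: Create Private DNS Entry for MySQL in cluster private zone
+  route53:
+    state: present
+    overwrite: yes
+    private_zone: yes
+    record: "{{ mysql_dns_name }}"
+    type: A
+    ttl: 60
+    value: "{{ ec2instance.public_ip_address }}"
+    zone: "{{ cluster_name }}{{ subdomain_base_suffix }}."
+    vpc_id: "{{ cluster_vpc.vpcs[0].vpc_id }}"
+# Leave this as the last task in the playbook.
+- name: workload tasks complete
+  debug:
+    msg: "Workload Tasks completed successfully."
+  when: not silent|bool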
tools/archive/archived_roles/ipa-server/README.md
tools/archive/archived_roles/ipa-server/handlers/main.yml
tools/archive/archived_roles/ipa-server/tasks/main.yml