Jim Rigsbee
2020-02-13 f293921b7cc03d0a862e6ad6c3972f64586008d5
TBD Shared Cluster changes
3 files added
18 files modified
213 ■■■■ changed files
ansible/configs/ocp4-workshop/files/install-config.yaml.j2 14 ●●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/files/repos_template.j2 9 ●●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/post_software.yml 22 ●●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/pre_software.yml 4 ●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/requirements.yml 4 ●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/software.yml 45 ●●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/templates/report-before-install.j2 1 ●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/templates/report.j2 1 ●●●● patch | view | raw | blame | history
ansible/roles/bastion/tasks/k8s.yml 18 ●●●●● patch | view | raw | blame | history
ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml 18 ●●●● patch | view | raw | blame | history
ansible/roles/host-lets-encrypt-certs-certbot/templates/run-certbot.j2 2 ●●●●● patch | view | raw | blame | history
ansible/roles/idm-server/tasks/prep.yml 6 ●●●●● patch | view | raw | blame | history
ansible/roles/mysql/tasks/main.yml 1 ●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh 4 ●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml 5 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml 17 ●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/files/deploy_certs.sh 4 ●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/files/deploy_certs.yml 2 ●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/tasks/workload.yml 21 ●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-mysql/tasks/workload.yml 9 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-project-request-template/tasks/workload.yml 6 ●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/files/install-config.yaml.j2
@@ -3,9 +3,15 @@
baseDomain: {{ ocp4_base_domain | default(guid + subdomain_base_suffix) }}
compute:
- hyperthreading: Enabled
  name: worker
  name: worker
  platform:
    aws:
{% if ocp_availability_zones is defined %}
      zones:
{% for az in ocp_availability_zones %}
      - {{ az }}
{% endfor %}
{% endif %}
      type: {{ worker_instance_type }}
      rootVolume:
        type: {{ worker_storage_type }}
@@ -15,6 +21,12 @@
  name: master
  platform:
    aws:
{% if ocp_availability_zones is defined %}
      zones:
{% for az in ocp_availability_zones %}
      - {{ az }}
{% endfor %}
{% endif %}
      type: {{ master_instance_type }}
      rootVolume:
        type: {{ master_storage_type }}
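Review bot: The `{% if ocp_availability_zones is defined %}` guard around `zones:` (in both the worker and the master hunk) does not cover a defined-but-empty list: the template then emits `zones:` with nothing under it, which YAML reads as null rather than an empty list, and the installer is likely to reject a null `zones`. Tightening the guard to `{% if ocp_availability_zones is defined and ocp_availability_zones | length > 0 %}` makes the key disappear cleanly in that case. The guard-plus-loop is copied verbatim into both hunks; if the template grows a third pool the two copies will start to drift, so a short comment naming the variable's expected shape (a list of AZ names) at the first occurrence would help.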
ansible/configs/ocp4-workshop/files/repos_template.j2
@@ -1,27 +1,28 @@
[rhel-7-server-rpms]
name=Red Hat Enterprise Linux 7
baseurl={{own_repo_path}}/rhel-7-server-rpms
baseurl={{own_repo_path}}/ocp/common/rhel-7-server-rpms
enabled=1
gpgcheck=0
[rhel-7-server-rh-common-rpms]
name=Red Hat Enterprise Linux 7 Common
baseurl={{own_repo_path}}/rhel-7-server-rh-common-rpms
baseurl={{own_repo_path}}/ocp/common/rhel-7-server-rh-common-rpms
enabled=1
gpgcheck=0
[rhel-7-server-extras-rpms]
name=Red Hat Enterprise Linux 7 Extras
baseurl={{own_repo_path}}/rhel-7-server-extras-rpms
baseurl={{own_repo_path}}/ocp/common/rhel-7-server-extras-rpms
enabled=1
gpgcheck=0
[rhel-7-server-optional-rpms]
name=Red Hat Enterprise Linux 7 Optional
baseurl={{own_repo_path}}/rhel-7-server-optional-rpms
baseurl={{own_repo_path}}/ocp/common/rhel-7-server-optional-rpms
enabled=1
gpgcheck=0
# TODO: (jbirchler) confirm with Jim that this can be 2.8 not 2.7
[rhel-7-server-ansible-2.8-rpms]
name=Red Hat Enterprise Linux Ansible (RPMs)
baseurl={{own_repo_path}}/rhel-7-server-ansible-2.8-rpms
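Review bot: The last stanza in the hunk, `[rhel-7-server-ansible-2.8-rpms]`, keeps `baseurl={{own_repo_path}}/rhel-7-server-ansible-2.8-rpms` while the four stanzas above it were repointed under `{{own_repo_path}}/ocp/common/`; if the Ansible repo deliberately lives outside the shared `ocp/common` tree, a one-line comment saying so stops the next reader from "fixing" it, otherwise it needs the same prefix. Every repointed stanza also still carries `gpgcheck=0` (context lines, as far as the rendered page shows), so packages from the new mirror path are installed without signature verification; if the mirror republishes signed Red Hat RPMs, `gpgcheck=1` with a `gpgkey=` line is the safer default. The open TODO about 2.7 versus 2.8 reads as something to settle before merge rather than ship as a comment.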
ansible/configs/ocp4-workshop/post_software.yml
@@ -395,5 +395,27 @@
  gather_facts: false
  become: false
  tasks:
  - name: Get kubeadmin password
    slurp:
      path: /home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeadmin-password
    register: kubeadminr
    when: report_status | d(false)
  - name: Get Cluster ID
    environment:
      KUBECONFIG: /home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeconfig
    command: oc get clusterversion version -o jsonpath="{.spec.clusterID}"
    register: clusteridr
  - name: Set cluster id
    set_fact:
      cluster_id: "{{ clusteridr.stdout | trim }}"
  - name: Report provisioning status
    include_role:
      name: status-report
    vars:
      classroom_status: "Classroom ready"
      status_json: "{{ lookup('template', 'report.j2') }}"
      bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}"
    when: report_status | d(false)
  - debug:
      msg: "Post-Software checks completed successfully"
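Review bot: The `Get kubeadmin password` slurp task registers the kubeadmin password in `kubeadminr`, and the new `report.j2` base64-decodes it into `status_json`, so the credential ends up in Ansible's output on any verbose or failed run unless those tasks are marked `no_log: true`. Adding `no_log: true` to the slurp task and to the `Report provisioning status` include keeps the password out of stdout and log collectors; the `Report provisioning status` hunk in `software.yml` needs the same treatment. Separately, `Get Cluster ID` and `Set cluster id` run unconditionally while the tasks on either side are gated on `report_status | d(false)`; either gate them the same way or add a comment stating that `cluster_id` is needed regardless of reporting. The play header that owns these tasks is above the hunk.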
ansible/configs/ocp4-workshop/pre_software.yml
@@ -45,6 +45,10 @@
  become: true
  roles:
  - { role: "bastion",              when: 'install_bastion | bool' }
  - role: "status-report-install"
    vars:
      bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}"
    when: 'report_status | d(false)'
  - { role: "bastion-student-user", when: 'install_student_user | bool' }
  - { role: "bastion-opentlc-ipa",  when: 'install_ipa_client | bool' }
  tags:
ansible/configs/ocp4-workshop/requirements.yml
@@ -4,3 +4,7 @@
- src: https://github.com/redhat-gpte-devopsautomation/ftl-injector
  name: ftl-injector
  version: v0.17.0
# From 'Stouts.wsgi'
- src: https://github.com/Stouts/Stouts.wsgi
  version: 2.1.4
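Review bot: The new `Stouts.wsgi` entry pulls a role from a third-party GitHub repository pinned only by the tag `2.1.4`; unlike `ftl-injector`, which comes from the organisation's own repository, tags there can be moved or deleted by the upstream owner, so the installed role content is neither reproducible nor reviewed here. Pinning to a commit (`version: <COMMIT_SHA_PLACEHOLDER>`) or mirroring the role into an organisation-controlled repository gives this entry the guarantee the other one already has. The entry also has no `name:`, so the role name is derived from the URL; stating it explicitly, as the `ftl-injector` entry does, avoids surprises when a playbook references it.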
ansible/configs/ocp4-workshop/software.yml
@@ -1,4 +1,19 @@
---
- name: OpenShift Provisioning Pre-Tasks
  hosts: localhost
  connection: local
  gather_facts: false
  become: no
  tasks:
    - name: Report provisioning status
      include_role:
        name: status-report
      vars:
        classroom_status: "Starting the OpenShift Installation"
        status_json: "{{ lookup('template', 'report-before-install.j2') }}"
        bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}"
      when: report_status | d(false)
- name: Step 00xxxxx software
  hosts: bastions
  gather_facts: false
@@ -51,7 +66,16 @@
              aws_access_key_id = {{ hostvars.localhost.student_access_key_id }}
              aws_secret_access_key = {{ hostvars.localhost.student_secret_access_key }}
        # For GA Releases
        # - name: Install Packages
        #   become: yes
        #   package:
        #     name:
        #       - golang
        #       - python2-boto
        #       - python2-boto3
        #       - unzip
        # For GA Releases
        - name: Set URLs for OpenShift GA releases
          when: not ocp4_installer_use_dev_preview | d(False) | bool
          set_fact:
@@ -203,6 +227,16 @@
          command: oc whoami --show-server
          register: showserver
        - name: Get Cluster ID
          environment:
            KUBECONFIG: /home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeconfig
          command: oc get clusterversion version -o jsonpath="{.spec.clusterID}"
          register: clusteridr
        - name: Set cluster id
          set_fact:
            cluster_id: "{{ clusteridr.stdout | trim }}"
        - name: Print Overview
          debug:
            msg: "{{ item }}"
@@ -233,6 +267,15 @@
            - "user.info: You *CANNOT* SSH into this environment"
          when: not install_student_user | bool
        - name: Report provisioning status
          include_role:
            name: status-report
          vars:
            classroom_status: "OpenShift Installation Completed"
            status_json: "{{ lookup('template', 'report.j2') }}"
            bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}"
          when: report_status | d(false)
      always:
        - name: Delete deployinprogress lock file
          file:
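Review bot: `become: no` in the new `OpenShift Provisioning Pre-Tasks` play uses the YAML 1.1 truthy spelling while `gather_facts: false` on the line above uses the canonical form; `become: false` keeps the file consistent and avoids yamllint's `truthy` warning. The `Get Cluster ID` / `Set cluster id` pair in the third hunk duplicates the tasks added to `post_software.yml`, both hard-coding `/home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeconfig`; a shared task file or a single `cluster_kubeconfig` variable would keep the two in step. The tasks in the later hunks sit inside a block whose enclosing play, and the `always:` section that follows, start and end outside the hunks.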
ansible/configs/ocp4-workshop/templates/report-before-install.j2
New file
@@ -0,0 +1 @@
{ "classroom_identifier": "{{ guid }}", "classroom_type": "{{ env_type }}", "classroom_region": "{{ aws_region }}", "status": "{{ classroom_status | d('unknown') }}" }
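Review bot: Each value is placed into the JSON text with bare `"{{ guid }}"`-style interpolation, so any variable containing a double quote, backslash or newline yields invalid JSON that the status-report consumer will reject; Ansible's `to_json` filter does the quoting and escaping, e.g. `"classroom_identifier": {{ guid | to_json }}` in place of `"{{ guid }}"` for every field. The same pattern is used in `report.j2`. Because `lookup('template', ...)` renders these files as plain text, nothing upstream validates the output before it is sent.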
ansible/configs/ocp4-workshop/templates/report.j2
New file
@@ -0,0 +1 @@
{ "cluster_id": "{{ cluster_id }}", "cluster_username": "kubeadmin", "cluster_password": "{{ kubeadminr.content | b64decode }}", "cluster_api_url": "api.{{cluster_name}}{{subdomain_base_suffix}}:6443", "classroom_identifier": "{{ guid }}", "classroom_type": "{{ env_type }}", "classroom_region": "{{ aws_region }}", "status": "{{ classroom_status | d('unknown') }}" }
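Review bot: `cluster_password` writes the decoded kubeadmin password into the status document that `post_software.yml` and `software.yml` hand to the `status-report` role, which puts a cluster-admin credential on the wire, in whatever system stores the report, and in Ansible's output wherever `status_json` is echoed. If the receiving side genuinely needs it, confirm the transport is TLS and the store is access-controlled, and mark the tasks that carry `status_json` with `no_log: true`; if it does not, dropping the field is the smaller change. `cluster_api_url` also hard-codes the `api.` prefix and `:6443`, whereas `software.yml` already registers `oc whoami --show-server` as `showserver`; reusing that value avoids the two disagreeing. The `{{cluster_name}}{{subdomain_base_suffix}}` interpolations also lack the inner spaces used elsewhere in the file.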
ansible/roles/bastion/tasks/k8s.yml
New file
@@ -0,0 +1,18 @@
---
- tags:
    - bastion_k8s
  block:
  # TODO: (jbirchler) Ask JimR if this should be deleted (it is deleted upstream)
  # Note: EPEL must be enabled "somewhere". Currently
  # EPEL comes from {own_repo_path}/{osrelease}/epel
  # Repo needs to be enabled in repos_template.j2
  - name: Install Python2 OpenShift Library (and dependencies)
    yum:
      state: present
      name:
      - https://gpte-public.s3.amazonaws.com/python2-pip-8.1.2-9.el7.noarch.rpm
      - python2-openshift
  - name: Install virtualenv
    pip:
      name: virtualenv
      state: present
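Review bot: `Install Python2 OpenShift Library` installs `python2-pip-8.1.2-9.el7.noarch.rpm` straight from a public S3 URL with no checksum or signature check, so whatever is at that URL at run time lands on the bastion with root privileges, and nothing on the page shows who controls that bucket. Fetching the RPM with `get_url` and a pinned `checksum:` (or serving it from the `own_repo_path` mirror the comment above already mentions) turns it into a verifiable input; the rewritten tasks are below. The `Install virtualenv` pip task that follows has no version pin either, so the same reproducibility argument applies there.
```yaml
  - name: Fetch pinned python2-pip RPM
    get_url:
      url: https://gpte-public.s3.amazonaws.com/python2-pip-8.1.2-9.el7.noarch.rpm
      dest: /tmp/python2-pip-8.1.2-9.el7.noarch.rpm
      checksum: "sha256:<SHA256_PLACEHOLDER>"
  - name: Install Python2 OpenShift Library (and dependencies)
    yum:
      state: present
      name:
      - /tmp/python2-pip-8.1.2-9.el7.noarch.rpm
      - python2-openshift
  # … unchanged: Install virtualenv task …
```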
ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
@@ -11,7 +11,7 @@
      stat:
        path: "/home/{{ ansible_user }}/.aws/credentials"
      register: aws_credentials_result
    - name: Fail if AWS Credentials are not on the host
      fail:
        msg: AWS Credentials are required when requesting certificates for a wildcard domain
@@ -21,7 +21,7 @@
  when: _certbot_dns_provider is match('rfc2136')
  block:
    - name: Verify credential are present on host
      when: _certbot_dns_provider is match('rfc2136')
      when: _certbot_dns_provider is match('rfc2136')
      stat:
        path: /home/{{ _certbot_user }}/.rfc2136.ini
      register: ddns_credentials_result
@@ -32,7 +32,7 @@
      when: ddns_credentials_result.stat.exists == False
- name: Set _certbot_wildcard_certs fact
  set_fact:
  set_fact:
    _certbot_wildcard_certs: "{{ (_certbot_wildcard_domain|length|int>0)|ternary('true','false') }}"
- name: Test if Let's Encrypt Certificates are already there
@@ -60,12 +60,12 @@
    become: True
    become_user: "{{ _certbot_user }}"
    command: "/usr/local/bin/virtualenv -p /usr/bin/python3 {{ _certbot_virtualenv }}"
  - name: Install Certbot into Virtualenv
    become: true
    become_user: "{{ _certbot_user }}"
    command: "{{ _certbot_virtualenv }}/bin/pip3 install -r /tmp/requirements_certbot.txt"
  - name: Copy certbot script to virtualenv
    template:
      src: ./templates/run-certbot.j2
@@ -107,8 +107,8 @@
    - "{{ _certbot_dir }}/config"
    - "{{ _certbot_dir }}/work"
    - "{{ _certbot_dir }}/logs"
    - "{{ _certbot_dir }}/renewal-hooks"
    - "{{ _certbot_dir }}/renewal-hooks/deploy"
    #- "{{ _certbot_dir }}/renewal-hooks"
    #- "{{ _certbot_dir }}/renewal-hooks/deploy"
  - name: Request Certificates from Let's Encrypt (force or no cache)
    when:
@@ -127,12 +127,12 @@
          certbot certonly -n --agree-tos --email {{ _certbot_le_email }}
          -d {{ _certbot_domain }}
          {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}}
          {{ (_certbot_production|bool)|ternary('','--test-cert') }}
          {{ _certbot_additional_args|d(_certbot_args)|d('') }}
          {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }}
          --config-dir={{ _certbot_dir }}/config
          --work-dir={{ _certbot_dir }}/work
          --logs-dir={{ _certbot_dir }}/logs
          {{ (_certbot_production|bool)|ternary('','--test-cert') }}
          {{ _certbot_additional_args|d(_certbot_args)|d('') }}
    - name: Request API and Wildcard Certificates
      # become: false
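Review bot: The directory loop in the `@@ -107,8 +107,8 @@` hunk comments out the `renewal-hooks` and `renewal-hooks/deploy` entries instead of deleting them, which leaves dead lines behind and gives no hint why; the other roles in this commit now install their deploy hooks under `{{ _certbot_dir }}/config/renewal-hooks/deploy`, so if the change relies on certbot creating that tree on first run (which I believe it does), a one-line comment stating that is what the next reader needs, and the two commented entries should go. The hunks at lines 21 and 32 print `when:` and `set_fact:` twice with identical text, which suggests a whitespace-only edit; yamllint's `trailing-spaces` rule would catch that before it reaches a diff. In the `certbot certonly` hunk the reordering still splices `_certbot_additional_args|d(_certbot_args)|d('')` into the command line unquoted, which is fine for operator-supplied values but deserves a comment saying the variable is trusted and not escaped. The task that owns that command starts above the hunk.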
ansible/roles/host-lets-encrypt-certs-certbot/templates/run-certbot.j2
@@ -2,6 +2,8 @@
echo "Activating virtualenv certbot"
source {{ _certbot_virtualenv }}/bin/activate
# TODO: (jbirchler) Check with Jim about the rfc2136 if block
certbot certonly -n --agree-tos --email {{ _certbot_le_email }} \
  -d {{ _certbot_domain }} \
  {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} \
ansible/roles/idm-server/tasks/prep.yml
@@ -1,14 +1,16 @@
---
- name: Install required packages
  package:
  yum:
    name: "{{ idm_rpms }}"
    state: installed
    use_backend: dnf
- name: Upgrade NSS package
  package:
  yum:
    name: nss
    state: latest
    use_backend: dnf
# Cannot use a handler here
- name: Ensure firewalld is running
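Review bot: Swapping `package:` for `yum:` with `use_backend: dnf` ties both tasks to the yum module's dnf shim: on a dnf-only host the `dnf` module states the intent directly, while on any remaining yum-only host this will fail where the generic `package:` worked, so the target OS the role now assumes should be stated in a comment. `state: installed` on the first task is the older alias of `present`; the second task's `state: latest` means every run may upgrade `nss`, which is fine for a prep step but worth a line explaining why latest is wanted. The same `use_backend: dnf` addition appears in `ansible/roles/mysql/tasks/main.yml`.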
ansible/roles/mysql/tasks/main.yml
@@ -6,6 +6,7 @@
      name:
        - mariadb-server
        - firewalld
      use_backend: dnf
  - name: Ensure firewalld is running
    service:
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh
@@ -1,2 +1,4 @@
#!/bin/bash
ansible-playbook ./deploy_certs.yml
pushd ~/certbot/config/renewal-hooks/deploy
ansible-playbook ./deploy_certs.yml -e cluster_name="{{cluster_name}}"
popd
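Review bot: `-e cluster_name="{{cluster_name}}"` is a Jinja placeholder, but `tasks/workload.yml` in this same commit installs this file with `copy:` (`src: ./files/deploy_certs.sh`), which does not render templates, so the installed hook runs with the literal text `{{cluster_name}}` and the `KUBECONFIG` path in `deploy_certs.yml` will not resolve. `ansible/roles/ocp4-workload-idm/tasks/workload.yml` uses `template:` for its equivalent `deploy_certs.sh`; switching this role's task to `template:` makes the two consistent. The script also has no `set -e`, so a failed `pushd` would still run the playbook from whatever the current directory happens to be.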
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml
@@ -11,6 +11,8 @@
  - _certbot_install_dir: "/home/{{ ansible_user }}/certificates"
  - _certbot_remote_dir: "/home/{{ ansible_user }}"
  - _certbot_dir: "{{ _certbot_remote_dir }}/certbot"
  environment:
    KUBECONFIG: /home/{{ansible_user}}/{{cluster_name}}/auth/kubeconfig
  tasks:
  - name: Determine API server hostname
    shell: "oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'"
@@ -52,7 +54,7 @@
  - name: Create new Ingress Controller Certificate
    k8s:
      state: present
      definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}"
      definition: "{{ lookup('template', './templates/router-certs.j2' ) | from_yaml }}"
  - name: Find Ingress Controller Pods
    k8s_facts:
@@ -107,4 +109,3 @@
      regexp: "^ +certificate-authority-data:"
      state: absent
    loop: "{{r_config_files.files}}"
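Review bot: The new `KUBECONFIG` value writes `{{ansible_user}}` and `{{cluster_name}}` without the inner spaces used three lines above (`{{ ansible_user }}`); matching that spacing keeps the file uniform. Because `environment:` sits at play level, `cluster_name` is now required on every invocation of this hook playbook (supplied via `-e` in `deploy_certs.sh`); a comment beside `environment:` stating that requirement, or an early `fail:` when `cluster_name` is undefined, makes the contract visible to whoever runs the hook by hand. The play header starts above the hunk.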
ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml
@@ -94,21 +94,30 @@
  - name: Install redeploy hook scripts
    copy:
      src: ./files/deploy_certs.sh
      dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.sh"
      dest: "/home/{{ ansible_user }}/certbot/config/renewal-hooks/deploy/deploy_certs.sh"
      mode: 0775
      owner: "{{ ansible_user }}"
  - name: Install redeploy hook playbook
    copy:
      src: "./files/deploy_certs.yml"
      dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.yml"
      src: "./files/{{ item }}"
      dest: "/home/{{ ansible_user }}/certbot/config/renewal-hooks/deploy/{{ item }}"
      mode: 0664
      owner: "{{ ansible_user }}"
    loop:
    - deploy_certs.yml
  - name: Create template dir
    file:
      name: "/home/{{ ansible_user }}/certbot/config/renewal-hooks/deploy/templates"
      state: directory
      owner: "{{ ansible_user }}"
      mode: 0775
  - name: Install redeploy secret templates
    copy:
      src: "./templates/{{ item }}"
      dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/{{ item }}"
      dest: "/home/{{ ansible_user }}/certbot/config/renewal-hooks/deploy/templates/{{ item }}"
      mode: 0664
      owner: "{{ ansible_user }}"
    loop:
ansible/roles/ocp4-workload-idm/files/deploy_certs.sh
@@ -1,4 +1,6 @@
#!/bin/bash
pushd ~/idm/certbot/config/renewal-hooks/deploy
ansible-playbook ./deploy_certs.yml \
  -e "_certbot_domain={{ idm_dns_name }}" \
  -e "idm_dm_password={{ idm_dm_password }}"
  -e 'idm_dm_password={{ idm_dm_password }}'
popd
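Review bot: This script is rendered with `template:` and installed at `mode: 0775` (`tasks/workload.yml` in this commit), so after rendering, the plaintext `idm_dm_password` sits in a world-readable file on the IdM host and is then passed as a command-line argument, where any local user can read it from the process list while the playbook runs. Installing the hook with `mode: 0700` and having the hook read the password from a root-only file instead of passing it with `-e` removes both exposures. Switching to single quotes stops `$` and backtick expansion, but a password containing `'` still breaks the line; the Jinja `quote` filter (`-e "idm_dm_password={{ idm_dm_password | quote }}"`) covers that case.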
ansible/roles/ocp4-workload-idm/files/deploy_certs.yml
@@ -25,6 +25,6 @@
  - name: Install IPA Certificate
    shell: |
      ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin=''
      ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p '{{ idm_dm_password }}' --pin=''
      ipactl restart
    become: True
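Review bot: Wrapping `{{ idm_dm_password }}` in single quotes stops the shell from expanding `$`, backticks and spaces, but a password that itself contains `'` still terminates the quote; `-p {{ idm_dm_password | quote }}` lets Ansible produce a correctly escaped argument for any value. The same construct appears three times in the `Install CAs` and `Install IPA Certificate` tasks of `ansible/roles/ocp4-workload-idm/tasks/workload.yml`. Either way `-p` places the Directory Manager password on the command line, where it is visible in the process list for the duration of the call; if the IPA tools can take it from a file or prompt, that is the stricter option. `become: True` would read better as `become: true`.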
ansible/roles/ocp4-workload-idm/tasks/workload.yml
@@ -41,33 +41,42 @@
- name: Install CAs
  shell: |
    echo {{ idm_admin_password }} | kinit admin
    ipa-cacert-manage -p {{ idm_dm_password }} install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,,
    ipa-cacert-manage -p {{ idm_dm_password }} install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,,
    echo '{{ idm_admin_password }}' | kinit admin
    ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,,
    ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,,
    ipa-certupdate -v
  become: True
- name: Install IPA Certificate
  shell: |
    ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin=''
    ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p '{{ idm_dm_password }}' --pin=''
    ipactl restart
  become: True
- name: Install redeploy hook scripts
  template:
    src: ./files/deploy_certs.sh
    dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/deploy_certs.sh"
    dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/deploy_certs.sh"
    mode: 0775
    owner: "{{ ansible_user }}"
- name: Install redeploy hook ansible components
  copy:
    src: "./files/{{ item }}"
    dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/{{ item }}"
    dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/{{ item }}"
    mode: 0664
    owner: "{{ ansible_user }}"
  loop:
  - deploy_certs.yml
- name: Install AWS python prerequisites
  become: True
  pip:
    state: present
    name:
    - boto
    - botocore
    - boto3
# Find public IP of bastion
- name: Gather VPC facts
  ec2_vpc_net_facts:
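Review bot: `Install AWS python prerequisites` installs `boto`, `botocore` and `boto3` from PyPI as root with no version pins, so each run resolves whatever the index serves at that moment; pinning (`- "boto3==<VERSION_PLACEHOLDER>"` and likewise for the others) or installing the distribution RPMs from `own_repo_path` keeps the bastion build reproducible and auditable. The identical task is added to `ansible/roles/ocp4-workload-mysql/tasks/workload.yml`; a shared task file would stop the two copies drifting. `become: True` on the new task and on the shell tasks above would read better as `become: true`, matching the lowercase booleans used elsewhere in this commit.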
ansible/roles/ocp4-workload-mysql/tasks/workload.yml
@@ -9,6 +9,15 @@
    name: mysql
  vars:
    become_override: yes
- name: Install AWS python prerequisites
  become: True
  pip:
    state: present
    name:
    - boto
    - botocore
    - boto3
# Find public IP of bastion
- name: Gather VPC facts
ansible/roles/ocp4-workload-project-request-template/tasks/workload.yml
@@ -5,6 +5,11 @@
  debug:
    msg: "Setting up workload for user ocp_username = {{ ocp_username }}"
- name: Create Project Request Template
  command: oc apply -f -
  args:
    stdin: "{{ lookup('template', './templates/project_request_template.j2') }}"
- name: Create and enable Project Request Template
  k8s:
    state: present
@@ -13,7 +18,6 @@
    - merge
    definition: "{{ lookup('template', item ) | from_yaml }}"
  loop:
  - ./templates/project_request_template.j2
  - ./templates/project_request_config.j2
- name: Add label to openshift-ingress project