ansible/configs/ocp4-workshop/files/install-config.yaml.j2
@@ -3,9 +3,15 @@ baseDomain: {{ ocp4_base_domain | default(guid + subdomain_base_suffix) }} compute: - hyperthreading: Enabled name: worker name: worker platform: aws: {% if ocp_availability_zones is defined %} zones: {% for az in ocp_availability_zones %} - {{ az }} {% endfor %} {% endif %} type: {{ worker_instance_type }} rootVolume: type: {{ worker_storage_type }} @@ -15,6 +21,12 @@ name: master platform: aws: {% if ocp_availability_zones is defined %} zones: {% for az in ocp_availability_zones %} - {{ az }} {% endfor %} {% endif %} type: {{ master_instance_type }} rootVolume: type: {{ master_storage_type }} ansible/configs/ocp4-workshop/files/repos_template.j2
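Review bot: The zone entries emitted by the new `{% for az in ocp_availability_zones %}` loop are written as bare `- {{ az }}`, so an empty or unexpected value renders as a null or non-string list item that the installer rejects with an opaque schema error instead of pointing at the variable; quoting them, `- "{{ az }}"`, keeps the rendered list well-typed. The same guard-and-loop is repeated for the master pool in the second hunk; defining the zone list once (a Jinja block or a pre-rendered variable) would keep the two pools from drifting. A comment above `{% if ocp_availability_zones is defined %}` stating that omitting the variable leaves zone placement to the installer would help the next reader.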
@@ -1,27 +1,28 @@ [rhel-7-server-rpms] name=Red Hat Enterprise Linux 7 baseurl={{own_repo_path}}/rhel-7-server-rpms baseurl={{own_repo_path}}/ocp/common/rhel-7-server-rpms enabled=1 gpgcheck=0 [rhel-7-server-rh-common-rpms] name=Red Hat Enterprise Linux 7 Common baseurl={{own_repo_path}}/rhel-7-server-rh-common-rpms baseurl={{own_repo_path}}/ocp/common/rhel-7-server-rh-common-rpms enabled=1 gpgcheck=0 [rhel-7-server-extras-rpms] name=Red Hat Enterprise Linux 7 Extras baseurl={{own_repo_path}}/rhel-7-server-extras-rpms baseurl={{own_repo_path}}/ocp/common/rhel-7-server-extras-rpms enabled=1 gpgcheck=0 [rhel-7-server-optional-rpms] name=Red Hat Enterprise Linux 7 Optional baseurl={{own_repo_path}}/rhel-7-server-optional-rpms baseurl={{own_repo_path}}/ocp/common/rhel-7-server-optional-rpms enabled=1 gpgcheck=0 # TODO: (jbirchler) confirm with Jim that this can be 2.8 not 2.7 [rhel-7-server-ansible-2.8-rpms] name=Red Hat Enterprise Linux Ansible (RPMs) baseurl={{own_repo_path}}/rhel-7-server-ansible-2.8-rpms ansible/configs/ocp4-workshop/post_software.yml
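Review bot: Every stanza whose `baseurl` is re-pointed to `{{own_repo_path}}/ocp/common/...` still carries `gpgcheck=0`, so nothing verifies that the packages served from the new mirror path are the signed Red Hat builds; since the mirror path is exactly what this hunk changes, either enable verification, `gpgcheck=1` with `gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release`, or record in a comment why the mirror cannot be verified. The `rhel-7-server-ansible-2.8-rpms` stanza keeps its old `baseurl` layout while the others moved under `/ocp/common/`; if that is intentional it deserves a one-line comment, and the added TODO should state the actual open question or reference an issue rather than a personal reminder. That stanza continues past the end of the hunk.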
@@ -395,5 +395,27 @@ gather_facts: false become: false tasks: - name: Get kubeadmin password slurp: path: /home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeadmin-password register: kubeadminr when: report_status | d(false) - name: Get Cluster ID environment: KUBECONFIG: /home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeconfig command: oc get clusterversion version -o jsonpath="{.spec.clusterID}" register: clusteridr - name: Set cluster id set_fact: cluster_id: "{{ clusteridr.stdout | trim }}" - name: Report provisioning status include_role: name: status-report vars: classroom_status: "Classroom ready" status_json: "{{ lookup('template', 'report.j2') }}" bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}" when: report_status | d(false) - debug: msg: "Post-Software checks completed successfully" ansible/configs/ocp4-workshop/pre_software.yml
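Review bot: The new `Get Cluster ID` and `Set cluster id` tasks are not gated by `when: report_status | d(false)` although the slurp task before them and the report task after them are, so `oc get clusterversion` runs (and reports changed) on every run even when reporting is disabled, and fails the play if the kubeconfig is absent; add the same `when:` to both, or wrap the reporting tasks in one `block:` carrying the condition. `Get kubeadmin password` registers the password in `kubeadminr` without `no_log: true`, so its base64 content lands in verbose output and callback logs; `no_log: true` on that task and on `Report provisioning status` keeps it out. The same ungated `Get Cluster ID` / `Set cluster id` pair is added to software.yml in this commit.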
@@ -45,6 +45,10 @@ become: true roles: - { role: "bastion", when: 'install_bastion | bool' } - role: "status-report-install" vars: bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}" when: 'report_status | d(false)' - { role: "bastion-student-user", when: 'install_student_user | bool' } - { role: "bastion-opentlc-ipa", when: 'install_ipa_client | bool' } tags: ansible/configs/ocp4-workshop/requirements.yml
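Review bot: The new `status-report-install` entry uses block style while the neighbouring entries in the same `roles:` list use the inline `{ role: ..., when: ... }` form, and its `when:` is quoted as a string where the block form needs no quoting; pick one form for the list. If block style is the direction, rewriting the adjacent entries as `- role: bastion` / `  when: install_bastion | bool` keeps the list uniform. The `roles:` list continues past the hunk.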
@@ -4,3 +4,7 @@ - src: https://github.com/redhat-gpte-devopsautomation/ftl-injector name: ftl-injector version: v0.17.0 # From 'Stouts.wsgi' - src: https://github.com/Stouts/Stouts.wsgi version: 2.1.4 ansible/configs/ocp4-workshop/software.yml
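Review bot: The new `Stouts.wsgi` requirement pins `version: 2.1.4`, which for a `src:` pointing at a GitHub repository is a git tag rather than an immutable reference, so the installed content can change without this file changing; pin to the commit the tag resolves to, `version: <commit-sha-that-2.1.4-resolves-to>`, or mirror the role like the other dependencies here. Add a `name:` as the `ftl-injector` entry does so the installed role name does not depend on how galaxy derives it from the URL. The comment `# From 'Stouts.wsgi'` restates the source; saying which role or config needs it would be more useful.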
@@ -1,4 +1,19 @@ --- - name: OpenShift Provisioning Pre-Tasks hosts: localhost connection: local gather_facts: false become: no tasks: - name: Report provisioning status include_role: name: status-report vars: classroom_status: "Starting the OpenShift Installation" status_json: "{{ lookup('template', 'report-before-install.j2') }}" bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}" when: report_status | d(false) - name: Step 00xxxxx software hosts: bastions gather_facts: false @@ -51,7 +66,16 @@ aws_access_key_id = {{ hostvars.localhost.student_access_key_id }} aws_secret_access_key = {{ hostvars.localhost.student_secret_access_key }} # For GA Releases # - name: Install Packages # become: yes # package: # name: # - golang # - python2-boto # - python2-boto3 # - unzip # For GA Releases - name: Set URLs for OpenShift GA releases when: not ocp4_installer_use_dev_preview | d(False) | bool set_fact: @@ -203,6 +227,16 @@ command: oc whoami --show-server register: showserver - name: Get Cluster ID environment: KUBECONFIG: /home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeconfig command: oc get clusterversion version -o jsonpath="{.spec.clusterID}" register: clusteridr - name: Set cluster id set_fact: cluster_id: "{{ clusteridr.stdout | trim }}" - name: Print Overview debug: msg: "{{ item }}" @@ -233,6 +267,15 @@ - "user.info: You *CANNOT* SSH into this environment" when: not install_student_user | bool - name: Report provisioning status include_role: name: status-report vars: classroom_status: "OpenShift Installation Completed" status_json: "{{ lookup('template', 'report.j2') }}" bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}" when: report_status | d(false) always: - name: Delete deployinprogress lock file file: ansible/configs/ocp4-workshop/templates/report-before-install.j2
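Review bot: The new localhost play sets `become: no`, a YAML 1.1 boolean spelling that yamllint's truthy rule flags and that differs from the `false` used elsewhere in this play; write `become: false`. The `Get Cluster ID` / `Set cluster id` pair added before `Print Overview` runs unconditionally while the `Report provisioning status` task that consumes `cluster_id` is gated on `report_status | d(false)`; gate the pair the same way so a run without reporting does not fail on a missing kubeconfig. Removing the commented-out `Install Packages` block is good; if a `# For GA Releases` comment is still left directly above `Set URLs for OpenShift GA releases`, it now duplicates the task name and can go too.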
New file @@ -0,0 +1 @@ { "classroom_identifier": "{{ guid }}", "classroom_type": "{{ env_type }}", "classroom_region": "{{ aws_region }}", "status": "{{ classroom_status | d('unknown') }}" } ansible/configs/ocp4-workshop/templates/report.j2
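Review bot: The new template splices `{{ guid }}`, `{{ env_type }}`, `{{ aws_region }}` and `{{ classroom_status | d('unknown') }}` into hand-written JSON without escaping, so any value containing a double quote or backslash yields invalid JSON that the status-report consumer will reject or misparse; emit each value through the JSON filter and drop the surrounding quotes, e.g. `"status": {{ classroom_status | d('unknown') | to_json }}`. Building a dict and rendering it with a single `{{ payload | to_json }}` would be more robust still. report.j2 in this commit has the same issue.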
New file @@ -0,0 +1 @@ { "cluster_id": "{{ cluster_id }}", "cluster_username": "kubeadmin", "cluster_password": "{{ kubeadminr.content | b64decode }}", "cluster_api_url": "api.{{cluster_name}}{{subdomain_base_suffix}}:6443", "classroom_identifier": "{{ guid }}", "classroom_type": "{{ env_type }}", "classroom_region": "{{ aws_region }}", "status": "{{ classroom_status | d('unknown') }}" } ansible/roles/bastion/tasks/k8s.yml
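Review bot: `cluster_password` writes the decoded kubeadmin password into the report body, and the tasks that render this template via `lookup('template', 'report.j2')` are not marked `no_log`, so the credential appears in Ansible output and logs whenever such a task fails or runs verbose; mark the `Report provisioning status` tasks `no_log: true`, and the kubeadmin slurp task likewise. The decoded password is interpolated unescaped, so a generated password containing `"` or `\` breaks the JSON; use `"cluster_password": {{ kubeadminr.content | b64decode | to_json }}`. `cluster_api_url` has no scheme (`api.{{cluster_name}}{{subdomain_base_suffix}}:6443`); if consumers expect a URL, prefix `https://`, otherwise rename the key.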
New file @@ -0,0 +1,18 @@ --- - tags: - bastion_k8s block: # TODO: (jbirchler) Ask JimR if this should be deleted (it is deleted upstream) # Note: EPEL must be enabled "somewhere". Currently # EPEL comes from {own_repo_path}/{osrelease}/epel # Repo needs to be enabled in repos_template.j2 - name: Install Python2 OpenShift Library (and dependencies) yum: state: present name: - https://gpte-public.s3.amazonaws.com/python2-pip-8.1.2-9.el7.noarch.rpm - python2-openshift - name: Install virtualenv pip: name: virtualenv state: present ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
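Review bot: The `Install Python2 OpenShift Library` task installs `python2-pip-8.1.2-9.el7.noarch.rpm` directly from an S3 URL, which bypasses the repository GPG verification that applies to `python2-openshift` and leaves no integrity check on the fetched package; either serve the RPM from the mirrored repo that the comment above the task already points to, or fetch it with `get_url` using `checksum: sha256:<expected-digest>` before installing. The `virtualenv` pip install is unpinned, so each run can pull a different release; pin it, `name: virtualenv==<pinned-version>`. The TODO asking whether this file should exist belongs in the commit message or an issue, with the decision recorded here once made.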
@@ -11,7 +11,7 @@ stat: path: "/home/{{ ansible_user }}/.aws/credentials" register: aws_credentials_result - name: Fail if AWS Credentials are not on the host fail: msg: AWS Credentials are required when requesting certificates for a wildcard domain @@ -21,7 +21,7 @@ when: _certbot_dns_provider is match('rfc2136') block: - name: Verify credential are present on host when: _certbot_dns_provider is match('rfc2136') when: _certbot_dns_provider is match('rfc2136') stat: path: /home/{{ _certbot_user }}/.rfc2136.ini register: ddns_credentials_result @@ -32,7 +32,7 @@ when: ddns_credentials_result.stat.exists == False - name: Set _certbot_wildcard_certs fact set_fact: set_fact: _certbot_wildcard_certs: "{{ (_certbot_wildcard_domain|length|int>0)|ternary('true','false') }}" - name: Test if Let's Encrypt Certificates are already there @@ -60,12 +60,12 @@ become: True become_user: "{{ _certbot_user }}" command: "/usr/local/bin/virtualenv -p /usr/bin/python3 {{ _certbot_virtualenv }}" - name: Install Certbot into Virtualenv become: true become_user: "{{ _certbot_user }}" command: "{{ _certbot_virtualenv }}/bin/pip3 install -r /tmp/requirements_certbot.txt" - name: Copy certbot script to virtualenv template: src: ./templates/run-certbot.j2 @@ -107,8 +107,8 @@ - "{{ _certbot_dir }}/config" - "{{ _certbot_dir }}/work" - "{{ _certbot_dir }}/logs" - "{{ _certbot_dir }}/renewal-hooks" - "{{ _certbot_dir }}/renewal-hooks/deploy" #- "{{ _certbot_dir }}/renewal-hooks" #- "{{ _certbot_dir }}/renewal-hooks/deploy" - name: Request Certificates from Let's Encrypt (force or no cache) when: 
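Review bot: The two `renewal-hooks` directory entries are commented out rather than removed, and nothing in the hunk records why; if the intent is that certbot creates `renewal-hooks/deploy` under `--config-dir` on its first run, say so in a comment and delete the lines, because the workload roles in this commit now copy hook scripts into `certbot/config/renewal-hooks/deploy` and a reader will look here for where that path is created. The remaining hunks in this file appear to be whitespace-only (the rendered view repeats `when:` and `set_fact:` lines); if so, a note in the commit message would save reviewers from hunting for a semantic change. The `Request Certificates from Let's Encrypt (force or no cache)` task begins at the end of the hunk and continues outside it.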
@@ -127,12 +127,12 @@ certbot certonly -n --agree-tos --email {{ _certbot_le_email }} -d {{ _certbot_domain }} {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} {{ (_certbot_production|bool)|ternary('','--test-cert') }} {{ _certbot_additional_args|d(_certbot_args)|d('') }} {{ (_certbot_wildcard_certs|bool)|ternary('--dns-'+_certbot_dns_provider, '') }} --config-dir={{ _certbot_dir }}/config --work-dir={{ _certbot_dir }}/work --logs-dir={{ _certbot_dir }}/logs {{ (_certbot_production|bool)|ternary('','--test-cert') }} {{ _certbot_additional_args|d(_certbot_args)|d('') }} - name: Request API and Wildcard Certificates # become: false ansible/roles/host-lets-encrypt-certs-certbot/templates/run-certbot.j2
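Review bot: The `--test-cert` / `_certbot_additional_args` pair is moved to the end of the certbot invocation without a comment explaining why position matters; if `_certbot_additional_args` may carry options that must override the directory flags, state it, e.g. `# additional args last so they can override the defaults above`. `_certbot_additional_args|d(_certbot_args)|d('')` is spliced into the command unquoted, which is needed for multiple options but means its value must come from trusted inventory; worth stating next to the variable's default. The task that owns this command starts before the hunk.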
@@ -2,6 +2,8 @@ echo "Activating virtualenv certbot" source {{ _certbot_virtualenv }}/bin/activate # TODO: (jbirchler) Check with Jim about the rfc2136 if block certbot certonly -n --agree-tos --email {{ _certbot_le_email }} \ -d {{ _certbot_domain }} \ {{ (_certbot_wildcard_domain|length>0)|ternary('-d','')}} {{ (_certbot_wildcard_domain|length>0)|ternary(_certbot_wildcard_domain,'')}} \ ansible/roles/idm-server/tasks/prep.yml
@@ -1,14 +1,16 @@ --- - name: Install required packages package: yum: name: "{{ idm_rpms }}" state: installed use_backend: dnf - name: Upgrade NSS package package: yum: name: nss state: latest use_backend: dnf # Cannot use a handler here - name: Ensure firewalld is running ansible/roles/mysql/tasks/main.yml
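Review bot: Replacing `package:` with `yum:` plus `use_backend: dnf` ties these tasks to the yum action plugin on RHEL-family hosts, and the reason is not recorded; if the target is now a dnf-based release, a comment such as `# yum action plugin with dnf backend: targets dnf-based hosts` above the first task, or using the `dnf:` module directly, makes the intent clear. `state: installed` is only an alias; `state: present` matches the `state: latest` spelling used in the next task. mysql/tasks/main.yml in this commit adds the same `use_backend: dnf` line and the same note applies there.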
@@ -6,6 +6,7 @@ name: - mariadb-server - firewalld use_backend: dnf - name: Ensure firewalld is running service: ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.sh
@@ -1,2 +1,4 @@ #!/bin/bash ansible-playbook ./deploy_certs.yml pushd ~/certbot/config/renewal-hooks/deploy ansible-playbook ./deploy_certs.yml -e cluster_name="{{cluster_name}}" popd ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/files/deploy_certs.yml
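Review bot: The script now embeds `{{cluster_name}}`, but workload.yml in this commit still installs it with `copy: src: ./files/deploy_certs.sh`, which does not render Jinja, so the literal string `{{cluster_name}}` is passed to `ansible-playbook`; switch that task to `template:` as the idm role's hook task does, or have the hook read the cluster name from a file at run time. The `pushd` into `~/certbot/config/renewal-hooks/deploy` is unchecked, so a missing directory leaves `ansible-playbook` running from certbot's working directory with a relative `./deploy_certs.yml`; add `set -euo pipefail` after the shebang so the hook stops at the first failure.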
@@ -11,6 +11,8 @@ - _certbot_install_dir: "/home/{{ ansible_user }}/certificates" - _certbot_remote_dir: "/home/{{ ansible_user }}" - _certbot_dir: "{{ _certbot_remote_dir }}/certbot" environment: KUBECONFIG: /home/{{ansible_user}}/{{cluster_name}}/auth/kubeconfig tasks: - name: Determine API server hostname shell: "oc whoami --show-server | cut -f 2 -d ':' | cut -f 3 -d '/' | sed 's/-api././'" @@ -52,7 +54,7 @@ - name: Create new Ingress Controller Certificate k8s: state: present definition: "{{ lookup('template', './router-certs.j2' ) | from_yaml }}" definition: "{{ lookup('template', './templates/router-certs.j2' ) | from_yaml }}" - name: Find Ingress Controller Pods k8s_facts: @@ -107,4 +109,3 @@ regexp: "^ +certificate-authority-data:" state: absent loop: "{{r_config_files.files}}" ansible/roles/ocp4-workload-enable-lets-encrypt-certificates/tasks/workload.yml
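Review bot: The play-level `KUBECONFIG` path depends on `cluster_name`, which only arrives via the `-e` argument in the hook script, so a hook invoked without it fails later inside `oc whoami` with an unrelated error; an `assert` at the top of `tasks:`, `- assert: { that: cluster_name is defined, fail_msg: "cluster_name must be passed with -e" }`, reports the real cause. The corrected path `./templates/router-certs.j2` only works because the workload role now copies templates into a `templates` subdirectory; a one-line comment on the `Create new Ingress Controller Certificate` task tying the two together would stop the next refactor from breaking it. The final hunk appears to drop a trailing line at the end of the file, which is fine if it was whitespace.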
@@ -94,21 +94,30 @@ - name: Install redeploy hook scripts copy: src: ./files/deploy_certs.sh dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.sh" dest: "/home/{{ ansible_user }}/certbot/config/renewal-hooks/deploy/deploy_certs.sh" mode: 0775 owner: "{{ ansible_user }}" - name: Install redeploy hook playbook copy: src: "./files/deploy_certs.yml" dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/deploy_certs.yml" src: "./files/{{ item }}" dest: "/home/{{ ansible_user }}/certbot/config/renewal-hooks/deploy/{{ item }}" mode: 0664 owner: "{{ ansible_user }}" loop: - deploy_certs.yml - name: Create template dir file: name: "/home/{{ ansible_user }}/certbot/config/renewal-hooks/deploy/templates" state: directory owner: "{{ ansible_user }}" mode: 0775 - name: Install redeploy secret templates copy: src: "./templates/{{ item }}" dest: "/home/{{ ansible_user }}/certbot/renewal-hooks/deploy/{{ item }}" dest: "/home/{{ ansible_user }}/certbot/config/renewal-hooks/deploy/templates/{{ item }}" mode: 0664 owner: "{{ ansible_user }}" loop: ansible/roles/ocp4-workload-idm/files/deploy_certs.sh
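Review bot: The new `Create template dir` task and the tasks around it write file modes as bare `0775` / `0664`, which only work because YAML 1.1 octal parsing turns them into the intended integers; quote them, `mode: "0775"`, so a YAML 1.2 loader or a linter does not read them as decimal. `Install redeploy hook playbook` was generalised to `src: "./files/{{ item }}"` with a one-item `loop:`, which reads as preparation for more files; if none are planned the plain `src:`/`dest:` form is simpler, otherwise a comment naming the intended additions would help. The `Install redeploy secret templates` loop continues past the end of the hunk.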
@@ -1,4 +1,6 @@ #!/bin/bash pushd ~/idm/certbot/config/renewal-hooks/deploy ansible-playbook ./deploy_certs.yml \ -e "_certbot_domain={{ idm_dns_name }}" \ -e "idm_dm_password={{ idm_dm_password }}" -e 'idm_dm_password={{ idm_dm_password }}' popd ansible/roles/ocp4-workload-idm/files/deploy_certs.yml
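Review bot: Switching to `-e 'idm_dm_password={{ idm_dm_password }}'` stops the shell from expanding `$` or backticks in the password, but a password containing a single quote still breaks the command, and the credential remains in a script on disk and on the `ansible-playbook` command line where any local process listing can read it; since this file is rendered with `template:`, let Ansible do the quoting, `-e idm_dm_password={{ idm_dm_password | quote }}`, and prefer passing it as `-e @<vars-file-with-0600-perms>` written by the role so it leaves the command line. Whatever form is kept, the installed script must not be group- or world-readable. The unchecked `pushd` would benefit from `set -euo pipefail` after the shebang, as in the certbot role's hook.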
@@ -25,6 +25,6 @@ - name: Install IPA Certificate shell: | ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin='' ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p '{{ idm_dm_password }}' --pin='' ipactl restart become: True ansible/roles/ocp4-workload-idm/tasks/workload.yml
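Review bot: Quoting `-p '{{ idm_dm_password }}'` protects against shell metacharacters but not against a password containing `'`, and the password is still on the `ipa-server-certinstall` command line; use `-p {{ idm_dm_password | quote }}` so Ansible produces correct shell quoting, and add `no_log: true` to the task so a failure does not print the command with the password. The same quoting change appears in the `Install CAs` and `Install IPA Certificate` tasks of tasks/workload.yml in this commit (including `echo '{{ idm_admin_password }}' | kinit admin`), where the same two fixes apply.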
@@ -41,33 +41,42 @@ - name: Install CAs shell: | echo {{ idm_admin_password }} | kinit admin ipa-cacert-manage -p {{ idm_dm_password }} install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,, ipa-cacert-manage -p {{ idm_dm_password }} install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,, echo '{{ idm_admin_password }}' | kinit admin ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/DSTRootCAX3.pem -n DSTRootCAX3 -t C,, ipa-cacert-manage -p '{{ idm_dm_password }}' install /tmp/LEAuthX3.pem -n LEAuthX3 -t C,, ipa-certupdate -v become: True - name: Install IPA Certificate shell: | ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p {{ idm_dm_password }} --pin='' ipa-server-certinstall -w -d /home/{{ ansible_user }}/idm/certificates/privkey.pem /home/{{ ansible_user }}/idm/certificates/fullchain.pem -p '{{ idm_dm_password }}' --pin='' ipactl restart become: True - name: Install redeploy hook scripts template: src: ./files/deploy_certs.sh dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/deploy_certs.sh" dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/deploy_certs.sh" mode: 0775 owner: "{{ ansible_user }}" - name: Install redeploy hook ansible components copy: src: "./files/{{ item }}" dest: "/home/{{ ansible_user }}/idm/certbot/renewal-hooks/deploy/{{ item }}" dest: "/home/{{ ansible_user }}/idm/certbot/config/renewal-hooks/deploy/{{ item }}" mode: 0664 owner: "{{ ansible_user }}" loop: - deploy_certs.yml - name: Install AWS python prerequisites become: True pip: state: present name: - boto - botocore - boto3 # Find public IP of bastion - name: Gather VPC facts ec2_vpc_net_facts: ansible/roles/ocp4-workload-mysql/tasks/workload.yml
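Review bot: `Install redeploy hook scripts` renders deploy_certs.sh, which carries `idm_dm_password` in clear text, and installs it with `mode: 0775`, so every local account on the host can read the Directory Manager password; tighten it to at most `mode: "0750"` (`"0700"` if certbot invokes the hook as the file owner, which should be confirmed) and quote the octal modes so YAML 1.1 octal parsing is not relied on. The added `Install AWS python prerequisites` task installs `boto`, `botocore` and `boto3` unpinned into the system Python as root; pin the versions, and since the identical task is added to ocp4-workload-mysql in this commit, a shared role or an inventory-level requirement avoids two copies. The `Gather VPC facts` task continues beyond the hunk.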
@@ -9,6 +9,15 @@ name: mysql vars: become_override: yes - name: Install AWS python prerequisites become: True pip: state: present name: - boto - botocore - boto3 # Find public IP of bastion - name: Gather VPC facts ansible/roles/ocp4-workload-project-request-template/tasks/workload.yml
@@ -5,6 +5,11 @@ debug: msg: "Setting up workload for user ocp_username = {{ ocp_username }}" - name: Create Project Request Template command: oc apply -f - args: stdin: "{{ lookup('template', './templates/project_request_template.j2') }}" - name: Create and enable Project Request Template k8s: state: present @@ -13,7 +18,6 @@ - merge definition: "{{ lookup('template', item ) | from_yaml }}" loop: - ./templates/project_request_template.j2 - ./templates/project_request_config.j2 - name: Add label to openshift-ingress project
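Review bot: The new `Create Project Request Template` task shells out to `oc apply -f -` with the rendered template on stdin and has no `changed_when`, so it reports changed on every run and makes the role permanently non-idempotent; derive the status from the output, `register: r_prt` with `changed_when: "'unchanged' not in r_prt.stdout"`. The commit removes this object from the `k8s:` loop below without saying why the module could not apply it; a comment on the new task, `# applied with oc instead of k8s: <reason>`, would keep someone from folding it back into the loop. The `Add label to openshift-ingress project` task starts at the end of the hunk and continues outside it.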