Razique Mahroua
2020-03-18 b85c91a8192593f6b62f93e11c971868964343a9
Set of fixes to make the provisioning of DO999 and DO280 courses
compatible with the upstream code.

* Define the Python 3 virtual environment as the Python interpreter for
the provisioning (ocp4-workshop)
* Set a default value for the 'aws_instance_wait_for_stop' variable in
the ocp4-workshop role
* Add the boto packages as requirements for the virtual environment
* Fix an issue in the 'lets-encrypt-certs-certbot' role that would
prevent the installation of the certificates
* Replace the usage of the 'package' module with 'yum' to make the role
compatible with RHEL 7.X machines
* Replace the usage of the 'firewalld' module with 'shell' to make the
role compatible with RHEL 7.X machines
* Add boto pre-requisites in the 'remove_workload.yml' playbook
* Force the issuance of the Let's Encrypt cert (WIP)
8 files modified
104 ■■■■■ changed files
ansible/configs/ocp4-workshop/destroy_env.yml 6 ●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/files/requirements_k8s.txt 3 ●●●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/lifecycle.yml 4 ●●●● patch | view | raw | blame | history
ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml 30 ●●●● patch | view | raw | blame | history
ansible/roles/idm-server/tasks/prep.yml 33 ●●●●● patch | view | raw | blame | history
ansible/roles/mysql/tasks/main.yml 18 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml 8 ●●●●● patch | view | raw | blame | history
ansible/roles/ocp4-workload-idm/tasks/workload.yml 2 ●●● patch | view | raw | blame | history
ansible/configs/ocp4-workshop/destroy_env.yml
@@ -145,6 +145,9 @@
  run_once: true
  become: false
  tasks:
  - name: Set Ansible Python interpreter to k8s virtualenv
    set_fact:
      ansible_python_interpreter: /opt/virtualenvs/k8s/bin/python
  - name: Remove ocp workloads
    when:
    - remove_workloads | d("") | length > 0
@@ -348,10 +351,11 @@
        aws route53 list-hosted-zones-by-name
        --dns-name {{ aws_public_zone }}
        --max-items 4
        --output json
      register: awsroute53zone
      changed_when: false
      retries: 5
      delay: "{{ 60|random(start=3, step=1) }}"
      delay: "{{ 60|random(start=10, step=1) }}"
      until: awsroute53zone is succeeded
    - name: delete zones
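Review bot: The interpreter override added on L34-36 is a `set_fact`, and facts set that way persist for localhost through every later play of the same run, not just this play, so any later localhost play that relies on the system interpreter will silently pick up the virtualenv as well. If that scope is intended, a play-level var makes it explicit: `vars:` / `  ansible_python_interpreter: /opt/virtualenvs/k8s/bin/python`; if it is not, keep the `set_fact` but flag it with `# NOTE: set_fact persists this interpreter for localhost for the rest of the run`. The path is also hard-coded here rather than taken from a variable, so it has to be kept in step by hand with wherever the virtualenv is created. The play header is outside the hunk.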
ansible/configs/ocp4-workshop/files/requirements_k8s.txt
@@ -2,6 +2,9 @@
ansible==2.8.8
asn1crypto==1.3.0
bcrypt==3.1.7
botocore==1.15.15
boto3==1.12.15
boto==2.49.0
cachetools==4.0.0
certifi==2019.11.28
cffi==1.13.2
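Review bot: The three new pins on L57-59 fix versions but not hashes, so a `pip install -r` of this file still trusts whatever the index serves for those names into the interpreter that Ansible itself runs under; `--hash=sha256:...` lines (for example generated with `pip-compile --generate-hashes`) would close that gap for the whole file. Separately, `boto==2.49.0` is the legacy boto 2 library, which has had no release since that version and is no longer maintained; keep it only if a module this config calls still imports boto 2 (some Ansible 2.8 AWS modules do), and mark the pin with `# boto 2 (unmaintained): needed only by legacy AWS modules, drop once none remain`.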
ansible/configs/ocp4-workshop/lifecycle.yml
@@ -64,7 +64,7 @@
      when: ACTION == 'stop'
      ec2_instance:
        state: stopped
        wait: {{ aws_instance_wait_for_stop }}
        wait: "{{ aws_instance_wait_for_stop | default(false) }}"
        filters:
          "tag:guid": "{{ guid }}"
          "tag:env_type": "{{ env_type }}"
@@ -142,4 +142,4 @@
    - name: Approve all additional Pending CSRs
      when: r_new_csrs.resources | length > 0
      command: "oc adm certificate approve {{ item.metadata.name }}"
      loop: "{{ r_new_csrs.resources }}"
      loop: "{{ r_new_csrs.resources }}"
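Review bot: `default(false)` on L69 only applies when `aws_instance_wait_for_stop` is undefined; a value supplied as an empty string from an extra-var is passed through unchanged and would then likely be rejected by the module's boolean argument check. `wait: "{{ aws_instance_wait_for_stop | default(false) | bool }}"` keeps the new default while normalising the usual truthy spellings and an empty value. The quoting fix itself is right — the old unquoted `{{` would have been read by YAML as a flow mapping before Jinja ever saw it. The CSR-approval hunk on L73-78 only adds the missing newline at end of file.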
ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
@@ -11,7 +11,7 @@
      stat:
        path: "/home/{{ ansible_user }}/.aws/credentials"
      register: aws_credentials_result
    - name: Fail if AWS Credentials are not on the host
      fail:
        msg: AWS Credentials are required when requesting certificates for a wildcard domain
@@ -21,7 +21,7 @@
  when: _certbot_dns_provider is match('rfc2136')
  block:
    - name: Verify credential are present on host
      when: _certbot_dns_provider is match('rfc2136')
      when: _certbot_dns_provider is match('rfc2136')
      stat:
        path: /home/{{ _certbot_user }}/.rfc2136.ini
      register: ddns_credentials_result
@@ -80,6 +80,18 @@
    delegate_to: localhost
    register: cache_archive_file
  - name: Ensure Certbot Directories are present
    file:
      name: "{{ item }}"
      state: directory
      owner: "{{ _certbot_remote_dir_owner }}"
      mode: 0775
    loop:
    - "{{ _certbot_dir }}"
    - "{{ _certbot_dir }}/config"
    - "{{ _certbot_dir }}/work"
    - "{{ _certbot_dir }}/logs"
  - name: Restore entire certificate archive
    when:
    - _certbot_use_cache|bool
@@ -95,20 +107,6 @@
    - name: Set _certbot_setup_complete=true
      set_fact:
        _certbot_setup_complete: true
  - name: Ensure Certbot Directories are present
    file:
      name: "{{ item }}"
      state: directory
      owner: "{{ _certbot_remote_dir_owner }}"
      mode: 0775
    loop:
    - "{{ _certbot_dir }}"
    - "{{ _certbot_dir }}/config"
    - "{{ _certbot_dir }}/work"
    - "{{ _certbot_dir }}/logs"
    - "{{ _certbot_dir }}/renewal-hooks"
    - "{{ _certbot_dir }}/renewal-hooks/deploy"
  - name: Request Certificates from Let's Encrypt (force or no cache)
    when:
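Review bot: Moving `Ensure Certbot Directories are present` ahead of the cache restore (L99-109) is the right order, but the relocated loop drops `{{ _certbot_dir }}/renewal-hooks` and `{{ _certbot_dir }}/renewal-hooks/deploy`, which the removed copy still created (L128-129); any later task that writes a deploy hook into that directory (not visible in this hunk) will now fail unless certbot happens to create it first, so the two entries should be added back to the loop after L109. While touching the task, `mode: 0775` makes the tree that will hold `config/live/*/privkey.pem` group-writable and relies on YAML 1.1 octal parsing of an unquoted value — `mode: "0755"` (or `"0750"`) is the explicit form, and certbot typically applies its own tighter permissions to `live`/`archive`, so the parent mode mostly matters for the hooks and for whatever the cache archive restores. The `when:` churn on L91-92 appears to be whitespace only.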
ansible/roles/idm-server/tasks/prep.yml
@@ -1,14 +1,23 @@
---
- name: Install required packages
  package:
    name: "{{ idm_rpms }}"
    state: installed
  # FIXME:
  # Using the 'package' module fails when installing
  # Unable to find yum & rpm python package on RHEL 7.5
  #
  # Error:
  # The Python 32 bindings for rpm are needed for this module. If you require
  # Python 3 support use the `dnf` Ansible module instead.. The Python 2 yum
  # module is needed for this module. If you require Python 3 support use the
  # `dnf` Ansible module instead.
  # package
  #
  # To fix that error, we can install the bastion using a RHEL 8 image
  command:
    yum -y install {{ idm_rpms | join(" ") }}
- name: Upgrade NSS package
  package:
    name: nss
    state: latest
  command:
    yum -y update nss
# Cannot use a handler here
- name: Ensure firewalld is running
@@ -17,12 +26,12 @@
    state: started
    enabled: yes
# The 'firewalld' module is not compatible with Python 3 on RHEL 7
# This has to do with missing python 3 bindings for firewalld
- name: Open Firewall for IdM use
  firewalld:
    service: "{{ item }}"
    permanent: yes
    state: enabled
    immediate: yes
  shell: |
    firewall-cmd --permanent --zone=public --add-service={{ item }}
    firewall-cmd --reload
  with_items:
  - ntp
  - http
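Review bot: The `shell` replacement on L172-174 changes behaviour as well as implementation: the `firewalld` module call it replaces used firewalld's default zone, whereas the new command hardcodes `--zone=public`, so on a host whose default zone is not `public` the IdM services are opened in a zone no interface is bound to. It also runs `firewall-cmd --reload` once per item, always reports `changed`, and uses `shell` where `command` suffices; the `yum` commands on L151-152 and L157-158 likewise report `changed` on every run, which `register` plus `changed_when: "'Nothing to do' not in r_idm_rpms.stdout"` would restore. The sketch below drops the zone override, switches to `command`, and reloads once after the loop; the `ALREADY_ENABLED` test relies on the warning firewall-cmd prints to stderr for a service that is already open — verify it against the firewalld build on the RHEL 7 image. The `with_items` list continues past the end of the hunk, and the comment on L164-165 would be clearer as `# firewall-cmd is called directly: the firewalld module needs Python 3 bindings that RHEL 7 does not ship`.

```yaml
- name: Open Firewall for IdM use
  command: firewall-cmd --permanent --add-service={{ item }}
  register: r_idm_firewall
  changed_when: "'ALREADY_ENABLED' not in r_idm_firewall.stderr"
  with_items:
  - ntp
  - http
  # … unchanged: remaining services in the list …
- name: Apply permanent firewalld rules
  command: firewall-cmd --reload
  when: r_idm_firewall is changed
```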
ansible/roles/mysql/tasks/main.yml
@@ -1,11 +1,8 @@
---
- block:
    # Python 3 bindings for Yum are not present on RHEL 7.X images
  - name: Install MySQL packages
    yum:
      state: present
      name:
        - mariadb-server
        - firewalld
    command: yum -y install mariadb-server firewalld
  - name: Ensure firewalld is running
    service:
@@ -13,14 +10,11 @@
      state: started
      enabled: yes
    # Python 3 bindings for firewalld are not present on RHEL 7.X images
  - name: Open Firewall for MySQL use
    firewalld:
      service: "{{ item }}"
      permanent: yes
      state: enabled
      immediate: yes
    with_items:
    - mysql
    shell: |
        firewall-cmd --permanent --zone=public --add-service=mysql
        firewall-cmd --reload
  - name: Ensure MySQL is running at boot
    service:
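Review bot: As in the idm-server change, the `shell` block on L204-206 hardcodes `--zone=public` where the `firewalld` module it replaces used the default zone, and both it and the `yum` command on L189 report `changed` on every run. `command: firewall-cmd --permanent --add-service=mysql` followed by a separate `command: firewall-cmd --reload` task keeps the zone behaviour of the original, and `register: r_mysql_pkgs` with `changed_when: "'Nothing to do' not in r_mysql_pkgs.stdout"` on the yum line restores idempotency. The `block:` opened on L181 continues past the end of the hunk.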
ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
@@ -1,5 +1,13 @@
---
# Implement your Workload removal tasks here
- name: Install AWS python prerequisites
  become: True
  pip:
    state: present
    name:
    - boto
    - botocore
    - boto3
# Find IP of bastion
- name: Gather VPC facts
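Review bot: The new `pip` task on L213-220 installs `boto`, `botocore` and `boto3` unpinned, as root (`become: True`), into whatever interpreter runs the removal, so each teardown pulls the latest release from the index — a different version from the one the provisioning side pins in `requirements_k8s.txt` in this same commit. Pinning to the same versions, `boto==2.49.0`, `botocore==1.15.15`, `boto3==1.12.15`, keeps both paths on one tested set and removes the moving dependency; if the intent is to reuse the provisioning virtualenv, `virtualenv: /opt/virtualenvs/k8s` on the `pip` task would avoid touching the system site-packages at all. Consider also `become: true` for the canonical YAML boolean.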
ansible/roles/ocp4-workload-idm/tasks/workload.yml
@@ -25,7 +25,7 @@
  - _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz"
  - _certbot_renew_automatically: True
  - _certbot_use_cache: True
  - _certbot_force_issue: False
  - _certbot_force_issue: True
  - _certbot_production: True
  - _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM
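Review bot: With `_certbot_production: True` two lines below, `_certbot_force_issue: True` on L229 asks the production CA for a new certificate on every run of this workload, which counts against Let's Encrypt's duplicate-certificate limit (5 per week for the same set of names) and makes the `_certbot_use_cache: True` on the preceding line moot; a few re-provisions for the same domain names within a week would leave the course unable to obtain certificates. The commit message marks this as WIP, so rather than flipping the default, gate it on a variable the operator sets deliberately: `_certbot_force_issue: "{{ idm_certbot_force_issue | default(false) | bool }}"`. The vars list this entry belongs to starts before the hunk.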