From 6c25b430d6555a75cf639be91233cd536318d88d Mon Sep 17 00:00:00 2001
From: Wolfgang Kulhanek <wkulhanek@users.noreply.github.com>
Date: Thu, 12 Mar 2020 20:15:24 +0100
Subject: [PATCH] [WIP] New way of doing role inputs (#1309)
---
ansible/roles/ocp4-workload-authentication/tasks/workload.yml | 125 ++++---
ansible/roles/ocp4-workload-machinesets/readme.adoc | 111 ++++++
.gitignore | 3
ansible/roles/ocp4-workload-machinesets/meta/main.yml | 16 +
ansible/roles/ocp4_machineset_config/templates/machineset-aws.j2 | 13
ansible/roles/ocp4-workload-authentication/templates/htpasswd.j2 | 6
ansible/roles/ocp4-workload-authentication/defaults/main.yml | 53 ++-
ansible/roles/ocp4-workload-machinesets/templates/ingress-controller.j2 | 18 +
ansible/roles/ocp4-workload-logging/templates/cluster_logging.j2 | 38 +-
ansible/roles/ocp4-workload-machinesets/tasks/post_workload.yml | 8
ansible/roles/ocp4-workload-machinesets/templates/node-ca-daemonset.j2 | 24 +
ansible/roles/ocp4_machineset_config/meta/main.yml | 4
ansible/roles/ocp4-workload-machinesets/templates/machine-config-daemonset.j2 | 24 +
ansible/roles/ocp4-workload-authentication/templates/oauth-opentlc-ldap.j2 | 4
ansible/roles/ocp4-workload-machinesets/tasks/main.yml | 30 +
ansible/roles/ocp4-workload-logging/meta/main.yml | 15
ansible/roles/ocp4-workload-machinesets/tasks/workload.yml | 73 ++++
ansible/roles/ocp4-workload-authentication/templates/cluster_role_binding.j2 | 4
ansible/roles/ocp4-workload-logging/tasks/workload.yml | 38 +-
ansible/roles/ocp4-workload-machinesets/defaults/main.yml | 88 +++++
ansible/roles/ocp4-workload-authentication/tasks/main.yml | 1
ansible/roles/ocp4-workload-authentication/meta/main.yml | 14
ansible/roles/ocp4_machineset_config/tasks/set-facts.yml | 4
ansible/roles/ocp4_machineset_config/tasks/machineset-openstack.yml | 2
ansible/roles/ocp4_machineset_config/templates/machineset-openstack.j2 | 13
ansible/roles/ocp4-workload-machinesets/tasks/pre_workload.yml | 8
ansible/roles/ocp4-workload-infra-nodes/OWNERS | 4
ansible/roles/ocp4_machineset_config/tasks/machineset-group-aws.yml | 4
ansible/roles/ocp4-workload-machinesets/templates/image-registry.j2 | 14
ansible/roles/ocp4-workload-machinesets/tasks/remove_workload.yml | 82 +++++
ansible/roles/ocp4-workload-logging/defaults/main.yml | 34 +
ansible/roles/ocp4-workload-machinesets/files/cluster-monitoring-config.yml | 78 ++++
32 files changed, 799 insertions(+), 154 deletions(-)
diff --git a/.gitignore b/.gitignore
index 43886ef..bcca342 100644
--- a/.gitignore
+++ b/.gitignore
@@ -26,7 +26,8 @@
.pre-commit-config.yaml
.DS_Store
my_*_vars.yml
-
+user-data.yaml
+user-info.yaml
.vscode/settings.json
__pycache__
*.pyc
diff --git a/ansible/roles/ocp4-workload-authentication/defaults/main.yml b/ansible/roles/ocp4-workload-authentication/defaults/main.yml
index dac4b18..b2eb491 100644
--- a/ansible/roles/ocp4-workload-authentication/defaults/main.yml
+++ b/ansible/roles/ocp4-workload-authentication/defaults/main.yml
@@ -3,30 +3,41 @@
ocp_username: "system:admin"
silent: False
-# ocp4_idm_install can be one of none, htpasswd, ldap
-ocp4_idm_install: none
+ocp4_workload_authentication_defaults:
+ # idm_type: 'none', 'ldap' or 'httpasswd'
+ # admin_user: wkulhane-redhat.com
+ idm_type: htpasswd
-# Set up a user from the Authentication Provider with cluster-admin permissions
-ocp4_idm_admin_user: opentlc-mgr
+ # Base of the users for htpasswd
+ htpasswd_user_base: user
+ htpasswd_user_count: 100
+ # Set a password for all htpasswd users
+ # If no password set a 16 character random password will be generated
+ # htpasswd_user_password: openshift
-# LDAP settings
-ocp4_idm_ldap_url: ldaps://ipa1.opentlc.com:636/cn=users,cn=accounts,dc=opentlc,dc=com?uid
-ocp4_idm_ldap_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt
-ocp4_idm_ldap_bind_dn: "uid=ose-mwl-auth,cn=users,cn=accounts,dc=opentlc,dc=com"
+ # admin_user for LDAP will need to exist in LDAP
+ # admin_user for htpasswd will be created
+ admin_user: admin
+ # Set a password for the admin user (only htpasswd)
+ # If no password set a 16 character random password will be generated
+ # htpasswd_admin_password: openshift_admin
-# htpasswd settings
-# -----------------
-# Base of the users for htpasswd
-ocp4_idm_htpasswd_user_base: user
-ocp4_idm_htpasswd_user_count: 100
+ # LDAP settings
+ ldap_url: ldaps://ipa1.opentlc.com:636/cn=users,cn=accounts,dc=opentlc,dc=com?uid
+ ldap_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt
+ ldap_bind_dn: "uid=ose-mwl-auth,cn=users,cn=accounts,dc=opentlc,dc=com"
-# Set a password for the Admin User
-# If no password set a 16 character random password will be generated
-# ocp4_idm_htpasswd_admin_password:
+ # Remove Kubeadmin user upon successful installation of Authentication
+ remove_kubeadmin: true
-# Set a password for all htpasswd users
-# If no password set a 16 character random password will be generated
-# ocp4_idm_htpasswd_user_password:
+# Override the defaults by setting the overrides in
+# ocp4_workload_logging_input: {}
+#
+# For example to set up LDAP:
+# ocp4_workload_authentication_input:
+# idm_type: ldap
+# admin_user: wkulhane-redhat.com
-# Remove Kubeadmin user upon successful installation of Authentication
-ocp4_idm_remove_kubeadmin: true
+# Secret Variables should come from secrets file
+# ocp4_workload_authentication_secret:
+# ldap_bind_password: <should come from secrets>
diff --git a/ansible/roles/ocp4-workload-authentication/meta/main.yml b/ansible/roles/ocp4-workload-authentication/meta/main.yml
new file mode 100644
index 0000000..d3db0bd
--- /dev/null
+++ b/ansible/roles/ocp4-workload-authentication/meta/main.yml
@@ -0,0 +1,14 @@
+---
+galaxy_info:
+ role_name: ocp4-workload-authentication
+ author: Wolfgang Kulhanek
+ description: |
+ Set up Authentication for OpenShift 4. Either ldap, htpasswd or none can be set up.
+ ldap will set up OpenTLC LDAP authentication.
+ license: MIT
+ min_ansible_version: 2.8
+ platforms: []
+ galaxy_tags:
+ - ocp
+ - openshift
+dependencies: []
diff --git a/ansible/roles/ocp4-workload-authentication/tasks/main.yml b/ansible/roles/ocp4-workload-authentication/tasks/main.yml
index 5ce63f1..03a4801 100644
--- a/ansible/roles/ocp4-workload-authentication/tasks/main.yml
+++ b/ansible/roles/ocp4-workload-authentication/tasks/main.yml
@@ -1,5 +1,4 @@
---
-
# Do not modify this file
- name: Running Pre Workload Tasks
diff --git a/ansible/roles/ocp4-workload-authentication/tasks/workload.yml b/ansible/roles/ocp4-workload-authentication/tasks/workload.yml
index 1065ea9..6ef4ea3 100644
--- a/ansible/roles/ocp4-workload-authentication/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-authentication/tasks/workload.yml
@@ -1,50 +1,68 @@
---
-# Implement your Workload deployment tasks here
+- name: Set up ocp4_workload_authentication combined dictionary
+ set_fact:
+ ocp4_workload_authentication: >-
+ {{ ocp4_workload_authentication_defaults
+ | combine(ocp4_workload_authentication_input | default( {} ),
+ ocp4_workload_authentication_secret | default( {} ), recursive=true)
+ }}
+- name: Print combined role variables
+ debug:
+ var: ocp4_workload_authentication
+ verbosity: 2
-- name: Check that ocp4_idm_install is defined
- when:
- - ocp4_idm_install is not defined
- fail:
- msg: "ocp4_idm_install is not defined"
+- name: Check that ocp4_workload_authentication.idm_type is defined and valid
+ assert:
+ that:
+ - ocp4_workload_authentication.idm_type is defined
+ - ocp4_workload_authentication.idm_type == "none" or ocp4_workload_authentication.idm_type == "htpasswd" or ocp4_workload_authentication.idm_type == "ldap"
+ fail_msg: "ocp4_workload_authentication.idm_type is not defined or not in ('none', 'htpasswd', 'ldap')."
- name: Setup HTPasswd Authentication
- when: ocp4_idm_install == "htpasswd"
+ when: ocp4_workload_authentication.idm_type == "htpasswd"
block:
- # Generate Passwords if no passwords specified
- name: Generate cluster admin password
- when: ocp4_idm_htpasswd_admin_password | d('') | length == 0
+ when: ocp4_workload_authentication.htpasswd_admin_password | d('') | length == 0
set_fact:
- ocp4_idm_htpasswd_admin_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}"
+ ocp4_workload_authentication_admin_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}"
+
+ - name: Use provided admin password
+ when: ocp4_workload_authentication.htpasswd_admin_password | d('') | length > 0
+ set_fact:
+ ocp4_workload_authentication_admin_password: "{{ ocp4_workload_authentication.htpasswd_admin_password }}"
+
+ - name: Generate htpasswd hash for admin user
+ shell: >-
+ htpasswd -nb "admin" "{{ ocp4_workload_authentication_admin_password }}"|cut -d: -f2
+ register: r_htpasswd_line
+
+ - name: Set htpasswd admin password hash
+ set_fact:
+ ocp4_workload_authentication_admin_password_hash: "{{ r_htpasswd_line.stdout }}"
+ when:
+ - r_htpasswd_line is succeeded
- name: Generate user passwords
- when: ocp4_idm_htpasswd_user_password | d('') | length == 0
+ when: ocp4_workload_authentication.htpasswd_user_password | d('') | length == 0
set_fact:
- ocp4_idm_htpasswd_user_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}"
+ ocp4_workload_authentication_user_password: "{{ lookup('password', '/dev/null length=16 chars=ascii_letters,digits') }}"
- # Generate password hashes
+ - name: Use provided user passwords
+ when: ocp4_workload_authentication.htpasswd_user_password | d('') | length > 0
+ set_fact:
+ ocp4_workload_authentication_user_password: "{{ ocp4_workload_authentication.htpasswd_user_password }}"
+
- name: Generate htpasswd hash for user passwords
shell: >-
- htpasswd -nb "userN" "{{ ocp4_idm_htpasswd_user_password }}"|cut -d: -f2
- register: htpasswd_line
+ htpasswd -nb "userN" "{{ ocp4_workload_authentication_user_password }}"|cut -d: -f2
+ register: r_htpasswd_line
- - name: Set fact ocp4_idm_htpasswd_user_password_hash
+ - name: Set htpasswd user password hash
set_fact:
- ocp4_idm_htpasswd_user_password_hash: "{{ htpasswd_line.stdout }}"
+ ocp4_workload_authentication_user_password_hash: "{{ r_htpasswd_line.stdout }}"
when:
- - htpasswd_line is succeeded
+ - r_htpasswd_line is succeeded
- - name: Generate htpasswd hash for ocp4_idm_admin_user
- shell: >-
- htpasswd -nb "admin" "{{ ocp4_idm_htpasswd_admin_password }}"|cut -d: -f2
- register: htpasswd_line
-
- - name: Set fact ocp4_idm_htpasswd_admin_password_hash
- set_fact:
- ocp4_idm_htpasswd_admin_password_hash: "{{ htpasswd_line.stdout }}"
- when:
- - htpasswd_line is succeeded
-
- # Generate htpasswd file
- name: Generate htpasswd file
template:
src: "htpasswd.j2"
@@ -66,9 +84,6 @@
- name: Update OAuth Configuration
k8s:
state: present
- merge_type:
- - strategic-merge
- - merge
definition: "{{ lookup('file', item ) | from_yaml }}"
loop:
- ./files/oauth-htpasswd.yaml
@@ -85,30 +100,30 @@
msg: "{{ item }}"
loop:
- "user.info: HTPasswd Authentication is enabled on this cluster."
- - "user.info: {{ ocp4_idm_htpasswd_user_base }}1 .. {{ ocp4_idm_htpasswd_user_base }}{{ ocp4_idm_htpasswd_user_count }} are created."
- - "user.info: User `{{ ocp4_idm_admin_user }}` is cluster admin with password `{{ ocp4_idm_htpasswd_admin_password }}`."
+ - "user.info: {{ ocp4_workload_authentication.htpasswd_user_base }}1 .. {{ ocp4_workload_authentication.htpasswd_user_base }}{{ ocp4_workload_authentication.htpasswd_user_count }} are created with password `{{ ocp4_workload_authentication_user_password }}`"
+ - "user.info: User `{{ ocp4_workload_authentication.admin_user }}` with password `{{ ocp4_workload_authentication_admin_password }}` is cluster admin."
- name: Print User Information for each User
agnosticd_user_info:
- user: "{{ ocp4_idm_htpasswd_user_base }}{{ n }}"
+ user: "{{ ocp4_workload_authentication.htpasswd_user_base }}{{ n }}"
data:
- password: "{{ ocp4_idm_htpasswd_user_password }}"
- login_command: "oc login -u {{ ocp4_idm_htpasswd_user_base }}{{ n }} -p {{ ocp4_idm_htpasswd_user_password }} {{ r_cluster.resources[0].status.apiServerURL }}"
- loop: "{{ range(1, 1 + ocp4_idm_htpasswd_user_count | int) | list }}"
+ password: "{{ ocp4_workload_authentication_user_password }}"
+ login_command: "oc login -u {{ ocp4_workload_authentication.htpasswd_user_base }}{{ n }} -p {{ ocp4_workload_authentication_user_password }} {{ r_cluster.resources[0].status.apiServerURL }}"
+ loop: "{{ range(1, 1 + ocp4_workload_authentication.htpasswd_user_count | int) | list }}"
loop_control:
loop_var: n
- name: Setup OpenTLC LDAP Authentication
- when: ocp4_idm_install == "ldap"
+ when: ocp4_workload_authentication.idm_type == "ldap"
block:
- name: Check for LDAP Bind Password
+ when: ocp4_workload_authentication_secret.ldap_bind_password is not defined
fail:
- msg: LDAP Authentication is configured but LDAP BindPassword (ocp4_idm_ldap_bindPassword) is not defined.
- when: ocp4_idm_ldap_bindPassword is not defined
+ msg: LDAP Authentication is configured but LDAP BindPassword (ocp4_workload_authentication_secret.ldap_bind_password) is not defined.
- name: Get IPA CA Cert
get_url:
- url: "{{ ocp4_idm_ldap_ca_url }}"
+ url: "{{ ocp4_workload_authentication.ldap_ca_url }}"
dest: "/home/{{ ansible_user }}/ipa-ca.crt"
mode: 0660
@@ -132,14 +147,11 @@
namespace: openshift-config
- name: Create LDAP Bind Password Secret
- shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ ocp4_idm_ldap_bindPassword }}\" -n openshift-config"
+ shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ ocp4_workload_authentication_secret.ldap_bind_password }}\" -n openshift-config"
- name: Update OAuth Configuration
k8s:
state: present
- merge_type:
- - strategic-merge
- - merge
definition: "{{ lookup('template', item ) | from_yaml }}"
loop:
- ./templates/oauth-opentlc-ldap.j2
@@ -150,24 +162,21 @@
loop:
- "user.info: OpenTLC LDAP Authentication is enabled on this cluster."
- "user.info: Use your OpenTLC user and Password to log into this cluster."
- - "user.info: User `{{ ocp4_idm_admin_user }}` is cluster admin."
+ - "user.info: User `{{ ocp4_workload_authentication.admin_user }}` is cluster admin."
- name: Set up Cluster Admin User
when:
- - ocp4_idm_install != "none"
- - ocp4_idm_admin_user is defined
+ - ocp4_workload_authentication.idm_type != "none"
+ - ocp4_workload_authentication.admin_user is defined
k8s:
state: present
- merge_type:
- - strategic-merge
- - merge
definition: "{{ lookup('template', './templates/cluster_role_binding.j2') | from_yaml }}"
- name: Remove kubeadmin User
when:
- - ocp4_idm_admin_user is defined
- - ocp4_idm_install != "none"
- - ocp4_idm_remove_kubeadmin | bool
+ - ocp4_workload_authentication.idm_type != "none"
+ - ocp4_workload_authentication.admin_user is defined
+ - ocp4_workload_authentication.remove_kubeadmin | bool
block:
- name: Remove kubeadmin user secret
k8s:
@@ -176,10 +185,6 @@
kind: Secret
namespace: kube-system
name: kubeadmin
- - name: Remove kubeadmin file
- file:
- state: absent
- path: "/home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeadmin-password"
# Leave this as the last task in the playbook.
- name: workload tasks complete
diff --git a/ansible/roles/ocp4-workload-authentication/templates/cluster_role_binding.j2 b/ansible/roles/ocp4-workload-authentication/templates/cluster_role_binding.j2
index 1373558..2dc31ea 100644
--- a/ansible/roles/ocp4-workload-authentication/templates/cluster_role_binding.j2
+++ b/ansible/roles/ocp4-workload-authentication/templates/cluster_role_binding.j2
@@ -1,7 +1,7 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
- name: "cluster-admin-{{ ocp4_idm_admin_user }}"
+ name: "cluster-admin-{{ ocp4_workload_authentication.admin_user }}"
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
@@ -9,4 +9,4 @@
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: User
- name: "{{ ocp4_idm_admin_user }}"
\ No newline at end of file
+ name: "{{ ocp4_workload_authentication.admin_user }}"
\ No newline at end of file
diff --git a/ansible/roles/ocp4-workload-authentication/templates/htpasswd.j2 b/ansible/roles/ocp4-workload-authentication/templates/htpasswd.j2
index 3181cf7..0888217 100644
--- a/ansible/roles/ocp4-workload-authentication/templates/htpasswd.j2
+++ b/ansible/roles/ocp4-workload-authentication/templates/htpasswd.j2
@@ -1,6 +1,6 @@
andrew:$apr1$dZPb2ECf$ercevOFO5znrynUfUj4tb/
karla:$apr1$FQx2mX4c$eJc21GuVZWNg1ULF8I2G31
-{{ ocp4_idm_admin_user }}:{{ ocp4_idm_htpasswd_admin_password_hash | d('$apr1$glFN48wz$dR9w94PGiQL8qZXcXGd0L0') }}
-{% for i in range(1, 1 + ocp4_idm_htpasswd_user_count | int) %}
-{{ ocp4_idm_htpasswd_user_base }}{{ i }}:{{ ocp4_idm_htpasswd_user_password_hash | d('$apr1$FmrTsuSa$yducoDpvYq0KEV0ErmwpA1') }}
+{{ ocp4_workload_authentication.admin_user }}:{{ ocp4_workload_authentication_admin_password_hash | d('$apr1$glFN48wz$dR9w94PGiQL8qZXcXGd0L0') }}
+{% for i in range(1, 1 + ocp4_workload_authentication.htpasswd_user_count | int) %}
+{{ ocp4_workload_authentication.htpasswd_user_base }}{{ i }}:{{ ocp4_workload_authentication_user_password_hash | d('$apr1$FmrTsuSa$yducoDpvYq0KEV0ErmwpA1') }}
{% endfor %}
diff --git a/ansible/roles/ocp4-workload-authentication/templates/oauth-opentlc-ldap.j2 b/ansible/roles/ocp4-workload-authentication/templates/oauth-opentlc-ldap.j2
index 4e8c32f..701bc0e 100644
--- a/ansible/roles/ocp4-workload-authentication/templates/oauth-opentlc-ldap.j2
+++ b/ansible/roles/ocp4-workload-authentication/templates/oauth-opentlc-ldap.j2
@@ -19,10 +19,10 @@
- cn
preferredUsername:
- uid
- bindDN: "{{ ocp4_idm_ldap_bind_dn }}"
+ bindDN: "{{ ocp4_workload_authentication.ldap_bind_dn }}"
bindPassword:
name: opentlc-ldap-secret
insecure: false
ca:
name: opentlc-ldap-ca-cert
- url: "{{ ocp4_idm_ldap_url }}"
\ No newline at end of file
+ url: "{{ ocp4_workload_authentication.ldap_url }}"
\ No newline at end of file
diff --git a/ansible/roles/ocp4-workload-infra-nodes/OWNERS b/ansible/roles/ocp4-workload-infra-nodes/OWNERS
new file mode 100644
index 0000000..d627db6
--- /dev/null
+++ b/ansible/roles/ocp4-workload-infra-nodes/OWNERS
@@ -0,0 +1,4 @@
+Red Hat GPTE
+
+Author(s):
+- Wolfgang Kulhanek (wkulhane@redhat.com)
\ No newline at end of file
diff --git a/ansible/roles/ocp4-workload-logging/defaults/main.yml b/ansible/roles/ocp4-workload-logging/defaults/main.yml
index 68a958b..57e082f 100644
--- a/ansible/roles/ocp4-workload-logging/defaults/main.yml
+++ b/ansible/roles/ocp4-workload-logging/defaults/main.yml
@@ -3,24 +3,34 @@
ocp_username: opentlc-mgr
silent: False
-_logging_elasticsearch_replicas: 1
-_logging_elasticsearch_memory_request: "8Gi"
-_logging_elasticsearch_storage_request: "50Gi"
+# Set up Cluster Logging on regular worker nodes
+ocp4_workload_logging_defaults:
+ node_role: ""
+ elasticsearch_replicas: 1
+ elasticsearch_memory_request: "8Gi"
+ elasticsearch_storage_request: "50Gi"
-# Set the following to specify dedicated nodes for the logging
-# The nodes need to be exist (e.g. via the role ocp4-workload-infra-nodes)
+# Override the defaults by setting the overrides in
+# ocp4_workload_logging_input: {}
#
-# If set then the following needs to be true:
+# Example: Set up Cluster Logging on dedicated nodes
+# In this example `elasticsearch` nodes.
+# The nodes need to be exist (e.g. via the role ocp4-workload-machinesets)
+#
+# The following needs to be true
# Node has a label:
-# node-role.kubernetes.io/{{ _logging_use_dedicated_nodes }}: ""
+# node-role.kubernetes.io/{{ ocp4_workload_logging.use_node_role }}: ""
# e.g. node-role.kubernetes.io/infra: ""
# Node has taints:
-# - key: "{{ _logging_use_dedicated_nodes }}"
+# - key: "{{ ocp4_workload_logging.use_node_role }}"
# value: reserved
# effect: NoSchedule
-# - key: "{{ _logging_use_dedicated_nodes }}"
+# - key: "{{ocp4_workload_logging.use_node_role }}"
# value: reserved
# effect: NoExecute
-# Example:
-# _logging_use_dedicated_nodes: "elasticsearch"
-_logging_use_dedicated_nodes: ""
+
+# ocp4_workload_logging_inputs:
+# node_role: "elasticsearch"
+# elasticsearch_replicas: 1
+# elasticsearch_memory_request: "8Gi"
+# elasticsearch_storage_request: "50Gi"
diff --git a/ansible/roles/ocp4-workload-logging/meta/main.yml b/ansible/roles/ocp4-workload-logging/meta/main.yml
new file mode 100644
index 0000000..d614402
--- /dev/null
+++ b/ansible/roles/ocp4-workload-logging/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+ role_name: ocp4-workload-logging
+ author: Wolfgang Kulhanek
+ description: |
+ Set up Cluster Logging stack for OpenShift 4.
+ Cluster Logging can be installed on worker nodes or dedicated nodes. Dedicated
+ Nodes can be created using the ocp4-workload-machinesets role first.
+ license: MIT
+ min_ansible_version: 2.8
+ platforms: []
+ galaxy_tags:
+ - ocp
+ - openshift
+dependencies: []
diff --git a/ansible/roles/ocp4-workload-logging/tasks/workload.yml b/ansible/roles/ocp4-workload-logging/tasks/workload.yml
index ac03c3f..edad863 100644
--- a/ansible/roles/ocp4-workload-logging/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-logging/tasks/workload.yml
@@ -1,4 +1,16 @@
---
+- name: Set up ocp4_workload_logging combined dictionary
+ set_fact:
+ ocp4_workload_logging: >-
+ {{ ocp4_workload_logging_defaults
+ | combine(ocp4_workload_logging_input | default( {} ),
+ ocp4_workload_logging_secret | default( {}), recursive=true )
+ }}
+- name: Print combined role variables
+ debug:
+ var: ocp4_workload_logging
+ verbosity: 2
+
- name: Check if Elasticsearch Operator is already installed
k8s_facts:
api_version: v1
@@ -20,8 +32,6 @@
- name: Set Elasticsearch channel
set_fact:
logging_elasticsearch_channel: "{{ r_eo_channel.resources[0].status.defaultChannel }}"
- # shell: "oc get packagemanifest elasticsearch-operator -n openshift-marketplace -o jsonpath='{.status.defaultChannel}'"
- # register: r_eo_version
- name: Print Elasticsearch channel to be installed
debug:
@@ -58,20 +68,16 @@
- r_eo_deployment.resources[0].status.availableReplicas is defined
- r_eo_deployment.resources[0].status.availableReplicas | int == r_eo_deployment.resources[0].spec.replicas | int
- - name: Get current stable channel for Cluster Logging
- k8s_facts:
- api_version: packages.operators.coreos.com/v1
- kind: PackageManifest
- name: cluster-logging
- namespace: openshift-marketplace
- register: r_logging_channel
- - name: Set Cluster Logging channel
- set_fact:
- logging_channel: "{{ r_logging_channel.resources[0].status.defaultChannel }}"
-
-# - name: Get current stable version of Cluster Logging
-# shell: "oc get packagemanifest cluster-logging -n openshift-marketplace -o jsonpath='{.status.defaultChannel}'"
-# register: r_logging_version
+- name: Get current stable channel for Cluster Logging
+ k8s_facts:
+ api_version: packages.operators.coreos.com/v1
+ kind: PackageManifest
+ name: cluster-logging
+ namespace: openshift-marketplace
+ register: r_logging_channel
+- name: Set Cluster Logging channel
+ set_fact:
+ logging_channel: "{{ r_logging_channel.resources[0].status.defaultChannel }}"
- name: Print Cluster Logging channel to be installed
debug:
diff --git a/ansible/roles/ocp4-workload-logging/templates/cluster_logging.j2 b/ansible/roles/ocp4-workload-logging/templates/cluster_logging.j2
index ef3ff6a..99ea8c0 100644
--- a/ansible/roles/ocp4-workload-logging/templates/cluster_logging.j2
+++ b/ansible/roles/ocp4-workload-logging/templates/cluster_logging.j2
@@ -8,20 +8,20 @@
logStore:
type: "elasticsearch"
elasticsearch:
- nodeCount: {{ _logging_elasticsearch_replicas|int }}
-{% if _logging_elasticsearch_replicas|int > 1 %}
+ nodeCount: {{ ocp4_workload_logging.elasticsearch_replicas|int }}
+{% if ocp4_workload_logging.elasticsearch_replicas|int > 1 %}
redundancyPolicy: "SingleRedundancy"
{% else %}
redundancyPolicy: "ZeroRedundancy"
{% endif %}
nodeSelector:
-{% if _logging_use_dedicated_nodes | d("") | length > 0 %}
- "node-role.kubernetes.io/{{ _logging_use_dedicated_nodes }}": ""
+{% if ocp4_workload_logging.node_role | d("") | length > 0 %}
+ "node-role.kubernetes.io/{{ ocp4_workload_logging.node_role }}": ""
tolerations:
- - key: "{{ _logging_use_dedicated_nodes }}"
+ - key: "{{ ocp4_workload_logging.node_role }}"
value: reserved
effect: NoSchedule
- - key: "{{ _logging_use_dedicated_nodes }}"
+ - key: "{{ ocp4_workload_logging.node_role }}"
value: reserved
effect: NoExecute
{% else %}
@@ -29,22 +29,28 @@
{% endif %}
resources:
request:
- memory: "{{ _logging_elasticsearch_memory_request }}"
+ memory: "{{ ocp4_workload_logging.elasticsearch_memory_request }}"
storage:
+{% if cloud_provider is match("ec2") %}
storageClassName: "gp2"
- size: "{{ _logging_elasticsearch_storage_request }}"
+{% elif cloud_provider is match("osp") %}
+ storageClassName: "standard"
+{% else %}
+ storageClassName: ""
+{% endif %}
+ size: "{{ ocp4_workload_logging.elasticsearch_storage_request }}"
visualization:
type: "kibana"
kibana:
replicas: 1
nodeSelector:
-{% if _logging_use_dedicated_nodes | d("") | length > 0 %}
- "node-role.kubernetes.io/{{ _logging_use_dedicated_nodes }}": ""
+{% if ocp4_workload_logging.node_role | d("") | length > 0 %}
+ "node-role.kubernetes.io/{{ ocp4_workload_logging.node_role }}": ""
tolerations:
- - key: "{{ _logging_use_dedicated_nodes }}"
+ - key: "{{ ocp4_workload_logging.node_role }}"
value: reserved
effect: NoSchedule
- - key: "{{ _logging_use_dedicated_nodes }}"
+ - key: "{{ocp4_workload_logging.node_role }}"
value: reserved
effect: NoExecute
{% else %}
@@ -55,13 +61,13 @@
curator:
schedule: "30 3 * * *"
nodeSelector:
-{% if _logging_use_dedicated_nodes | d("") | length > 0 %}
- "node-role.kubernetes.io/{{ _logging_use_dedicated_nodes }}": ""
+{% if ocp4_workload_logging.node_role | d("") | length > 0 %}
+ "node-role.kubernetes.io/{{ ocp4_workload_logging.node_role }}": ""
tolerations:
- - key: "{{ _logging_use_dedicated_nodes }}"
+ - key: "{{ ocp4_workload_logging.node_role }}"
value: reserved
effect: NoSchedule
- - key: "{{ _logging_use_dedicated_nodes }}"
+ - key: "{{ ocp4_workload_logging.node_role }}"
value: reserved
effect: NoExecute
{% else %}
diff --git a/ansible/roles/ocp4-workload-machinesets/defaults/main.yml b/ansible/roles/ocp4-workload-machinesets/defaults/main.yml
new file mode 100644
index 0000000..c21856f
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/defaults/main.yml
@@ -0,0 +1,88 @@
+---
+become_override: False
+ocp_username: opentlc-mgr
+silent: False
+
+# Machineset Groups to be set up
+# Roles must be unique in the cluster
+# e.g. if you need more worker nodes use worker1, worker2, ... or
+# more descriptive names.
+ocp4_workload_machinesets_defaults:
+ machineset_groups:
+ # Infranodes: Must be named "infra" if
+ # desired
+ - name: infra
+ autoscale: false
+ total_replicas: 1
+ total_replicas_min: 1
+ total_replicas_max: 1
+ role: infra
+ taints:
+ - key: infra
+ value: reserved
+ effect: NoSchedule
+ - key: infra
+ value: reserved
+ effect: NoExecute
+ instance_type: "m5.2xlarge"
+# root_volume_size is only available for AWS it is ignored for OpenStack
+# root_volume_size: "150"
+# instance_type for OpenStack
+# instance_type: "4c16g30d"
+
+# Override the defaults by setting the overrides in
+# ocp4_workload_logging_input: {}
+
+# To add Elasticsearch nodes (for Cluster Logging) add the following to
+# the ocp4_workload_machinesets_group:
+#
+# ocp4_workload_machinesets_input:
+# - name: elasticsearch
+# autoscale: false
+# total_replicas: 1
+# total_replicas_min: 1
+# total_replicas_max: 1
+# role: elasticsearch
+# taints:
+# - key: elasticsearch
+# value: reserved
+# effect: NoSchedule
+# - key: elasticsearch
+# value: reserved
+# effect: NoExecute
+# instance_type: "4c16g30d"
+# instance_type: "m5.4xlarge"
+
+# To add another group of worker nodes - with autoscaling enabled add
+# the following:
+#
+# ocp4_workload_machinesets_input:
+# - name: worker-scaled
+# autoscale: true
+# total_replicas: 1
+# total_replicas_min: 1
+# total_replicas_max: 5
+# role: worker-scaled
+# taints: {}
+# instance_type: "4c16g30d"
+
+# To add OpenShift Container Storage Nodes add the
+# following to the ocp4_workloads_machineset_group.
+# Make sure you have enough disk space (and quota):
+#
+# ocp4_workload_machinesets_input:
+# - name: ocs
+# autoscale: false
+# total_replicas: 3
+# total_replicas_min: 3
+# total_replicas_max: 3
+# role: ocs
+# taints:
+# - key: node.ocs.openshift.io/storage
+# value: true
+# effect: NoSchedule
+# node_labels:
+# node-role.kubernetes.io/ocs: ""
+# cluster.ocs.openshift.io/openshift-storage: ""
+# instance_type: "m5.4xlarge"
+# instance_type: "12c32g30d"
diff --git a/ansible/roles/ocp4-workload-machinesets/files/cluster-monitoring-config.yml b/ansible/roles/ocp4-workload-machinesets/files/cluster-monitoring-config.yml
new file mode 100644
index 0000000..f46a209
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/files/cluster-monitoring-config.yml
@@ -0,0 +1,78 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: cluster-monitoring-config
+ namespace: openshift-monitoring
+data:
+ config.yaml: |
+ alertmanagerMain:
+ nodeSelector:
+ node-role.kubernetes.io/infra: ""
+ tolerations:
+ - key: infra
+ value: reserved
+ effect: NoSchedule
+ - key: infra
+ value: reserved
+ effect: NoExecute
+ prometheusK8s:
+ retention: 48h
+ nodeSelector:
+ node-role.kubernetes.io/infra: ""
+ tolerations:
+ - key: infra
+ value: reserved
+ effect: NoSchedule
+ - key: infra
+ value: reserved
+ effect: NoExecute
+ prometheusOperator:
+ nodeSelector:
+ node-role.kubernetes.io/infra: ""
+ tolerations:
+ - key: infra
+ value: reserved
+ effect: NoSchedule
+ - key: infra
+ value: reserved
+ effect: NoExecute
+ grafana:
+ nodeSelector:
+ node-role.kubernetes.io/infra: ""
+ tolerations:
+ - key: infra
+ value: reserved
+ effect: NoSchedule
+ - key: infra
+ value: reserved
+ effect: NoExecute
+ k8sPrometheusAdapter:
+ nodeSelector:
+ node-role.kubernetes.io/infra: ""
+ tolerations:
+ - key: infra
+ value: reserved
+ effect: NoSchedule
+ - key: infra
+ value: reserved
+ effect: NoExecute
+ kubeStateMetrics:
+ nodeSelector:
+ node-role.kubernetes.io/infra: ""
+ tolerations:
+ - key: infra
+ value: reserved
+ effect: NoSchedule
+ - key: infra
+ value: reserved
+ effect: NoExecute
+ telemeterClient:
+ nodeSelector:
+ node-role.kubernetes.io/infra: ""
+ tolerations:
+ - key: infra
+ value: reserved
+ effect: NoSchedule
+ - key: infra
+ value: reserved
+ effect: NoExecute
diff --git a/ansible/roles/ocp4-workload-machinesets/meta/main.yml b/ansible/roles/ocp4-workload-machinesets/meta/main.yml
new file mode 100644
index 0000000..cf8d98d
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ role_name: ocp4-workload-machinesets
+ author: Wolfgang Kulhanek
+ description: |
+ Set up additional MachineSets for OpenShift. One worker machineset must exist
+ before this role can be called.
+ Currently supports AWS and OpenStack.
+ license: MIT
+ min_ansible_version: 2.8
+ platforms: []
+ galaxy_tags:
+ - ocp
+ - openshift
+dependencies:
+- ocp4_machineset_config
diff --git a/ansible/roles/ocp4-workload-machinesets/readme.adoc b/ansible/roles/ocp4-workload-machinesets/readme.adoc
new file mode 100644
index 0000000..8b63a44
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/readme.adoc
@@ -0,0 +1,111 @@
+= ocp4-workload-machinesets - Create OpenShift 4 MachineSets
+
+== Role overview
+
+* This role creates additional MachineSets in an OpenShift 4 Cluster. For each MachineSet group it creates a machineset for each availability zone found (if the cloud platform supports availability zones) and then scales the machinesets to the number of replicas desired. Optionally this role also sets up a MachineAutoscaler for the created MachineSet(s). It consists of the following playbooks:
+** Playbook: link:./tasks/pre_workload.yml[pre_workload.yml] - Sets up an environment for the workload deployment.
+*** Debug task will print out: `pre_workload Tasks completed successfully.`
+
+** Playbook: link:./tasks/workload.yml[workload.yml] - Used to create the infra nodes
+*** Debug task will print out: `workload Tasks completed successfully.`
+
+** Playbook: link:./tasks/post_workload.yml[post_workload.yml] - Used to configure the workload after deployment
+*** This role doesn't do anything here
+*** Debug task will print out: `post_workload Tasks completed successfully.`
+
+** Playbook: link:./tasks/remove_workload.yml[remove_workload.yml] - Used to delete the workload
+*** This role removes the infrastructure nodes (DANGER!!!). It will not remove node selectors from infra components. This will have to be done manually.
+*** Debug task will print out: `remove_workload Tasks completed successfully.`
+
+== Review the defaults variable file
+
+* This file link:./defaults/main.yml[./defaults/main.yml] contains all the variables you need to define to control the deployment of your workload.
+* The variable *ocp_username* is mandatory to assign the workload to the correct OpenShift user.
+* A variable *silent=True* can be passed to suppress debug messages.
+* You can modify any of these default values by adding `-e "variable_name=variable_value"` to the command line
+
+=== Deploy a Workload with the `ocp-workload` playbook [Mostly for testing]
+
+----
+TARGET_HOST="bastion.ocp43.openshift.opentlc.com"
+OCP_USERNAME="opentlc-mgr"
+WORKLOAD="ocp4-workload-machinesets"
+GUID=1001
+
+# a TARGET_HOST is specified in the command line, without using an inventory file
+ansible-playbook -i ${TARGET_HOST}, ./configs/ocp-workloads/ocp-workload.yml \
+ -e"ansible_ssh_private_key_file=~/.ssh/keytoyourhost.pem" \
+ -e"ansible_user=ec2-user" \
+ -e"ocp_username=${OCP_USERNAME}" \
+ -e"ocp_workload=${WORKLOAD}" \
+ -e"silent=False" \
+ -e"guid=${GUID}" \
+ -e"ACTION=create"
+----
+
+=== To Delete an environment
+
+----
+TARGET_HOST="bastion.ocp43.openshift.opentlc.com"
+OCP_USERNAME="opentlc-mgr"
+WORKLOAD="ocp4-workload-machinesets"
+GUID=1002
+
+# a TARGET_HOST is specified in the command line, without using an inventory file
+ansible-playbook -i ${TARGET_HOST}, ./configs/ocp-workloads/ocp-workload.yml \
+ -e"ansible_ssh_private_key_file=~/.ssh/keytoyourhost.pem" \
+ -e"ansible_user=ec2-user" \
+ -e"ocp_username=${OCP_USERNAME}" \
+ -e"ocp_workload=${WORKLOAD}" \
+ -e"guid=${GUID}" \
+ -e"ACTION=remove"
+----
+
+== Other related information:
+
+=== Deploy Workload on OpenShift Cluster from an existing playbook:
+
+[source,yaml]
+----
+- name: Deploy a workload role on a master host
+ hosts: all
+ become: true
+ gather_facts: False
+ tags:
+ - step007
+ roles:
+ - { role: "{{ocp_workload}}", when: 'ocp_workload is defined' }
+----
+NOTE: You might want to change `hosts: all` to fit your requirements
+
+
+=== Set up your Ansible inventory file
+
+* You can create an Ansible inventory file to define your connection method to your host (Master/Bastion with `oc` command)
+* You can also use the command line to define the hosts directly if your `ssh` configuration is set to connect to the host correctly
+* You can also use the command line to use localhost or if your cluster is already authenticated and configured in your `oc` configuration
+
+.Example inventory file
+[source, ini]
+----
+[gptehosts:vars]
+ansible_ssh_private_key_file=~/.ssh/keytoyourhost.pem
+ansible_user=ec2-user
+
+[gptehosts:children]
+openshift
+
+[openshift]
+bastion.cluster1.openshift.opentlc.com
+bastion.cluster2.openshift.opentlc.com
+bastion.cluster3.openshift.opentlc.com
+bastion.cluster4.openshift.opentlc.com
+
+[dev]
+bastion.cluster1.openshift.opentlc.com
+bastion.cluster2.openshift.opentlc.com
+
+[prod]
+bastion.cluster3.openshift.opentlc.com
+bastion.cluster4.openshift.opentlc.com
+----
diff --git a/ansible/roles/ocp4-workload-machinesets/tasks/main.yml b/ansible/roles/ocp4-workload-machinesets/tasks/main.yml
new file mode 100644
index 0000000..03a4801
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+# Do not modify this file
+
+- name: Running Pre Workload Tasks
+ include_tasks:
+ file: ./pre_workload.yml
+ apply:
+ become: "{{ become_override | bool }}"
+ when: ACTION == "create" or ACTION == "provision"
+
+- name: Running Workload Tasks
+ include_tasks:
+ file: ./workload.yml
+ apply:
+ become: "{{ become_override | bool }}"
+ when: ACTION == "create" or ACTION == "provision"
+
+- name: Running Post Workload Tasks
+ include_tasks:
+ file: ./post_workload.yml
+ apply:
+ become: "{{ become_override | bool }}"
+ when: ACTION == "create" or ACTION == "provision"
+
+- name: Running Workload removal Tasks
+ include_tasks:
+ file: ./remove_workload.yml
+ apply:
+ become: "{{ become_override | bool }}"
+ when: ACTION == "destroy" or ACTION == "remove"
diff --git a/ansible/roles/ocp4-workload-machinesets/tasks/post_workload.yml b/ansible/roles/ocp4-workload-machinesets/tasks/post_workload.yml
new file mode 100644
index 0000000..d3a8a4b
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/tasks/post_workload.yml
@@ -0,0 +1,8 @@
+---
+# Implement your Post Workload deployment tasks here
+
+# Leave this as the last task in the playbook.
+- name: post_workload tasks complete
+ debug:
+ msg: "Post-Workload Tasks completed successfully."
+ when: not silent|bool
diff --git a/ansible/roles/ocp4-workload-machinesets/tasks/pre_workload.yml b/ansible/roles/ocp4-workload-machinesets/tasks/pre_workload.yml
new file mode 100644
index 0000000..916417f
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/tasks/pre_workload.yml
@@ -0,0 +1,8 @@
+---
+# Implement your Pre Workload deployment tasks here
+
+# Leave this as the last task in the playbook.
+- name: pre_workload tasks complete
+ debug:
+ msg: "Pre-Workload tasks completed successfully."
+ when: not silent|bool
diff --git a/ansible/roles/ocp4-workload-machinesets/tasks/remove_workload.yml b/ansible/roles/ocp4-workload-machinesets/tasks/remove_workload.yml
new file mode 100644
index 0000000..b9d0698
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/tasks/remove_workload.yml
@@ -0,0 +1,82 @@
+# vim: set ft=ansible
+---
+# Implement your Workload removal tasks here
+
+- name: Find Infra machinesets
+ k8s_facts:
+ api_version: machine.openshift.io/v1beta1
+ kind: MachineSet
+ namespace: openshift-machine-api
+ label_selectors:
+ - agnosticd.redhat.com/machineset-group = infra
+ register: r_infra_machinesets
+
+- name: Find Elasticsearch machinesets
+ k8s_facts:
+ api_version: machine.openshift.io/v1beta1
+ kind: MachineSet
+ namespace: openshift-machine-api
+ label_selectors:
+ - agnosticd.redhat.com/machineset-group = elasticsearch
+ register: r_elasticsearch_machinesets
+
+- name: Delete infra machinesets
+ when: r_infra_machinesets.resources | length | int > 0
+ k8s:
+ state: absent
+ definition: "{{ item }}"
+ with_items: "{{ r_infra_machinesets.resources }}"
+
+- name: Delete Elasticsearch machinesets
+ when: r_elasticsearch_machinesets.resources | length | int > 0
+ k8s:
+ state: absent
+ definition: "{{ item }}"
+ with_items: "{{ r_elasticsearch_machinesets.resources }}"
+
+- name: Print Warning
+ debug:
+ msg: "WARNING: Make sure to change the node selectors for Ingress Controllers, Image Registry and Monitoring"
+
+# Seems there is no way to >remove< things via k8s modules. Only add. So node selectors etc need to be removed manually.
+
+# - name: Move Ingress Controllers to Worker Nodes
+# k8s:
+# state: present
+# definition:
+# apiVersion: operator.openshift.io/v1
+# kind: IngressController
+# metadata:
+# name: default
+# namespace: openshift-ingress-operator
+# spec:
+# nodePlacement:
+# nodeSelector:
+# matchLabels:
+# node-role.kubernetes.io/worker: ""
+
+# - name: Move Image Registry to Worker Nodes
+# k8s:
+# state: present
+# definition:
+# apiVersion: imageregistry.operator.openshift.io/v1
+# kind: Config
+# metadata:
+# name: cluster
+# spec:
+# nodeSelector:
+# "node-role.kubernetes.io/worker": ""
+
+# - name: Remove Cluster Monitoring Config Map
+# k8s:
+# state: absent
+# api_version: v1
+# kind: ConfigMap
+# name: cluster-monitoring-config
+# namespace: openshift-monitoring
+
+# Leave this as the last task in the playbook.
+- name: remove_workload tasks complete
+ debug:
+ msg: "Remove Workload tasks completed successfully."
+ when: not silent|bool
diff --git a/ansible/roles/ocp4-workload-machinesets/tasks/workload.yml b/ansible/roles/ocp4-workload-machinesets/tasks/workload.yml
new file mode 100644
index 0000000..9e2cdf1
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/tasks/workload.yml
@@ -0,0 +1,73 @@
+---
+- name: Set up ocp4_workload_machinesets combined dictionary
+ set_fact:
+ ocp4_workload_machinesets: >-
+ {{ ocp4_workload_machinesets_defaults
+ | combine(ocp4_workload_machinesets_input | default( {} ),
+ ocp4_workload_machinesets_secret | default( {} ), recursive=true )
+ }}
+- name: Print combined role variables
+ debug:
+ var: ocp4_workload_machinesets
+ verbosity: 2
+
+- name: Configure OpenShift 4 machinesets
+ include_role:
+ name: ocp4_machineset_config
+ vars:
+ ocp4_machineset_config_groups: "{{ ocp4_workload_machinesets.machineset_groups }}"
+
+- name: Wait for Nodes to be available
+ k8s_facts:
+ api_version: v1
+ kind: Node
+ label_selectors:
+ - "node-role.kubernetes.io/{{ item.role }}="
+ register: r_nodes
+ until:
+ - r_nodes.resources | length | int == item.total_replicas | int
+ delay: 30
+ retries: 20
+ loop: "{{ ocp4_workload_machinesets.machineset_groups }}"
+
+# The Machine Config Daemon and Node CA DaemonSets do not include
+# Universal Tolerations. So by adding taints to Infra and other
+# nodes the Machine Config Daemon and Node CA DaemonSets
+# pods would be removed from those nodes.
+# This adds the necessary tolerations.
+# The Product fix is curently targeted for OpenShift 4.5.
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1780318
+- name: Fix Machine Config and Node CA Daemon Sets (add Tolerations for new nodes)
+ k8s:
+ state: present
+ merge_type:
+ - merge
+ definition: "{{ lookup('template', '{{ item }}') }}"
+ loop:
+ - ./templates/machine-config-daemonset.j2
+ - ./templates/node-ca-daemonset.j2
+
+- name: Set up Infra Nodes when one MaschineSet group is called 'infra'
+ when:
+ - ocp4_workload_machinesets.machineset_groups | selectattr('name', 'contains', 'infra')
+ block:
+ - name: Configure Ingress Controllers and Image Registry
+ k8s:
+ state: present
+ merge_type:
+ - merge
+ definition: "{{ lookup('template', '{{ item }}') }}"
+ loop:
+ - ./templates/ingress-controller.j2
+ - ./templates/image-registry.j2
+
+ - name: Create Config Map for Cluster Monitoring
+ k8s:
+ state: present
+ definition: "{{ lookup('file', './files/cluster-monitoring-config.yml') }}"
+
+# Leave this as the last task in the playbook.
+- name: workload tasks complete
+ debug:
+ msg: "Workload Tasks completed successfully."
+ when: not silent|bool
diff --git a/ansible/roles/ocp4-workload-machinesets/templates/image-registry.j2 b/ansible/roles/ocp4-workload-machinesets/templates/image-registry.j2
new file mode 100644
index 0000000..49f9da8
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/templates/image-registry.j2
@@ -0,0 +1,14 @@
+apiVersion: imageregistry.operator.openshift.io/v1
+kind: Config
+metadata:
+ name: cluster
+spec:
+ nodeSelector:
+ "node-role.kubernetes.io/infra": ""
+ tolerations:
+ - effect: NoSchedule
+ key: infra
+ value: reserved
+ - effect: NoExecute
+ key: infra
+ value: reserved
\ No newline at end of file
diff --git a/ansible/roles/ocp4-workload-machinesets/templates/ingress-controller.j2 b/ansible/roles/ocp4-workload-machinesets/templates/ingress-controller.j2
new file mode 100644
index 0000000..4fe2425
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/templates/ingress-controller.j2
@@ -0,0 +1,18 @@
+apiVersion: operator.openshift.io/v1
+kind: IngressController
+metadata:
+ name: default
+ namespace: openshift-ingress-operator
+spec:
+ replicas: {{ (ocp4_workload_machinesets.machineset_groups | selectattr('name', 'contains', 'infra')|first).total_replicas | int }}
+ nodePlacement:
+ nodeSelector:
+ matchLabels:
+ node-role.kubernetes.io/infra: ""
+ tolerations:
+ - effect: NoSchedule
+ key: infra
+ value: reserved
+ - effect: NoExecute
+ key: infra
+ value: reserved
\ No newline at end of file
diff --git a/ansible/roles/ocp4-workload-machinesets/templates/machine-config-daemonset.j2 b/ansible/roles/ocp4-workload-machinesets/templates/machine-config-daemonset.j2
new file mode 100644
index 0000000..f4cf280
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/templates/machine-config-daemonset.j2
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: machine-config-daemon
+ namespace: openshift-machine-config-operator
+spec:
+ template:
+ spec:
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/etcd
+ operator: Exists
+{% for item in ocp4_workload_machinesets.machineset_groups %}
+{% if item.taints | d("") | length > 0 %}
+{% for taint in item.taints %}
+ - effect: "{{ taint.effect }}"
+ key: "{{ taint.key }}"
+ value: "{{ taint.value }}"
+{% endfor %}
+{% endif %}
+{% endfor %}
diff --git a/ansible/roles/ocp4-workload-machinesets/templates/node-ca-daemonset.j2 b/ansible/roles/ocp4-workload-machinesets/templates/node-ca-daemonset.j2
new file mode 100644
index 0000000..f472673
--- /dev/null
+++ b/ansible/roles/ocp4-workload-machinesets/templates/node-ca-daemonset.j2
@@ -0,0 +1,24 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: node-ca
+ namespace: openshift-image-registry
+spec:
+ template:
+ spec:
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/etcd
+ operator: Exists
+{% for item in ocp4_workload_machinesets.machineset_groups %}
+{% if item.taints | d("") | length > 0 %}
+{% for taint in item.taints %}
+ - effect: "{{ taint.effect }}"
+ key: "{{ taint.key }}"
+ value: "{{ taint.value }}"
+{% endfor %}
+{% endif %}
+{% endfor %}
diff --git a/ansible/roles/ocp4_machineset_config/meta/main.yml b/ansible/roles/ocp4_machineset_config/meta/main.yml
index 2dfafc0..c57dc4e 100644
--- a/ansible/roles/ocp4_machineset_config/meta/main.yml
+++ b/ansible/roles/ocp4_machineset_config/meta/main.yml
@@ -2,7 +2,9 @@
galaxy_info:
role_name: ocp4_machineset_config
author: Johnathan Kupferer, Wolfgang Kulhanek
- description: Configure OpenShift 4 MachineSets
+ description: |
+ Create OpenShift 4 MachineSets. One worker machine set must exist before this role is executed.
+ Currently supports AWS and OpenStack
license: MIT
min_ansible_version: 2.7
platforms: []
diff --git a/ansible/roles/ocp4_machineset_config/tasks/machineset-group-aws.yml b/ansible/roles/ocp4_machineset_config/tasks/machineset-group-aws.yml
index 770996b..6e5630a 100644
--- a/ansible/roles/ocp4_machineset_config/tasks/machineset-group-aws.yml
+++ b/ansible/roles/ocp4_machineset_config/tasks/machineset-group-aws.yml
@@ -15,9 +15,9 @@
availability_zone_region: "{{ aws_worker_availability_zone.region }}"
availability_zone_subnet: "{{ aws_worker_availability_zone.subnet }}"
aws_instance_type: >-
- {{ machineset_group.aws_instance_type | default(default_aws_instance_type) }}
+ {{ machineset_group.instance_type | default(default_aws_instance_type) }}
aws_root_volume_size: >-
- {{ machineset_group.aws_root_volume_size | default(default_aws_root_volume_size) }}
+ {{ machineset_group.root_volume_size | default(default_aws_root_volume_size) }}
machineset_name: >-
{{ [cluster_label, machineset_group.name, availability_zone] | join('-') }}
machineset_group_node_labels: >-
diff --git a/ansible/roles/ocp4_machineset_config/tasks/machineset-openstack.yml b/ansible/roles/ocp4_machineset_config/tasks/machineset-openstack.yml
index cb159cf..e4e6471 100644
--- a/ansible/roles/ocp4_machineset_config/tasks/machineset-openstack.yml
+++ b/ansible/roles/ocp4_machineset_config/tasks/machineset-openstack.yml
@@ -1,5 +1,5 @@
---
-- name: Define custom machinesets
+- name: Define custom MachineSets
include_tasks: machineset-group-openstack.yml
loop: "{{ ocp4_machineset_config_groups }}"
loop_control:
diff --git a/ansible/roles/ocp4_machineset_config/tasks/set-facts.yml b/ansible/roles/ocp4_machineset_config/tasks/set-facts.yml
index d6553f8..5c0a9ff 100644
--- a/ansible/roles/ocp4_machineset_config/tasks/set-facts.yml
+++ b/ansible/roles/ocp4_machineset_config/tasks/set-facts.yml
@@ -1,5 +1,5 @@
---
-- name: Get machinesets
+- name: Get MachineSets
k8s_facts:
api_version: machine.openshift.io/v1beta1
kind: MachineSet
@@ -23,7 +23,7 @@
base_worker_machineset_json_query: >-
[?!contains(keys(metadata.labels), '{{ machineset_group_label }}')]
-- name: Print current Machinesets
+- name: Print current MachineSets
debug: var=ocp4_current_machineset_names
- name: Set cluster facts for AWS
diff --git a/ansible/roles/ocp4_machineset_config/templates/machineset-aws.j2 b/ansible/roles/ocp4_machineset_config/templates/machineset-aws.j2
index ae93a89..ea2aa48 100644
--- a/ansible/roles/ocp4_machineset_config/templates/machineset-aws.j2
+++ b/ansible/roles/ocp4_machineset_config/templates/machineset-aws.j2
@@ -66,14 +66,13 @@
tags: {{ aws_worker_tags | to_json }}
userDataSecret:
name: worker-user-data
-{% if machineset_group.taint | d('') | length > 0 %}
+{% if machineset_group.taints | d('') | length > 0 %}
taints:
- - key: "{{ machineset_group.taint }}"
- value: "reserved"
- effect: "NoSchedule"
- - key: "{{ machineset_group.taint }}"
- value: "reserved"
- effect: "NoExecute"
+{% for taint in machineset_group.taints %}
+ - key: "{{ taint.key }}"
+ value: "{{ taint.value }}"
+ effect: "{{ taint.effect }}"
+{% endfor %}
{% endif %}
versions:
kubelet: ""
diff --git a/ansible/roles/ocp4_machineset_config/templates/machineset-openstack.j2 b/ansible/roles/ocp4_machineset_config/templates/machineset-openstack.j2
index 3a52a9f..28d21ea 100644
--- a/ansible/roles/ocp4_machineset_config/templates/machineset-openstack.j2
+++ b/ansible/roles/ocp4_machineset_config/templates/machineset-openstack.j2
@@ -55,14 +55,13 @@
trunk: true
userDataSecret:
name: worker-user-data
-{% if machineset_group.taint | d('') | length > 0 %}
+{% if machineset_group.taints | d('') | length > 0 %}
taints:
- - key: "{{ machineset_group.taint }}"
- value: "reserved"
- effect: "NoSchedule"
- - key: "{{ machineset_group.taint }}"
- value: "reserved"
- effect: "NoExecute"
+{% for taint in machineset_group.taints %}
+ - key: "{{ taint.key }}"
+ value: "{{ taint.value }}"
+ effect: "{{ taint.effect }}"
+{% endfor %}
{% endif %}
versions:
kubelet: ""
--
Gitblit v1.9.3