From b85c91a8192593f6b62f93e11c971868964343a9 Mon Sep 17 00:00:00 2001 From: Razique Mahroua <rmahroua@redhat.com> Date: Wed, 18 Mar 2020 01:28:54 +0100 Subject: [PATCH] Set of fixes to make the provisioning of DO999 and DO280 courses compatible with the upstream code. --- ansible/roles/ocp4-workload-idm/tasks/workload.yml | 2 ansible/roles/idm-server/tasks/prep.yml | 33 ++++++++++------ ansible/configs/ocp4-workshop/files/requirements_k8s.txt | 3 + ansible/configs/ocp4-workshop/destroy_env.yml | 6 ++ ansible/configs/ocp4-workshop/lifecycle.yml | 4 +- ansible/roles/mysql/tasks/main.yml | 18 +++------ ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml | 30 +++++++-------- ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml | 8 ++++ 8 files changed, 60 insertions(+), 44 deletions(-) diff --git a/ansible/configs/ocp4-workshop/destroy_env.yml b/ansible/configs/ocp4-workshop/destroy_env.yml index 48da070..e059d84 100644 --- a/ansible/configs/ocp4-workshop/destroy_env.yml +++ b/ansible/configs/ocp4-workshop/destroy_env.yml @@ -145,6 +145,9 @@ run_once: true become: false tasks: + - name: Set Ansible Python interpreter to k8s virtualenv + set_fact: + ansible_python_interpreter: /opt/virtualenvs/k8s/bin/python - name: Remove ocp workloads when: - remove_workloads | d("") | length > 0 @@ -348,10 +351,11 @@ aws route53 list-hosted-zones-by-name --dns-name {{ aws_public_zone }} --max-items 4 + --output json register: awsroute53zone changed_when: false retries: 5 - delay: "{{ 60|random(start=3, step=1) }}" + delay: "{{ 60|random(start=10, step=1) }}" until: awsroute53zone is succeeded - name: delete zones diff --git a/ansible/configs/ocp4-workshop/files/requirements_k8s.txt b/ansible/configs/ocp4-workshop/files/requirements_k8s.txt index 370d2f2..b409543 100644 --- a/ansible/configs/ocp4-workshop/files/requirements_k8s.txt +++ b/ansible/configs/ocp4-workshop/files/requirements_k8s.txt 
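Review bot: The new set_fact in the `tasks:` list of destroy_env.yml hard-codes `/opt/virtualenvs/k8s/bin/python`, so on any host where that virtualenv is absent the remaining tasks fail with an interpreter-not-found error, and nothing in the hunk checks for it first. Consider reading the path through an overridable variable, e.g. `ansible_python_interpreter: "{{ k8s_venv_python | d('/opt/virtualenvs/k8s/bin/python') }}"` (variable name illustrative), and preceding it with a `stat` so a missing venv produces a clear failure message instead of a module crash. A fact set this way stays in effect for every later task of the play on that host, which is presumably why botocore/boto3 are now pinned in requirements_k8s.txt; a one-line comment above the task stating that dependency would save the next maintainer the search. The enclosing play starts outside the hunk.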
@@ -2,6 +2,9 @@ ansible==2.8.8 asn1crypto==1.3.0 bcrypt==3.1.7 +botocore==1.15.15 +boto3==1.12.15 +boto==2.49.0 cachetools==4.0.0 certifi==2019.11.28 cffi==1.13.2 diff --git a/ansible/configs/ocp4-workshop/lifecycle.yml b/ansible/configs/ocp4-workshop/lifecycle.yml index b50872a..2d6421a 100644 --- a/ansible/configs/ocp4-workshop/lifecycle.yml +++ b/ansible/configs/ocp4-workshop/lifecycle.yml @@ -64,7 +64,7 @@ when: ACTION == 'stop' ec2_instance: state: stopped - wait: {{��aws_instance_wait_for_stop }} + wait: "{{��aws_instance_wait_for_stop | default(false) }}" filters: "tag:guid": "{{ guid }}" "tag:env_type": "{{ env_type }}" @@ -142,4 +142,4 @@ - name: Approve all additional Pending CSRs when: r_new_csrs.resources | length > 0 command: "oc adm certificate approve {{ item.metadata.name }}" - loop: "{{ r_new_csrs.resources }}" \ No newline at end of file + loop: "{{ r_new_csrs.resources }}" diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml b/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml index 28f49f1..aad0191 100644 --- a/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml +++ b/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml @@ -11,7 +11,7 @@ stat: path: "/home/{{ ansible_user }}/.aws/credentials" register: aws_credentials_result - + - name: Fail if AWS Credentials are not on the host fail: msg: AWS Credentials are required when requesting certificates for a wildcard domain @@ -21,7 +21,7 @@ when: _certbot_dns_provider is match('rfc2136') block: - name: Verify credential are present on host - when: _certbot_dns_provider is match('rfc2136') + when: _certbot_dns_provider is match('rfc2136') stat: path: /home/{{ _certbot_user }}/.rfc2136.ini register: ddns_credentials_result 
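Review bot: The new `wait:` value in lifecycle.yml has a non-ASCII character directly after `{{` (it renders as `��` here); if that is a non-breaking space in the file rather than an artifact of this listing, it should be a plain ASCII space so editors, yamllint and Jinja all treat it as whitespace. The added `| default(false)` also changes behaviour silently: with `aws_instance_wait_for_stop` undefined the stop task now returns before the instances are actually stopped, where previously the unquoted form failed outright. If anything after the stop action assumes the instances are down, `default(true)` is the safer fallback; whichever is chosen, a comment such as `# default(false): do not block on the stop when the variable is unset` records the decision. The enclosing task starts outside the hunk.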
@@ -80,6 +80,18 @@ delegate_to: localhost register: cache_archive_file + - name: Ensure Certbot Directories are present + file: + name: "{{ item }}" + state: directory + owner: "{{ _certbot_remote_dir_owner }}" + mode: 0775 + loop: + - "{{ _certbot_dir }}" + - "{{ _certbot_dir }}/config" + - "{{ _certbot_dir }}/work" + - "{{ _certbot_dir }}/logs" + - name: Restore entire certificate archive when: - _certbot_use_cache|bool @@ -95,20 +107,6 @@ - name: Set _certbot_setup_complete=true set_fact: _certbot_setup_complete: true - - - name: Ensure Certbot Directories are present - file: - name: "{{ item }}" - state: directory - owner: "{{ _certbot_remote_dir_owner }}" - mode: 0775 - loop: - - "{{ _certbot_dir }}" - - "{{ _certbot_dir }}/config" - - "{{ _certbot_dir }}/work" - - "{{ _certbot_dir }}/logs" - - "{{ _certbot_dir }}/renewal-hooks" - - "{{ _certbot_dir }}/renewal-hooks/deploy" - name: Request Certificates from Let's Encrypt (force or no cache) when: diff --git a/ansible/roles/idm-server/tasks/prep.yml b/ansible/roles/idm-server/tasks/prep.yml index 2d4e382..6521d51 100644 --- a/ansible/roles/idm-server/tasks/prep.yml +++ b/ansible/roles/idm-server/tasks/prep.yml 
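Review bot: The relocated `Ensure Certbot Directories are present` task in this hunk creates four directories, but the version removed in the next hunk (@@ -95,20) also created `{{ _certbot_dir }}/renewal-hooks` and `{{ _certbot_dir }}/renewal-hooks/deploy`; unless something outside this file creates them, a later step that installs a deploy hook will fail, or renewal will run with no hook at all. Restoring the two entries to the `loop:` list keeps the previous behaviour: `- "{{ _certbot_dir }}/renewal-hooks"` and `- "{{ _certbot_dir }}/renewal-hooks/deploy"`. Separately, the tree under `{{ _certbot_dir }}/config` (presumably certbot's config dir, where the account key and issued private keys end up) is created with `mode: 0775`; unless the owning group genuinely needs write access there, `mode: "0755"` (quoted so YAML does not retype the octal literal) is the safer setting. The enclosing block starts and ends outside the hunk.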
@@ -1,14 +1,23 @@ --- - - name: Install required packages - package: - name: "{{ idm_rpms }}" - state: installed + # FIXME: + # Using the 'package' module fails when installing + # Unable to find yum & rpm python package on RHEL 7.5 + # + # Error: + # The Python 32 bindings for rpm are needed for this module. If you require + # Python 3 support use the `dnf` Ansible module instead.. The Python 2 yum + # module is needed for this module. If you require Python 3 support use the + # `dnf` Ansible module instead. + # package + # + # To fix that error, we can install the bastion using a RHEL 8 image + command: + yum -y install {{��idm_rpms | join(" ") }} - name: Upgrade NSS package - package: - name: nss - state: latest + command: + yum -y update nss # Cannot use a handler here - name: Ensure firewalld is running @@ -17,12 +26,12 @@ state: started enabled: yes +# The 'firewalld' module is not compatible with Python 3 on RHEL 7 +# This has to do with missing python 3 bindings for firewalld - name: Open Firewall for IdM use - firewalld: - service: "{{ item }}" - permanent: yes - state: enabled - immediate: yes + shell: | + firewall-cmd --permanent --zone=public --add-service={{ item }} + firewall-cmd --reload with_items: - ntp - http diff --git a/ansible/roles/mysql/tasks/main.yml b/ansible/roles/mysql/tasks/main.yml index 6d36a4e..2d8770d 100644 --- a/ansible/roles/mysql/tasks/main.yml +++ b/ansible/roles/mysql/tasks/main.yml @@ -1,11 +1,8 @@ --- - block: + # Python 3 bindings for Yum are not present on RHEL 7.X images - name: Install MySQL packages - yum: - state: present - name: - - mariadb-server - - firewalld + command: yum -y install mariadb-server firewalld - name: Ensure firewalld is running service: 
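Review bot: Replacing the `package`/`yum` and `firewalld` modules with `command`/`shell` (this hunk, the next hunk at @@ -17,12, and both hunks of ansible/roles/mysql/tasks/main.yml) loses idempotency and change reporting: `yum -y install …` and `yum -y update nss` report `changed` on every run, and none of the new tasks set `changed_when`, so the play output no longer tells an operator whether anything was installed. The FIXME comment already names the real cause (no Python 3 yum/firewalld bindings on RHEL 7), and the module-based tasks can be kept by running just those tasks under the system Python 2 interpreter, e.g. adding `vars:` / `  ansible_python_interpreter: /usr/bin/python` to each of them, which also preserves the `permanent`/`immediate` semantics of the firewalld task instead of a `firewall-cmd --reload` per loop item. If the command form is kept, the `{{��idm_rpms | join(" ") }}` expression carries the same non-ASCII character after `{{` seen in lifecycle.yml and should use a plain space, and `register: r_yum` with `changed_when: "'Nothing to do' not in r_yum.stdout"` would at least restore meaningful change reporting. The second hunk also hard-codes `--zone=public`, which the original `firewalld` module call did not; confirm that is the zone the IdM interfaces belong to.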
@@ -13,14 +10,11 @@ state: started enabled: yes + # Python 3 bindings for firewalld are not present on RHEL 7.X images - name: Open Firewall for MySQL use - firewalld: - service: "{{ item }}" - permanent: yes - state: enabled - immediate: yes - with_items: - - mysql + shell: | + firewall-cmd --permanent --zone=public --add-service=mysql + firewall-cmd --reload - name: Ensure MySQL is running at boot service: diff --git a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml index 1a37780..ebc0140 100644 --- a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml +++ b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml @@ -1,5 +1,13 @@ --- # Implement your Workload removal tasks here +- name: Install AWS python prerequisites + become: True + pip: + state: present + name: + - boto + - botocore + - boto3 # Find IP of bastion - name: Gather VPC facts diff --git a/ansible/roles/ocp4-workload-idm/tasks/workload.yml b/ansible/roles/ocp4-workload-idm/tasks/workload.yml index 1898abb..70e205b 100644 --- a/ansible/roles/ocp4-workload-idm/tasks/workload.yml +++ b/ansible/roles/ocp4-workload-idm/tasks/workload.yml @@ -25,7 +25,7 @@ - _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz" - _certbot_renew_automatically: True - _certbot_use_cache: True - - _certbot_force_issue: False + - _certbot_force_issue: True - _certbot_production: True - _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM -- Gitblit v1.9.3
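Review bot: The new `Install AWS python prerequisites` task in remove_workload.yml pip-installs `boto`, `botocore` and `boto3` with no version constraint and `become: True`, so each removal run pulls whatever is latest from the index into the system Python as root, while the same commit pins those three packages in ansible/configs/ocp4-workshop/files/requirements_k8s.txt. Pinning here to the same versions (`- boto==2.49.0`, `- botocore==1.15.15`, `- boto3==1.12.15`), or pointing `pip:` at that requirements file, keeps the two in step and makes the installed set reproducible. If the workload tasks run under the k8s venv interpreter that destroy_env.yml now selects, the task should also set `virtualenv:` to that venv, otherwise the packages land in a different interpreter than the one the modules use. `boto` (2.x) is the legacy, unmaintained library; a comment above the task naming the module that still needs it lets it be dropped once that module is migrated, and `become: True` should be `become: true` to match the lowercase boolean convention.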
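Review bot: Flipping `_certbot_force_issue` to `True` in workload.yml while `_certbot_use_cache` and `_certbot_production` stay `True` makes every run request a fresh certificate from production Let's Encrypt instead of restoring the cached archive, which defeats the cache variable and will hit Let's Encrypt's duplicate-certificate rate limit (five identical certificates per week) after a handful of reruns for the same names, leaving the workload unable to obtain a certificate until the window passes. If the intent is an occasional reissue, drive it from an extra var with a safe default, e.g. `- _certbot_force_issue: "{{ idm_force_cert_issue | d(false) }}"` (variable name illustrative), so the default path still uses the cache; otherwise add a comment above the line explaining why forced issuance is required for this course. The enclosing variable list starts and ends outside the hunk.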