From b85c91a8192593f6b62f93e11c971868964343a9 Mon Sep 17 00:00:00 2001
From: Razique Mahroua <rmahroua@redhat.com>
Date: Wed, 18 Mar 2020 01:28:54 +0100
Subject: [PATCH] Set of fixes to make the provisioning of DO999 and DO280 courses compatible with the upstream code.

---
 ansible/roles/ocp4-workload-idm/tasks/workload.yml           |    2 
 ansible/roles/idm-server/tasks/prep.yml                      |   33 ++++++++++------
 ansible/configs/ocp4-workshop/files/requirements_k8s.txt     |    3 +
 ansible/configs/ocp4-workshop/destroy_env.yml                |    6 ++
 ansible/configs/ocp4-workshop/lifecycle.yml                  |    4 +-
 ansible/roles/mysql/tasks/main.yml                           |   18 +++------
 ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml |   30 +++++++--------
 ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml    |    8 ++++
 8 files changed, 60 insertions(+), 44 deletions(-)

diff --git a/ansible/configs/ocp4-workshop/destroy_env.yml b/ansible/configs/ocp4-workshop/destroy_env.yml
index 48da070..e059d84 100644
--- a/ansible/configs/ocp4-workshop/destroy_env.yml
+++ b/ansible/configs/ocp4-workshop/destroy_env.yml
@@ -145,6 +145,9 @@
   run_once: true
   become: false
   tasks:
+  - name: Set Ansible Python interpreter to k8s virtualenv
+    set_fact:
+      ansible_python_interpreter: /opt/virtualenvs/k8s/bin/python
   - name: Remove ocp workloads
     when:
     - remove_workloads | d("") | length > 0
@@ -348,10 +351,11 @@
         aws route53 list-hosted-zones-by-name
         --dns-name {{ aws_public_zone }}
         --max-items 4
+        --output json
       register: awsroute53zone
       changed_when: false
       retries: 5
-      delay: "{{ 60|random(start=3, step=1) }}"
+      delay: "{{ 60|random(start=10, step=1) }}"
       until: awsroute53zone is succeeded
 
     - name: delete zones
diff --git a/ansible/configs/ocp4-workshop/files/requirements_k8s.txt b/ansible/configs/ocp4-workshop/files/requirements_k8s.txt
index 370d2f2..b409543 100644
--- a/ansible/configs/ocp4-workshop/files/requirements_k8s.txt
+++ b/ansible/configs/ocp4-workshop/files/requirements_k8s.txt
@@ -2,6 +2,9 @@
 ansible==2.8.8
 asn1crypto==1.3.0
 bcrypt==3.1.7
+botocore==1.15.15
+boto3==1.12.15
+boto==2.49.0
 cachetools==4.0.0
 certifi==2019.11.28
 cffi==1.13.2
diff --git a/ansible/configs/ocp4-workshop/lifecycle.yml b/ansible/configs/ocp4-workshop/lifecycle.yml
index b50872a..2d6421a 100644
--- a/ansible/configs/ocp4-workshop/lifecycle.yml
+++ b/ansible/configs/ocp4-workshop/lifecycle.yml
@@ -64,7 +64,7 @@
       when: ACTION == 'stop'
       ec2_instance:
         state: stopped
-        wait: {{��aws_instance_wait_for_stop }}
+        wait: "{{��aws_instance_wait_for_stop | default(false) }}"
         filters:
           "tag:guid": "{{ guid }}"
           "tag:env_type": "{{ env_type }}"
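Review bot: The bytes between `{{` and `aws_instance_wait_for_stop` on the added `wait:` line render as non-ASCII in this patch, which suggests a non-breaking space or similar rather than a plain space; the same sequence appears on the added `yum -y install {{ idm_rpms | join(" ") }}` line in ansible/roles/idm-server/tasks/prep.yml. Jinja2 may tolerate it, but it is invisible in an editor and breaks a grep for the variable name, so the expression should be retyped as `wait: "{{ aws_instance_wait_for_stop | default(false) }}"` with ordinary spaces. Quoting the expression is otherwise right, since the old unquoted form would be read as a flow mapping before Jinja ever saw it.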
@@ -142,4 +142,4 @@
     - name: Approve all additional Pending CSRs
       when: r_new_csrs.resources | length > 0
       command: "oc adm certificate approve {{ item.metadata.name }}"
-      loop: "{{ r_new_csrs.resources }}"
\ No newline at end of file
+      loop: "{{ r_new_csrs.resources }}"
diff --git a/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml b/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
index 28f49f1..aad0191 100644
--- a/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
+++ b/ansible/roles/host-lets-encrypt-certs-certbot/tasks/main.yml
@@ -11,7 +11,7 @@
       stat:
         path: "/home/{{ ansible_user }}/.aws/credentials"
       register: aws_credentials_result
-      
+
     - name: Fail if AWS Credentials are not on the host
       fail:
         msg: AWS Credentials are required when requesting certificates for a wildcard domain
@@ -21,7 +21,7 @@
   when: _certbot_dns_provider is match('rfc2136')
   block:
     - name: Verify credential are present on host
-      when: _certbot_dns_provider is match('rfc2136') 
+      when: _certbot_dns_provider is match('rfc2136')
       stat:
         path: /home/{{ _certbot_user }}/.rfc2136.ini
       register: ddns_credentials_result
@@ -80,6 +80,18 @@
     delegate_to: localhost
     register: cache_archive_file
 
+  - name: Ensure Certbot Directories are present
+    file:
+      name: "{{ item }}"
+      state: directory
+      owner: "{{ _certbot_remote_dir_owner }}"
+      mode: 0775
+    loop:
+    - "{{ _certbot_dir }}"
+    - "{{ _certbot_dir }}/config"
+    - "{{ _certbot_dir }}/work"
+    - "{{ _certbot_dir }}/logs"
+
   - name: Restore entire certificate archive
     when:
     - _certbot_use_cache|bool
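Review bot: The relocated directory task creates `{{ _certbot_dir }}/config` and its siblings with `mode: 0775`, i.e. group-writable, and sets `owner` without a `group`; if `config` is what the role later passes as certbot's `--config-dir`, it is the parent of the live/ and archive/ private keys, and any member of the owner's primary group can then swap key material. Consider `mode: "0750"` (quoted, so a YAML 1.2 parser cannot re-type the octal literal) and an explicit `group:`. The moved task also drops the `renewal-hooks` and `renewal-hooks/deploy` entries that the removed copy at `@@ -95,20 +107,6 @@` created; if a later task in this role installs a deploy hook there, it will now fail unless certbot creates the path itself, which should be confirmed against the rest of the file outside this hunk.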
@@ -95,20 +107,6 @@
     - name: Set _certbot_setup_complete=true
       set_fact:
         _certbot_setup_complete: true
-
-  - name: Ensure Certbot Directories are present
-    file:
-      name: "{{ item }}"
-      state: directory
-      owner: "{{ _certbot_remote_dir_owner }}"
-      mode: 0775
-    loop:
-    - "{{ _certbot_dir }}"
-    - "{{ _certbot_dir }}/config"
-    - "{{ _certbot_dir }}/work"
-    - "{{ _certbot_dir }}/logs"
-    - "{{ _certbot_dir }}/renewal-hooks"
-    - "{{ _certbot_dir }}/renewal-hooks/deploy"
 
   - name: Request Certificates from Let's Encrypt (force or no cache)
     when:
diff --git a/ansible/roles/idm-server/tasks/prep.yml b/ansible/roles/idm-server/tasks/prep.yml
index 2d4e382..6521d51 100644
--- a/ansible/roles/idm-server/tasks/prep.yml
+++ b/ansible/roles/idm-server/tasks/prep.yml
@@ -1,14 +1,23 @@
 ---
-
 - name: Install required packages
-  package:
-    name: "{{ idm_rpms }}"
-    state: installed
+  # FIXME:
+  # Using the 'package' module fails when installing
+  # Unable to find yum & rpm python package on RHEL 7.5
+  #
+  # Error:
+  # The Python 32 bindings for rpm are needed for this module. If you require
+  # Python 3 support use the `dnf` Ansible module instead.. The Python 2 yum
+  # module is needed for this module. If you require Python 3 support use the
+  # `dnf` Ansible module instead.
+  # package
+  #
+  # To fix that error, we can install the bastion using a RHEL 8 image
+  command:
+    yum -y install {{��idm_rpms | join(" ") }}
 
 - name: Upgrade NSS package
-  package:
-    name: nss
-    state: latest
+  command:
+    yum -y update nss
 
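Review bot: Replacing the `package` tasks with `command: yum -y install …` and `command: yum -y update nss` loses idempotence and change reporting: both tasks now report changed on every run and carry no `changed_when`, and the ansible/roles/mysql/tasks/main.yml hunk at `@@ -1,11 +1,8 @@` has the same problem with `command: yum -y install mariadb-server firewalld`. The FIXME comment names the real cause, a Python 3 interpreter without yum bindings on RHEL 7, and that can be handled per task without dropping the module by overriding the interpreter for that task alone; destroy_env.yml in this commit already drives the same `ansible_python_interpreter` variable. If the command form is kept, register the output and derive `changed_when` from it, and retype the bytes after `{{` on the install line, which render as non-ASCII here.
```yaml
- name: Install required packages
  yum:
    name: "{{ idm_rpms }}"
    state: present
  vars:
    # RHEL 7 ships the yum/rpm bindings only for the system Python 2
    ansible_python_interpreter: /usr/bin/python
```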
 # Cannot use a handler here
 - name: Ensure firewalld is running
@@ -17,12 +26,12 @@
     state: started
     enabled: yes
 
+# The 'firewalld' module is not compatible with Python 3 on RHEL 7
+# This has to do with missing python 3 bindings for firewalld
 - name: Open Firewall for IdM use
-  firewalld:
-    service: "{{ item }}"
-    permanent: yes
-    state: enabled
-    immediate: yes
+  shell: |
+    firewall-cmd --permanent --zone=public --add-service={{ item }}
+    firewall-cmd --reload
   with_items:
   - ntp
   - http
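Review bot: The `shell` replacement runs `firewall-cmd --reload` once per `with_items` entry and always reports changed, where the removed `firewalld` task was idempotent; the mysql role hunk at `@@ -13,14 +10,11 @@` makes the same trade. It also hard-codes `--zone=public`, whereas the `firewalld` module without a `zone` argument acts on the system default zone, so a host whose default zone is not `public` gets its rules in the wrong zone. The same per-task `vars: ansible_python_interpreter: /usr/bin/python` override that keeps `yum:` usable on RHEL 7 would keep `firewalld:` usable here too; if the shell form stays, register the output, set `changed_when` on whether firewall-cmd reported the service as already enabled, and reload once after the loop rather than per item. The `with_items` list continues past the end of the hunk.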
diff --git a/ansible/roles/mysql/tasks/main.yml b/ansible/roles/mysql/tasks/main.yml
index 6d36a4e..2d8770d 100644
--- a/ansible/roles/mysql/tasks/main.yml
+++ b/ansible/roles/mysql/tasks/main.yml
@@ -1,11 +1,8 @@
 ---
 - block:
+    # Python 3 bindings for Yum are not present on RHEL 7.X images
   - name: Install MySQL packages
-    yum:
-      state: present
-      name:
-        - mariadb-server
-        - firewalld
+    command: yum -y install mariadb-server firewalld
 
   - name: Ensure firewalld is running
     service:
@@ -13,14 +10,11 @@
       state: started
       enabled: yes
 
+    # Python 3 bindings for firewalld are not present on RHEL 7.X images
   - name: Open Firewall for MySQL use
-    firewalld:
-      service: "{{ item }}"
-      permanent: yes
-      state: enabled
-      immediate: yes
-    with_items:
-    - mysql
+    shell: |
+        firewall-cmd --permanent --zone=public --add-service=mysql
+        firewall-cmd --reload
 
   - name: Ensure MySQL is running at boot
     service:
diff --git a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
index 1a37780..ebc0140 100644
--- a/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/remove_workload.yml
@@ -1,5 +1,13 @@
 ---
 # Implement your Workload removal tasks here
+- name: Install AWS python prerequisites
+  become: True
+  pip:
+    state: present
+    name:
+    - boto
+    - botocore
+    - boto3
 
 # Find IP of bastion
 - name: Gather VPC facts
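Review bot: The new `pip` task installs `boto`, `botocore` and `boto3` unpinned, while ansible/configs/ocp4-workshop/files/requirements_k8s.txt in this same commit pins them to 2.49.0, 1.15.15 and 1.12.15; run as root via `become: True` into whichever interpreter is active, it pulls the latest release at removal time and drifts from the tested versions. Pin them to the same versions, `- boto==2.49.0`, `- botocore==1.15.15`, `- boto3==1.12.15`, or point the task at the same virtualenv through the pip module's `virtualenv:` argument so the requirements file stays the single source of truth. Also write the boolean as `become: true` to match yamllint's truthy rule.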
diff --git a/ansible/roles/ocp4-workload-idm/tasks/workload.yml b/ansible/roles/ocp4-workload-idm/tasks/workload.yml
index 1898abb..70e205b 100644
--- a/ansible/roles/ocp4-workload-idm/tasks/workload.yml
+++ b/ansible/roles/ocp4-workload-idm/tasks/workload.yml
@@ -25,7 +25,7 @@
   - _certbot_cache_archive_file: "{{ output_dir|d('/tmp') }}/{{ guid }}-idm-certs.tar.gz"
   - _certbot_renew_automatically: True
   - _certbot_use_cache: True
-  - _certbot_force_issue: False
+  - _certbot_force_issue: True
   - _certbot_production: True
   - _certbot_cron_job_name: LETS_ENCRYPT_RENEW_IDM
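Review bot: Setting `_certbot_force_issue: True` while `_certbot_use_cache: True` stays on the line above makes the cache dead on every run: judging by the task named "Request Certificates from Let's Encrypt (force or no cache)" in the certbot role, each provisioning now asks Let's Encrypt for a fresh certificate and the restore-from-archive step is wasted work. Let's Encrypt applies a per-week duplicate-certificate rate limit, so repeated provisioning of the same IdM domain with `_certbot_production: True` can start failing with no change to the playbook. If the intent is a one-off reissue, pass it as an extra-var override at run time rather than committing it as the default; otherwise set `_certbot_use_cache: False` alongside it so the vars describe what actually happens.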
 
