###### VARIABLES YOU SHOULD CONFIGURE FOR YOUR DEPLOYEMNT ###### OR PASS as "-e" args to ansible-playbook command # This is an account that must exist in OpenStack. # It is used to create projects, access, Heat templates admin_user: opentlc-mgr # Authenication credentials for OpenStack in order to create the things. # These should be included with your secrets, but are listed here for reference # osp_auth_url: # osp_auth_username: # osp_auth_password: # osp_auth_cloud: # osp_auth_project_domain: #usually set to "default" # osp_auth_user_domain: #usually set to "default" # The output_dir holds all of the files generated during the deployment # This includes generated Heat templates, SSH config, SSH keys # This must be an absolute path and no vars (like $HOME or ~) output_dir: /tmp/output_dir # The name of the agnosticd config to deploy env_type: ocp4-disconnected-osp-lab # The {{ guid }} is used everywhere and it is what differentiates otherwise # identical environments. Make this unique. Usually they are 4 characters, but # it can be any reasonablre length. guid: mydefault # The name of the project that will be created in OpenStack for the user osp_project_name: "{{ guid }}-project" # Set this to true if you need to create a new project in OpenStack # This should almost always be set to true for OpenShift installations # If it is set to false, the {{ osp_project_name }} must already exist and # should be able to run whatever you are deploying osp_project_create: true # The name of the OpenShift cluster that will be deployed. # This is primarily used if you want to automate the OpenShift deployment. cluster_name: cluster-{{ guid }} # Used to add metadata (tags) to OpenStack objects created project_tag: "{{ env_type }}-{{ guid }}" # Why is this config being deployed? # Some valid: development, ilt, production, event purpose: development # The type of cloud provider this will be deployed to cloud_provider: osp # This should be overwritten based on the user ordering the catalog item # It will be used by the bastion-student-user role and created on the bastion student_name: lab-user # Enable this if you want to create a user on the bastion # Mutually exclusive with {{ install_ipa_client }} install_student_user: true # Enable this if you want to use IPA for user authentication. # Mutually exclusive with {{ install_student_user }} install_ipa_client: false # TODO: What does this really do besides run the role? set_env_authorized_key: true env_authorized_key: "{{guid}}key" key_name: "default_key_name" # This is the user that Ansible will use to connect to the nodes it is # configuring from the admin/control host ansible_user: cloud-user remote_user: cloud-user # Run the bastion-lite role install_bastion: true # This should be obsolete and not required in the current form install_k8s_modules: false # FTL is used for grading and solving. It will pull in the external ftl-injector role. # This might be enabled when we have solvers to run or graders for ILT install_ftl: true # FTL injector will try to install python-pip and we only have python3-pip available # This var will force the ftl-injector role to adapt accordingly ftl_use_python3: true # TODO: Decide on whether to use sat or give access to repos directly with key # This will tell Agnosticd to use either: # sattelite, rhn, or file for repos repo_method: file # If using satellite, these are needed: # satellite_url: satellite.opentlc.com # satellite_activationkey: # This should be stored in secrets # satellite_org: # This should be stored in secrets # use_content_view: true # If using file, these are needed in addition to the repos_template.j2 file: osrelease: 4.2.0 repo_version: '4.2' own_repo_path: # Should be defined in secrets # Packages to install on all of the hosts deployed as part of the agnosticd config # This invokes the "common" role install_common: true # As part of the "common" role, this cause it to do a yum update on the host update_packages: true # The packages that will be installed by the "common" role. Only put things # in this list that are needed, stable, and useful on every node. common_packages: - unzip - bash-completion - tmux - bind-utils - wget - ansible - git - vim-enhanced - httpd-tools - openldap-clients - podman - tree # This will run in the post_software phase and run playbooks in the # software_playbooks directory software_to_deploy: none # If you want DNS entries to be created automatically, choose one of these. # Alternately, they can both be set to false. use_dynamic_dns: true # This is not fully implemented yet # use_route53: false # The domain that you want to add DNS entries to osp_cluster_dns_zone: blue.osp.opentlc.com # The dynamic DNS server you will add entries to. # NOTE: This is only applicable when {{ use_dynamic_dns}} is true osp_cluster_dns_server: ddns01.opentlc.com # Whether to wait for an ack from the DNS servers before continuing wait_for_dns: true # Authenticaion for DDNS # ddns_key_name: # ddns_secret_name: # Set this to true if you want a FIPs provisioned for an OpenShift on OpenStack install # This will provision an API and Ingress FIP openshift_fip_provision: True # This requires DDNS or other DNS solution configured # If enabled, it will add DNS entries for the API and Ingress FIPs openshift_fip_dns: True # Quotas to set for new project that is created quota_num_instances: 15 quota_num_cores: 72 quota_memory: 163840 # in MB quota_num_volumes: 25 quota_volumes_gigs: 500 #quota_loadbalancers: #when Octavia is available #quota_pool: #when Octavia is available quota_networks: 3 quota_subnets: 3 quota_routers: 3 quota_fip: 5 quota_sg: 20 quota_sg_rules: 200 # NFS ## NFS Server settings nfs_export_path: /srv/nfs nfs_server_address: "utilityvm.example.com" nfs_exports_config: "*(rw,sync,no_wdelay,no_root_squash,insecure,fsid=0)" # When the config is setting up NFS on the utility VM, which it does by default, # this will define how many exports to create on the NFS server. These still have to # be created as PVs by the user once OpenShift is installed. PV files are created # and placed on the bastion to use for this. user_vols: 20 # This will be used when creating the Kube PV definitions user_vols_size: 20G # The external network in OpenStack where the floating IPs (FIPs) come from provider_network: external # If you are deploying OpenShift, this should be set to the network that you # want to use and will be used to create security groups. # It will pull the subnet CIDR from the defined network below, based on the # name you define for {{ ocp_network }} ocp_network: "ocp" ocp_network_subnet_cidr: "{{ networks | json_query(query_subnet_cidr) | first }}" query_subnet_cidr: "[?name=='{{ ocp_network }}'].subnet_cidr" # A list of the private networks and subnets to create in the project # You can create as many as you want, but at least one is required. # Use the name of the networks where appropriate in the instance list networks: - name: ocp shared: "false" subnet_cidr: 192.168.47.0/24 gateway_ip: 192.168.47.1 allocation_start: 192.168.47.10 allocation_end: 192.168.47.254 dns_nameservers: [] create_router: true # Another example network if you need more than one deployed # - name: testnet # shared: "false" # subnet_cidr: 192.47.0.0/24 # gateway_ip: 192.47.0.1 # allocation_start: 192.47.0.25 # allocation_end: 192.47.0.156 # dns_nameservers: # - 8.8.8.8 # - 1.1.1.1 # create_router: true # These will influence the bastion if it is being deployed bastion_instance_type: 2c2g30d bastion_instance_image: rhel-guest-7.7u2 # These will influence the utility VM, which is primarily used for disconnected # install, but can be used for anything really. utilityvm_instance_type: 2c2g30d utilityvm_instance_image: rhel-guest-7.7u2 # Instances to be provisioned in new project # Provide these as a list. # Each instance type can have any number of replicas deployed with the same # configuration. # Metadata in OpenStack is equivelent to tags in AWS # These instances will be created with Cinder persistent volumes instances: - name: bastion count: 1 unique: yes alt_name: bastion image_id: "{{ bastion_instance_image }}" floating_ip: yes flavor: osp: "{{ bastion_instance_type }}" metadata: - AnsibleGroup: "bastions,clientvms" - function: bastion - user: nate - project: "{{ project_tag }}" - ostype: linux - Purpose: "{{ purpose }}" rootfs_size: 30 network: ocp security_groups: - bastion_sg - name: utilityvm count: 1 image_id: "{{ utilityvm_instance_image }}" floating_ip: no flavor: osp: "{{ utilityvm_instance_type }}" metadata: - AnsibleGroup: "utility" - function: bastion - user: nate - project: "{{ project_tag }}" - ostype: linux - Purpose: "{{ purpose }}" rootfs_size: 50 network: ocp security_groups: - utility_sg # Security groups and associated rules. This will be provided #when the Heat template is generated separate groups and rules security_groups: - name: bastion_sg description: Bastion security group allows basic icmp and SSH ingress and egress to * rules: - protocol: icmp direction: ingress - protocol: tcp direction: ingress port_range_min: 22 port_range_max: 22 remote_ip_prefix: 0.0.0.0/0 - name: utility_sg description: Utility security group allows SSH from bastion and egress to * rules: - protocol: icmp direction: ingress remote_group: "bastion_sg" - protocol: tcp direction: ingress port_range_min: 22 port_range_max: 22 remote_group: "bastion_sg" - protocol: tcp direction: ingress port_range_min: 5000 port_range_max: 5000 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "local container registry" - protocol: tcp direction: ingress port_range_min: 80 port_range_max: 80 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "http traffic for ignition files" - protocol: tcp direction: ingress port_range_min: 2049 port_range_max: 2049 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "NFS traffic" - name: isolated_sg description: All instances in the disconnected network rules: - protocol: icmp direction: ingress remote_group: "bastion_sg" - protocol: tcp direction: ingress port_range_min: 22 port_range_max: 22 remote_group: "bastion_sg" - name: master_sg description: Security group for OpenShift master and bootstrap rules: - protocol: icmp direction: ingress description: "icmp" - protocol: tcp direction: ingress port_range_min: 22623 port_range_max: 22623 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "machine config server" - protocol: tcp direction: ingress port_range_min: 22 port_range_max: 22 remote_group: "bastion_sg" description: "SSH" - protocol: tcp direction: ingress port_range_min: 53 port_range_max: 53 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "DNS (tcp)" - protocol: udp direction: ingress port_range_min: 53 port_range_max: 53 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "DNS (udp)" - protocol: udp direction: ingress port_range_min: 5353 port_range_max: 5353 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "mDNS" - protocol: tcp direction: ingress port_range_min: 6443 port_range_max: 6443 remote_ip_prefix: 0.0.0.0/0 description: "OpenShift API" - protocol: udp direction: ingress port_range_min: 4789 port_range_max: 4789 remote_group: "master_sg" description: "VXLAN" - protocol: udp direction: ingress port_range_min: 4789 port_range_max: 4789 remote_group: "worker_sg" description: "VXLAN (worker)" - protocol: udp direction: ingress port_range_min: 6081 port_range_max: 6081 remote_group: "master_sg" description: "Geneve" - protocol: udp direction: ingress port_range_min: 6081 port_range_max: 6081 remote_group: "worker_sg" description: "Geneve (worker)" - protocol: tcp direction: ingress port_range_min: 6641 port_range_max: 6642 remote_group: "master_sg" description: "OVNDB" - protocol: tcp direction: ingress port_range_min: 6641 port_range_max: 6642 remote_group: "worker_sg" description: "OVNDB (worker)" - protocol: tcp direction: ingress port_range_min: 9000 port_range_max: 9999 remote_group: "master_sg" description: "Master ingress internal (tcp)" - protocol: tcp direction: ingress port_range_min: 9000 port_range_max: 9999 remote_group: "worker_sg" description: "Master ingress from worker (tcp)" - protocol: udp direction: ingress port_range_min: 9000 port_range_max: 9999 remote_group: "master_sg" description: "Master ingress internal (udp)" - protocol: udp direction: ingress port_range_min: 9000 port_range_max: 9999 remote_group: "worker_sg" description: "Master ingress from worker (udp)" - protocol: tcp direction: ingress port_range_min: 10259 port_range_max: 10259 remote_group: "master_sg" description: "Kube Scheduler" - protocol: tcp direction: ingress port_range_min: 10259 port_range_max: 10259 remote_group: "worker_sg" description: "Kube Scheduler (worker)" - protocol: tcp direction: ingress port_range_min: 10257 port_range_max: 10257 remote_group: "master_sg" description: "Kube controller manager" - protocol: tcp direction: ingress port_range_min: 10257 port_range_max: 10257 remote_group: "worker_sg" description: "Kube controller manager (worker)" - protocol: tcp direction: ingress port_range_min: 10250 port_range_max: 10250 remote_group: "master_sg" description: "master ingress kubelet secure" - protocol: tcp direction: ingress port_range_min: 10250 port_range_max: 10250 remote_group: "worker_sg" description: "master ingress kubelet secure from worker" - protocol: tcp direction: ingress port_range_min: 2379 port_range_max: 2380 remote_group: "master_sg" description: "etcd" - protocol: tcp direction: ingress port_range_min: 30000 port_range_max: 32767 remote_group: "master_sg" description: "master ingress services (tcp)" - protocol: udp direction: ingress port_range_min: 30000 port_range_max: 32767 remote_group: "master_sg" description: "master ingress services (udp)" - protocol: vrrp direction: ingress remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "VRRP" - name: worker_sg description: Security group for OpenShift workers rules: - protocol: icmp direction: ingress description: icmp - protocol: tcp direction: ingress port_range_min: 22 port_range_max: 22 remote_group: "bastion_sg" description: "SSH" - protocol: udp direction: ingress port_range_min: 5353 port_range_max: 5353 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "mDNS" - protocol: tcp direction: ingress port_range_min: 80 port_range_max: 80 description: "Ingress HTTP" - protocol: tcp direction: ingress port_range_min: 443 port_range_max: 443 description: "Ingress HTTPS" - protocol: tcp direction: ingress port_range_min: 1936 port_range_max: 1936 remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "router stats" - protocol: udp direction: ingress port_range_min: 4789 port_range_max: 4789 remote_group: "master_sg" description: "VXLAN from master" - protocol: udp direction: ingress port_range_min: 4789 port_range_max: 4789 remote_group: "worker_sg" description: "VXLAN" - protocol: udp direction: ingress port_range_min: 6081 port_range_max: 6081 remote_group: "master_sg" description: "Geneve from master" - protocol: udp direction: ingress port_range_min: 6081 port_range_max: 6081 remote_group: "worker_sg" description: "Geneve" - protocol: tcp direction: ingress port_range_min: 9000 port_range_max: 9999 remote_group: "worker_sg" description: "Worker ingress internal (tcp)" - protocol: tcp direction: ingress port_range_min: 9000 port_range_max: 9999 remote_group: "master_sg" description: "Worker ingress from master (tcp)" - protocol: udp direction: ingress port_range_min: 9000 port_range_max: 9999 remote_group: "master_sg" description: "Worker ingress from master (udp)" - protocol: udp direction: ingress port_range_min: 9000 port_range_max: 9999 remote_group: "worker_sg" description: "Worker ingress internal (udp)" - protocol: tcp direction: ingress port_range_min: 10250 port_range_max: 10250 remote_group: "master_sg" description: "master ingress kubelet secure from master" - protocol: tcp direction: ingress port_range_min: 10250 port_range_max: 10250 remote_group: "worker_sg" description: "master ingress kubelet secure" - protocol: tcp direction: ingress port_range_min: 30000 port_range_max: 32767 remote_group: "worker_sg" description: "worker ingress services (tcp)" - protocol: udp direction: ingress port_range_min: 30000 port_range_max: 32767 remote_group: "worker_sg" description: "worker ingress services (udp)" - protocol: vrrp direction: ingress remote_ip_prefix: "{{ ocp_network_subnet_cidr }}" description: "VRRP"