--- - name: Step 00xxxxx post software hosts: support gather_facts: False become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tasks: - name: Create user vols shell: "mkdir -p /srv/nfs/user-vols/vol{1..{{user_vols}}}" - name: chmod the user vols shell: "chmod -R 777 /srv/nfs/user-vols" - name: Step 00xxxxx post software hosts: bastions run_once: true gather_facts: False become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" roles: - role: "{{ ANSIBLE_REPO_PATH }}/roles/openshift-ansible-broker" tasks: - name: get nfs Hostname set_fact: nfs_host: "{{ groups['support']|sort|first }}" - set_fact: pv_size: '10Gi' pv_list: "{{ ocp_pvs }}" persistentVolumeReclaimPolicy: Retain - name: Generate PV file template: src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/pvs.j2" dest: "/root/pvs-{{ env_type }}-{{ guid }}.yml" tags: [ gen_pv_file ] when: pv_list.0 is defined - set_fact: pv_size: "{{user_vols_size}}" persistentVolumeReclaimPolicy: Recycle notify: restart nfs services run_once: True - name: Generate user vol PV file template: src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/userpvs.j2" dest: "/root/userpvs-{{ env_type }}-{{ guid }}.yml" tags: - gen_user_vol_pv - shell: 'oc create -f /root/pvs-{{ env_type }}-{{ guid }}.yml || oc replace -f /root/pvs-{{ env_type }}-{{ guid }}.yml' tags: - create_user_pv when: pv_list.0 is defined - shell: 'oc create -f /root/userpvs-{{ env_type }}-{{ guid }}.yml || oc replace -f /root/userpvs-{{ env_type }}-{{ guid }}.yml' tags: - create_user_pv - name: For CNS change default storage class to glusterfs-storage hosts: masters run_once: true become: yes gather_facts: False vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tags: - env-specific - env-specific_infra tasks: - name: Set glusterfs-storage class to default when: install_glusterfs|bool shell: "oc patch storageclass glusterfs-storage -p '{\"metadata\": {\"annotations\": \ {\"storageclass.kubernetes.io/is-default-class\": \"true\"}}}'" - name: Remove default from glusterfs-storage-block class when: install_glusterfs|bool shell: "oc patch storageclass glusterfs-block -p '{\"metadata\": {\"annotations\": \ {\"storageclass.kubernetes.io/is-default-class\": \"false\"}}}'" - name: Configure Bastion for CF integration hosts: bastions become: yes gather_facts: False vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/mgr_users.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" tags: - env-specific - cf_integration - opentlc_integration roles: - role: "{{ ANSIBLE_REPO_PATH }}/roles/opentlc-integration" when: install_opentlc_integration no_log: yes tasks: - name: Copy /root/.kube to ~opentlc-mgr/ command: "cp -rf /root/.kube /home/opentlc-mgr/" when: install_opentlc_integration == true - name: set permission for .kube when: install_opentlc_integration == true file: path: /home/opentlc-mgr/.kube owner: opentlc-mgr group: opentlc-mgr recurse: yes # sssd bug, fixed by restart - name: restart sssd service: name: sssd state: restarted when: install_ipa_client register: sssd_restart_result retries: 6 delay: 10 until: sssd_restart_result is succeeded - name: env-specific infrastructure hosts: masters run_once: true become: yes gather_facts: False vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tags: - env-specific - env-specific_infra tasks: - name: Command to enable the wildcard routes in the OCP cluster for 3scale shell: "oc set env dc/router ROUTER_ALLOW_WILDCARD_ROUTES=true -n default" - name: Give administrative user cluster-admin privileges command: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}" - name: Check for admin_project project command: "oc get project {{admin_project}}" register: result changed_when: false ignore_errors: true - name: Create admin_project project command: "oc adm new-project {{admin_project}} --admin {{admin_user}} --node-selector='env=infra'" when: result | failed - name: Make admin_project project network global command: "oc adm pod-network make-projects-global {{admin_project}}" when: 'ovs_plugin == "multitenant"' - name: Set admin_project SCC for anyuid command: "oc adm policy add-scc-to-group anyuid system:serviceaccounts:{{admin_project}}" - name: Add capabilities within anyuid which is not really ideal command: "oc patch scc/anyuid --patch '{\"requiredDropCapabilities\":[\"MKNOD\",\"SYS_CHROOT\"]}'" ignore_errors: true - name: Set Node Selector to empty for project openshift-template-service-broker shell: oc annotate namespace openshift-template-service-broker openshift.io/node-selector="" --overwrite ignore_errors: true when: - osrelease | version_compare('3.7', '>=') - name: Remove all users from self-provisioners group hosts: masters run_once: true become: yes gather_facts: False vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tags: [ env-specific, remove_self_provisioners ] tasks: - name: Set clusterRoleBinding auto-update to false command: oc annotate -n default --overwrite clusterrolebinding.rbac self-provisioners rbac.authorization.kubernetes.io/autoupdate=false when: remove_self_provisioners - name: Remove system:authenticated from self-provisioner role shell: "oadm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth" ignore_errors: true when: remove_self_provisioners - name: create our own OPENTLC-PROJECT-PROVISIONERS shell: "oadm groups new OPENTLC-PROJECT-PROVISIONERS" ignore_errors: true when: remove_self_provisioners - name: allow OPENTLC-PROJECT-PROVISIONERS members to provision their own projects shell: "oadm policy add-cluster-role-to-group self-provisioner OPENTLC-PROJECT-PROVISIONERS" when: remove_self_provisioners - name: Project Request Template hosts: masters gather_facts: False become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tags: - env-specific - project_request tasks: - name: Copy project request template to master copy: src: ./files/project-template.yml dest: /root/project-template.yml - name: Check for project request template command: "oc get template project-request -n default" register: request_template ignore_errors: true - name: Create project request template in default project shell: "oc create -f /root/project-template.yml -n default || oc replace -f /root/project-template.yml -n default" when: request_template | failed - name: Update master config file to use project request template lineinfile: regexp: " projectRequestTemplate" dest: "/etc/origin/master/master-config.yaml" line: ' projectRequestTemplate: "default/project-request"' state: present register: master_config - name: Add Project request message replace: dest: '/etc/origin/master/master-config.yaml' regexp: 'projectRequestMessage.*' replace: "projectRequestMessage: '{{project_request_message}}'" backup: yes - name: Restart master service service: name: atomic-openshift-master-api state: restarted when: - master_config.changed - osrelease | version_compare('3.7', '>=') - name: Restart master service service: name: atomic-openshift-master state: restarted when: - master_config.changed - osrelease | version_compare('3.7', '<') - name: node admin configs hosts: nodes gather_facts: False become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tags: - env-specific - env_specific_images tasks: - name: 'Pull image' command: "docker pull {{ item }}" with_items: '{{ env_specific_images }}' when: env_specific_images.0 is defined - name: Import jenkins images for OCP 3.7 and newer hosts: masters run_once: true become: yes gather_facts: False vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tags: - env-specific - env_specific_images tasks: - name: tag jenkins command: oc tag --source=docker registry.access.redhat.com/openshift3/jenkins-2-rhel7:v{{ repo_version }} openshift/jenkins:v{{ repo_version }} -n openshift when: osrelease | version_compare('3.7', '>=') ignore_errors: true - name: tag jenkins command: oc tag openshift/jenkins:v{{ repo_version }} openshift/jenkins:latest -n openshift register: octag_result when: osrelease | version_compare('3.7', '>=') retries: 5 delay: 2 until: octag_result|succeeded ignore_errors: true - name: Fix NFS PV Recycling for OCP 3.7 and newer gather_facts: False become: yes hosts: - nodes - infranodes - masters tasks: - name: Pull ose-recycler Image command: docker pull registry.access.redhat.com/openshift3/ose-recycler:latest register: pullr retries: 5 delay: 10 until: pullr|succeeded when: osrelease | version_compare('3.7', '>=') - name: Tag ose-recycler Image command: "docker tag registry.access.redhat.com/openshift3/ose-recycler:latest registry.access.redhat.com/openshift3/ose-recycler:v{{ osrelease }}" when: osrelease | version_compare('3.7', '>=') - name: Fix CRI-O Garbage Collection DaemonSet for OCP 3.9 and newer gather_facts: False become: yes hosts: masters run_once: true vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tasks: - name: Patch dockergc DaemonSet shell: "oc patch daemonset dockergc --patch='\"spec\": { \"template\": { \"spec\": { \"containers\": [ { \"command\": [ \"/usr/bin/oc\" ], \"name\": \"dockergc\" } ] } } }' -n default" ignore_errors: true when: - osrelease | version_compare('3.9', '>=') - container_runtime == "cri-o" - name: Redeploy dockergc DaemonSet pods shell: "oc delete pod $(oc get pods -n default|grep dockergc|awk -c '{print $1}') -n default" when: - osrelease | version_compare('3.9', '>=') - container_runtime == "cri-o" # Install OpenWhisk - name: Install OpenWhisk hosts: masters run_once: true gather_facts: False become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tags: - env-specific - install_openwhisk tasks: - import_role: name: "{{ ANSIBLE_REPO_PATH }}/roles/install-openwhisk" when: - install_openwhisk|bool # Set up Prometheus/Node Exporter/Alertmanager/Grafana # on the OpenShift Cluster - name: Install Prometheus and Grafana gather_facts: False become: yes hosts: - nodes - infranodes - masters - bastions vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" tags: - install_prometheus tasks: - import_role: name: "{{ ANSIBLE_REPO_PATH }}/roles/install-prometheus" when: install_prometheus|bool - name: Install Nexus hosts: masters run_once: true gather_facts: False become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" roles: - { role: "{{ ANSIBLE_REPO_PATH }}/roles/install-nexus", desired_project: "{{admin_project}}", nexus_version: "3" } tags: - env-specific - install_nexus - name: Install AWS Broker hosts: masters run_once: true gather_facts: False become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" tags: - env-specific - install_aws_broker tasks: - import_role: name: "{{ ANSIBLE_REPO_PATH }}/roles/install-aws-broker" when: - install_aws_broker|bool - name: Zabbix for masters hosts: masters gather_facts: true become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" vars: zabbix_auto_registration_keyword: OCP Master roles: - role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client" when: install_zabbix - role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-master" when: install_zabbix - role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-node" when: install_zabbix tags: - env-specific - install_zabbix - name: Zabbix for nodes hosts: - nodes - infranodes gather_facts: true become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" vars: zabbix_auto_registration_keyword: OCP Node zabbix_token: "{{ hostvars[groups['masters'][0]].zabbix_token }}" hawkular_route: "{{ hostvars[groups['masters'][0]].hawkular_route }}" roles: - role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client" when: install_zabbix - role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client-openshift-node" when: install_zabbix tags: - env-specific - install_zabbix - name: Zabbix for all other hosts (bastion, support, ...) hosts: - bastions - support gather_facts: true become: yes vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" vars: zabbix_auto_registration_keyword: OCP Host roles: - role: "{{ ANSIBLE_REPO_PATH }}/roles/zabbix-client" when: install_zabbix tags: - env-specific - install_zabbix - name: PostSoftware flight-check hosts: localhost connection: local gather_facts: false become: false vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" tags: - post_flight_check tasks: - debug: msg: "Post-Software checks completed successfully" - name: Gather facts hosts: - all vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" gather_facts: true tags: - ocp_report - name: Generate reports hosts: localhost connection: local become: false vars_files: - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_vars.yml" - "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/env_secret_vars.yml" tags: - ocp_report vars: env_all_hosts: all tasks: - name: get repo version used to deploy command: git rev-parse HEAD args: chdir: "{{ ANSIBLE_REPO_PATH }}" register: ansible_agnostic_deployer_head - name: Gather ec2 facts ec2_remote_facts: aws_access_key: "{{ aws_access_key_id }}" aws_secret_key: "{{ aws_secret_access_key }}" region: "{{ aws_region }}" when: - ocp_report - cloud_provider == 'ec2' - name: Generate report template: src: "{{ ANSIBLE_REPO_PATH }}/configs/{{ env_type }}/files/ocp_report.adoc.j2" dest: "{{ ANSIBLE_REPO_PATH }}/workdir/ocp_report_{{ env_type }}-{{ guid }}.adoc" when: - ocp_report - cloud_provider == 'ec2'