--- - name: Step 00xxxxx post software hosts: bastions become: no gather_facts: False environment: KUBECONFIG: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig tasks: - debug: msg: "Post-Software Steps starting" - name: Configure Bastion for CF integration hosts: bastions become: yes gather_facts: False tags: - env-specific - cf_integration - opentlc_integration tasks: - when: install_opentlc_integration|bool block: - name: Include mgr_users vars include_vars: file: mgr_users.yml - name: Configure Bastion include_role: name: opentlc-integration vars: no_log: yes - name: Configure opentlc-mgr, root and {{ remote_user }} when OpenShift installed when: - install_ocp4 | d(False) | bool block: - name: Create .kube for opentlc-mgr user file: path: /home/opentlc-mgr/.kube state: directory owner: opentlc-mgr group: opentlc-mgr - name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~opentlc-mgr copy: src: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig dest: /home/opentlc-mgr/.kube/config remote_src: yes owner: opentlc-mgr group: opentlc-mgr mode: 0600 - name: Set up Student User when: install_student_user | bool block: - name: Create .kube for {{ student_name }} user file: path: /home/{{ student_name }}/.kube state: directory owner: "{{ student_name }}" - name: Copy /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig to ~{{ student_name }} copy: src: /home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig dest: /home/{{ student_name }}/.kube/config remote_src: yes owner: "{{ student_name }}" mode: 0600 - name: Setup mount bind for cluster directory become: yes mount: path: /home/{{ student_name }}/{{ cluster_name }} src: /home/{{ remote_user }}/{{ cluster_name }} fstype: none opts: defaults,bind,ro state: mounted - name: Create OpenShift Bash completion file shell: oc completion bash >/etc/bash_completion.d/openshift - name: Configure bashrc to include KUBECONFIG shell: "echo export KUBECONFIG=/home/{{ remote_user }}/{{ cluster_name }}/auth/kubeconfig >> /home/{{ remote_user }}/.bashrc" - name: Set up Authentication hosts: bastions become: False gather_facts: False run_once: true tags: - env-specific - setup-authentication tasks: - when: - install_ocp4 | d(False) | bool - install_idm is defined environment: KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig" block: - name: Set up htpasswd when: - install_idm == "htpasswd" block: - name: Generate htpasswd hash for user_password shell: >- htpasswd -nb "userN" "{{ user_password }}"|cut -d: -f2 register: htpasswd_line when: - user_password is defined - user_password_hash is not defined - name: Set fact user_password_hash set_fact: user_password_hash: "{{ htpasswd_line.stdout }}" when: - user_password is defined - user_password_hash is not defined - htpasswd_line is succeeded - name: Generate htpasswd hash for admin user shell: >- htpasswd -nb "admin" "{{ admin_password }}"|cut -d: -f2 register: htpasswd_line when: - admin_password_hash is not defined - admin_password is defined - name: Set fact admin_password_hash set_fact: admin_password_hash: "{{ htpasswd_line.stdout }}" when: - admin_password is defined - admin_password_hash is not defined - htpasswd_line is succeeded - name: Set fact user_count set_fact: user_count: 200 when: - user_count is not defined - name: Generate htpasswd file template: src: "./files/htpasswd.j2" dest: "/home/{{ ansible_user }}/users.htpasswd" owner: "{{ ansible_user }}" mode: 0664 - name: Upload OAuth Configuration File copy: src: "./files/oauth-htpasswd.yaml" dest: "/home/{{ ansible_user }}/oauth-htpasswd.yaml" owner: "{{ ansible_user }}" mode: 0664 - name: Create htpasswd Secret command: oc create secret generic htpasswd-secret -n openshift-config --from-file=htpasswd=$HOME/users.htpasswd ignore_errors: true - name: Update OAuth Configuration shell: "oc apply -f /home/{{ ansible_user }}/oauth-htpasswd.yaml" - name: Set up OpenTLC LDAP when: - install_idm == "ldap" block: - name: Check for LDAP Bind Password fail: msg: LDAP Authentication is configured but LDAP BindPassword (bindPassword) is not defined. when: bindPassword is not defined - name: Get IPA CA Cert get_url: url: "{{ idm_ca_url }}" dest: "/home/{{ ansible_user }}/ipa-ca.crt" mode: 0660 - name: Create IPA CA Cert ConfigMap shell: "oc create configmap opentlc-ldap-ca-cert --from-file=ca.crt=/home/{{ ansible_user }}/ipa-ca.crt -n openshift-config" ignore_errors: true - name: Create LDAP Bind Password Secret shell: "oc create secret generic opentlc-ldap-secret --from-literal=bindPassword=\"{{ bindPassword }}\" -n openshift-config" ignore_errors: true - name: Upload OAuth Configuration File copy: src: "./files/oauth-opentlc-ldap.yaml" dest: "/home/{{ ansible_user }}/oauth-opentlc-ldap.yaml" owner: "{{ ansible_user }}" mode: 0664 - name: Update OAuth Configuration shell: "oc apply -f /home/{{ ansible_user }}/oauth-opentlc-ldap.yaml" - name: Set up Admin User when: admin_user is defined shell: "oc adm policy add-cluster-role-to-user cluster-admin {{ admin_user }}" # try for 5 minutes retries: 30 delay: 10 register: r_setup_admin_user until: r_setup_admin_user is succeeded - name: Remove kubeadmin User when: - admin_user is defined - install_idm != "none" - auth_remove_kubeadmin command: oc delete secret kubeadmin -n kube-system ignore_errors: true - name: PostSoftware flight-check hosts: bastions run_once: yes gather_facts: false become: false tags: - post_flight_check tasks: - when: - install_ocp4 | d(False) | bool environment: KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig" ignore_errors: yes block: - name: Get API for command line command: oc whoami --show-server register: showserver - when: webconsole is not defined block: - name: Get console route command: oc get route -n openshift-console console -o json register: routeconsole retries: 10 delay: 30 until: routeconsole is succeeded ignore_errors: yes - name: Set webconsole address set_fact: webconsole: "http://{{ routeconsole.stdout | from_json | json_query('spec.host') }}" when: routeconsole is succeeded - name: Check DNS webconsole command: nslookup "{{ webconsole | urlsplit('hostname') }}" register: checkdnswebconsole changed_when: false retries: 15 until: checkdnswebconsole is succeeded delay: 30 - name: Check DNS API command: nslookup "{{ showserver.stdout | trim | urlsplit('hostname') }}" register: checkdnsapi changed_when: false - name: Webconsole uri: url: "{{ webconsole }}" validate_certs: no register: testwebconsole retries: 5 until: testwebconsole is succeeded delay: 60 - name: Cluster-info command: oc cluster-info register: clusterinfor changed_when: false - name: Create project command: oc new-project postflightcheck register: newproject - name: New-app command: oc new-app cakephp-mysql-persistent -n postflightcheck register: newapp - name: Wait for mysql command: timeout 300 oc rollout status dc/mysql -w -n postflightcheck register: mysqlw changed_when: false - name: Wait for php command: timeout 300 oc rollout status dc/cakephp-mysql-persistent -w -n postflightcheck register: phpw changed_when: false retries: 2 delay: 60 until: phpw is succeeded - name: Get route command: >- oc get route -l template=cakephp-mysql-persistent --no-headers -o json -n postflightcheck register: getroute changed_when: false retries: 10 delay: 5 until: getroute is succeeded - name: Test that route is reachable uri: url: "http://{{ getroute.stdout|from_json|json_query('items[0].spec.host') }}" register: testroute retries: 15 delay: 5 until: testroute is succeeded - name: Delete project command: oc delete project postflightcheck - name: Switch back to default project command: oc project default - debug: msg: "{{ item }}" loop: - "user.info: " - "user.info: Post Flight Check" - "user.info: DNS Web Console ............... {{ 'OK' if checkdnswebconsole.rc == 0 else 'FAIL' }}" - "user.info: DNS API ....................... {{ 'OK' if checkdnsapi.rc == 0 else 'FAIL' }}" - "user.info: Web console ................... {{ 'OK' if testwebconsole is succeeded else 'FAIL' }}" - "user.info: API ........................... {{ 'OK' if clusterinfor.rc == 0 else 'FAIL' }}" - "user.info: Create Project with PV ........ {{ 'OK' if newproject.rc == 0 else 'FAIL' }}" - "user.info: App deployed .................. {{ 'OK' if phpw.rc == 0 and mysqlw.rc == 0 else 'FAIL' }}" - "user.info: Route ......................... {{ 'OK' if testroute is succeeded else 'FAIL' }}" - when: - smoke_tests | bool - >- checkdnswebconsole.rc != 0 or checkdnsapi.rc != 0 or testwebconsole is failed or clusterinfor.rc != 0 or newproject.rc != 0 or phpw.rc != 0 or mysqlw.rc != 0 or testroute is failed fail: msg: "FAIL Smoke tests" ignore_errors: no - name: Deploy Default, Infra and Student Workloads import_playbook: ocp_workloads.yml - name: Enable Cluster Shutdown and Resume hosts: bastions run_once: yes gather_facts: false become: false tags: - enable_shutdown tasks: - when: - install_ocp4 | d(False) | bool environment: KUBECONFIG: "{{ cluster_name }}/auth/kubeconfig" ignore_errors: yes block: - name: Create Daemon Set to renew Bootstrap Credentials k8s: state: present merge_type: - strategic-merge - merge definition: "{{ lookup('file', './files/kubelet-bootstrap-cred-manager-ds.yaml' ) | from_yaml }}" - name: Delete initial Bootstrap Secrets to force regeneration k8s: state: absent api_version: v1 kind: Secret name: "{{ item }}" namespace: openshift-kube-controller-manager-operator loop: - "csr-signer-signer" - "csr-signer" # The next tasks are to fix the bug fixed in https://github.com/openshift/cluster-kube-controller-manager-operator/pull/305 # Also the operator dealing with prometheus adapters doesn't watch the certificates. # Need to force it to reconcile - name: Wait 15 seconds before next command pause: seconds: 15 - name: Get Config Map Definition shell: oc get configmap extension-apiserver-authentication -n kube-system -o yaml >/tmp/extension-apiserver-authentication.yaml - name: Add an empty line to config map file lineinfile: path: /tmp/extension-apiserver-authentication.yaml firstmatch: true insertafter: '-----END CERTIFICATE-----' line: '' - name: Update Config Map with new file k8s: state: present src: /tmp/extension-apiserver-authentication.yaml - name: Tell CloudForms we are done hosts: bastions run_once: yes gather_facts: false become: false tasks: - name: Retrieve cluster UUID block: - name: Get kubeadmin password slurp: path: /home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeadmin-password register: kubeadminr - name: Get Cluster ID environment: KUBECONFIG: /home/{{ ansible_user }}/{{ cluster_name }}/auth/kubeconfig command: oc get clusterversion version -o jsonpath="{.spec.clusterID}" register: clusteridr - name: Set cluster id set_fact: cluster_id: "{{ clusteridr.stdout | trim }}" - name: Report provisioning status include_role: name: status-report vars: classroom_status: "Classroom ready" status_json: "{{ lookup('template', 'report.j2') }}" bastion_dns_name: "bastion{{ guid }}{{ subdomain_base_suffix }}" when: report_status | d(false) - debug: msg: "Post-Software checks completed successfully"