From 037d4931b4e7db60533d710ca8a06dabe5f5ecbb Mon Sep 17 00:00:00 2001 From: Adam Miller Date: Wed, 12 Jul 2017 16:14:20 -0500 Subject: [PATCH] add osbs orchestrator/worker playbooks/roles Signed-off-by: Adam Miller Signed-off-by: Adam Miller --- inventory/group_vars/all | 13 +- inventory/group_vars/osbs | 5 + inventory/group_vars/osbs-masters-stg | 14 - inventory/group_vars/osbs-nodes-stg | 14 - inventory/group_vars/osbs-orchestrators-stg | 34 + inventory/group_vars/osbs-stg | 101 +++ .../group_vars/osbsworker-x86-64-masters-stg | 10 + .../group_vars/osbsworker-x86-64-nodes-stg | 9 + inventory/inventory | 22 +- playbooks/groups/osbs-cluster.yml | 8 +- .../groups/osbs-orchestrator-cluster.yml | 657 ++++++++++++++++++ .../templates/cluster-inventory.j2 | 11 +- roles/openshift-prerequisites/README.md | 34 + .../openshift-prerequisites/defaults/main.yml | 14 + roles/openshift-prerequisites/meta/main.yml | 13 + roles/openshift-prerequisites/tasks/main.yml | 23 + roles/osbs-namespace/README.md | 138 ++++ roles/osbs-namespace/defaults/main.yml | 41 ++ roles/osbs-namespace/meta/main.yml | 12 + roles/osbs-namespace/tasks/main.yml | 192 +++++ roles/osbs-namespace/tasks/orchestrator.yml | 18 + .../templates/client-config-secret.conf.j2 | 53 ++ .../templates/openshift-limitrange.yml.j2 | 10 + .../templates/openshift-rolebinding.v1.yml.j2 | 19 + .../templates/openshift-rolebinding.v2.yml.j2 | 29 + .../templates/openshift-serviceaccount.yml.j2 | 5 + .../templates/reactor-config-secret.yml.j2 | 13 + .../templates/role-osbs-custom-build.yml.j2 | 10 + .../tests/files/dedicated-project-admin.yaml | 36 + .../files/expected-client-config-secret.conf | 49 ++ .../tests/group_vars/masters.yml | 17 + roles/osbs-namespace/tests/test-inventory | 2 + roles/osbs-namespace/tests/test.yml | 313 +++++++++ roles/osbs-secret/README.md | 70 ++ roles/osbs-secret/defaults/main.yml | 17 + roles/osbs-secret/handlers/main.yml | 22 + roles/osbs-secret/meta/main.yml | 21 + roles/osbs-secret/tasks/main.yml | 40 ++ .../templates/openshift-secret.yml.j2 | 10 + 39 files changed, 2066 insertions(+), 53 deletions(-) create mode 100644 inventory/group_vars/osbs-orchestrators-stg create mode 100644 inventory/group_vars/osbsworker-x86-64-masters-stg create mode 100644 inventory/group_vars/osbsworker-x86-64-nodes-stg create mode 100644 playbooks/groups/osbs-orchestrator-cluster.yml create mode 100644 roles/openshift-prerequisites/README.md create mode 100644 roles/openshift-prerequisites/defaults/main.yml create mode 100644 roles/openshift-prerequisites/meta/main.yml create mode 100644 roles/openshift-prerequisites/tasks/main.yml create mode 100644 roles/osbs-namespace/README.md create mode 100644 roles/osbs-namespace/defaults/main.yml create mode 100644 roles/osbs-namespace/meta/main.yml create mode 100644 roles/osbs-namespace/tasks/main.yml create mode 100644 roles/osbs-namespace/tasks/orchestrator.yml create mode 100644 roles/osbs-namespace/templates/client-config-secret.conf.j2 create mode 100644 roles/osbs-namespace/templates/openshift-limitrange.yml.j2 create mode 100644 roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2 create mode 100644 roles/osbs-namespace/templates/openshift-rolebinding.v2.yml.j2 create mode 100644 roles/osbs-namespace/templates/openshift-serviceaccount.yml.j2 create mode 100644 roles/osbs-namespace/templates/reactor-config-secret.yml.j2 create mode 100644 roles/osbs-namespace/templates/role-osbs-custom-build.yml.j2 create mode 100644 roles/osbs-namespace/tests/files/dedicated-project-admin.yaml create mode 100644 roles/osbs-namespace/tests/files/expected-client-config-secret.conf create mode 100644 roles/osbs-namespace/tests/group_vars/masters.yml create mode 100644 roles/osbs-namespace/tests/test-inventory create mode 100644 roles/osbs-namespace/tests/test.yml create mode 100644 roles/osbs-secret/README.md create mode 100644 roles/osbs-secret/defaults/main.yml create mode 100644 roles/osbs-secret/handlers/main.yml create mode 100644 roles/osbs-secret/meta/main.yml create mode 100644 roles/osbs-secret/tasks/main.yml create mode 100644 roles/osbs-secret/templates/openshift-secret.yml.j2 diff --git a/inventory/group_vars/all b/inventory/group_vars/all index 9b71063dab..f79f3602f7 100644 --- a/inventory/group_vars/all +++ b/inventory/group_vars/all @@ -226,17 +226,6 @@ csi_relationship: | To update this text, add the csi_* vars to group_vars/ in ansible. - -# docker images required by OpenShift Origin -openshift_required_images: - - "openshift/origin-pod" - -# docker images required by OSBS for builds -fedora_required_images: - - "fedora:24" - - "fedora:25" - - "fedora:latest" - # # say if we want the apache role dependency for mod_wsgi or not # In some cases we want mod_wsgi and no apache (for python3 httpaio stuff) @@ -265,7 +254,7 @@ vpn: False createrepo: True # Nagios global variables -nagios_Check_Services: +nagios_Check_Services: nrpe: true sshd: true named: false diff --git a/inventory/group_vars/osbs b/inventory/group_vars/osbs index ea03d3700e..b79c83c8da 100644 --- a/inventory/group_vars/osbs +++ b/inventory/group_vars/osbs @@ -21,3 +21,8 @@ koji_url: "koji.fedoraproject.org" osbs_client_conf_path: /etc/osbs.conf baseiptables: False + +# docker images required by OpenShift Origin +openshift_required_images: + - "openshift/origin-pod" + diff --git a/inventory/group_vars/osbs-masters-stg b/inventory/group_vars/osbs-masters-stg index c1e595cf37..629928e5ba 100644 --- a/inventory/group_vars/osbs-masters-stg +++ b/inventory/group_vars/osbs-masters-stg @@ -6,19 +6,5 @@ num_cpus: 2 tcp_ports: [ 80, 443, 8443] -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran -sudoers: "{{ private }}/files/sudo/00releng-sudoers" - -docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org" -source_registry: "registry.stg.fedoraproject.org" -docker_registry: "candidate-registry.stg.fedoraproject.org" - -osbs_url: "osbs.stg.fedoraproject.org" -osbs_koji_username: "kojibuilder_stg" - -koji_url: "koji.stg.fedoraproject.org" - -osbs_client_conf_path: /etc/osbs.conf - openshift_node_labels: {'region':'infra'} openshift_schedulable: False diff --git a/inventory/group_vars/osbs-nodes-stg b/inventory/group_vars/osbs-nodes-stg index 4bf8de294e..54de320771 100644 --- a/inventory/group_vars/osbs-nodes-stg +++ b/inventory/group_vars/osbs-nodes-stg @@ -6,18 +6,4 @@ num_cpus: 2 tcp_ports: [ 80, 443, 8443, 10250] -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran -sudoers: "{{ private }}/files/sudo/00releng-sudoers" - -docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org" -source_registry: "registry.stg.fedoraproject.org" -docker_registry: "candidate-registry.stg.fedoraproject.org" - -osbs_url: "osbs.stg.fedoraproject.org" -osbs_koji_username: "kojibuilder_stg" - -koji_url: "koji.stg.fedoraproject.org" - -osbs_client_conf_path: /etc/osbs.conf - openshift_node_labels: {'region': 'primary', 'zone': 'default'} diff --git a/inventory/group_vars/osbs-orchestrators-stg b/inventory/group_vars/osbs-orchestrators-stg new file mode 100644 index 0000000000..99b8ab768f --- /dev/null +++ b/inventory/group_vars/osbs-orchestrators-stg @@ -0,0 +1,34 @@ +--- +osbs_manage_firewalld: false +osbs_namespace: "osbs" +# Allow 'oc' command to find its configuration file +osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig +osbs_environment: + HOME: "{{ lookup('env', 'HOME') }}" + KUBECONFIG: "{{ osbs_kubeconfig_path }}" +osbs_service_accounts: +- koji +- metrics +osbs_readonly_users: +- "system:serviceaccount:{{ osbs_namespace }}:metrics" +osbs_readonly_groups: +- "system:authenticated" +osbs_readwrite_groups: [] +osbs_readwrite_users: +- "{{ ansible_hostname }}" +- "system:serviceaccount:{{ osbs_namespace }}:default" +- "system:serviceaccount:{{ osbs_namespace }}:builder" +osbs_admin_users: +- kevin +- puiterwijk +- maxamillion +- dgilmore +osbs_admin_groups: [] +env: prod +osbs_ha_install: true +osbs_nodes: "{{ groups['osbs-orchestrator-' + env + '-nodes'] }}" + + +#nodeselectors +osbs_orchestrator_default_nodeselector: "orchestrator=true" +osbs_worker_default_nodeselector: "worker=true" diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg index 2e3e4d513d..c4d8f8ae5a 100644 --- a/inventory/group_vars/osbs-stg +++ b/inventory/group_vars/osbs-stg @@ -1,2 +1,103 @@ --- + baseiptables: False + +fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran +sudoers: "{{ private }}/files/sudo/00releng-sudoers" + +docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org" +stable_registry: "registry.stg.fedoraproject.org" +candidate_registry: "candidate-registry.stg.fedoraproject.org" + +osbs_url: "osbs.stg.fedoraproject.org" +osbsworker_x86_64_url: "osbsworker-x86-64.stg.fedoraproject.org" + +koji_url: "koji.stg.fedoraproject.org" + +osbs_builder_user: builder +koji_builder_user: dockerbuilder + +osbs_client_conf_path: /etc/osbs.conf + +openshift_htpasswd_file: /etc/origin/htpasswd +openshift_ansible_version: openshift-ansible-3.5.97-1 +openshift_ansible_ssh_user: root +openshift_ansible_install_examples: false +openshift_ansible_containerized_deploy: false +openshift_auth_profile: osbs +origin_release: v1.5.1 +openshift_debug_level: 2 + +osbs_namespace: "osbs" +osbs_koji_username: "kojibuilder_stg" + +osbs_openshift_home: /var/lib/origin +osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig +osbs_generated_config_path: /tmp + +osbs_environment: + KUBECONFIG: "{{ osbs_kubeconfig_path }}" + +osbs_is_admin: true + +osbs_service_accounts: +- worker +- orchestrator +- metrics + +osbs_cpu_limitrange: '200m' + +# FIXME +# I'm not sure who all should be admins and we might want some read-only user +# for the purpose of monitoring +osbs_admin_groups: [] +osbs_admin_users: [] +osbs_readonly_groups: [] +osbs_readonly_users: [] +osbs_readwrite_groups: [] +osbs_readwrite_users: [] + +osbs_orchestrator: false + +osbs_worker_namespace: "worker" + +osbs_worker_service_accounts: +- worker +- orchestrator + +osbs_worker_clusters: + x86_64: + - name: osbsworker-x86-64 + max_concurrent_builds: 12 + openshift_url: "https://{{ osbsworker_x86_64_url }}" + verify_ssl: 'false' + artifacts_allowed_domains: + - "{{stable_registry}}" + - "{{candidate_registry}}" + +osbs_koji_hub: "https://{{koji_url}}/kojihub +osbs_koji_root: https://{{koji_url}}/koji + +osbs_pulp_registry_name: brew-prod + +osbs_registry_uri: https://{{candidate_registry}}/v2 + +osbs_source_registry_uri: http://brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888 + +osbs_koji_secret_name: koji +osbs_distribution_scope: public +osbs_authoritative_registry: "{{ stable_registry }}" +osbs_registry_api_versions: +- v2 +osbs_registry_secret_name: v2-registry-dockercfg +osbs_registry_uri: '' +osbs_source_registry_uri: '' +osbs_build_json_dir: /usr/share/osbs +osbs_sources_command: fedpkg sources +osbs_vendor: Fedora Project + +#nodeselectors +osbs_orchestrator_default_nodeselector: "orchestrator=true" +osbs_worker_default_nodeselector: "worker=true" + + diff --git a/inventory/group_vars/osbsworker-x86-64-masters-stg b/inventory/group_vars/osbsworker-x86-64-masters-stg new file mode 100644 index 0000000000..629928e5ba --- /dev/null +++ b/inventory/group_vars/osbsworker-x86-64-masters-stg @@ -0,0 +1,10 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 60000 +mem_size: 8192 +num_cpus: 2 + +tcp_ports: [ 80, 443, 8443] + +openshift_node_labels: {'region':'infra'} +openshift_schedulable: False diff --git a/inventory/group_vars/osbsworker-x86-64-nodes-stg b/inventory/group_vars/osbsworker-x86-64-nodes-stg new file mode 100644 index 0000000000..54de320771 --- /dev/null +++ b/inventory/group_vars/osbsworker-x86-64-nodes-stg @@ -0,0 +1,9 @@ +--- +# Define resources for this group of hosts here. +lvm_size: 60000 +mem_size: 8192 +num_cpus: 2 + +tcp_ports: [ 80, 443, 8443, 10250] + +openshift_node_labels: {'region': 'primary', 'zone': 'default'} diff --git a/inventory/inventory b/inventory/inventory index 3e8f7d1e7a..a489faba41 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -1333,16 +1333,16 @@ osbs-master01.phx2.fedoraproject.org [osbs-masters-stg] osbs-master01.stg.phx2.fedoraproject.org -[osbsworker-masters-stg] -#osbsworker-x86-64-master01.stg.phx2.fedoraproject.org +[osbsworker-x86-64-masters-stg] +osbsworker-x86-64-master01.stg.phx2.fedoraproject.org [osbs-nodes-stg] osbs-node01.stg.phx2.fedoraproject.org osbs-node02.stg.phx2.fedoraproject.org -[osbsworker-nodes-stg] -#osbsworker-x86-64-node01.stg.phx2.fedoraproject.org -#osbsworker-x86-64-node02.stg.phx2.fedoraproject.org +[osbsworker-x86-64-nodes-stg] +osbsworker-x86-64-node01.stg.phx2.fedoraproject.org +osbsworker-x86-64-node02.stg.phx2.fedoraproject.org [osbs:children] osbs-control @@ -1353,8 +1353,16 @@ osbs-masters osbs-control-stg osbs-nodes-stg osbs-masters-stg -osbsworker-nodes-stg -osbsworker-masters-stg +osbsworker-x86-64-nodes-stg +osbsworker-x86-64-masters-stg + +[osbs-orchestrators-stg:children] +osbs-nodes-stg +osbs-masters-stg + +[osbs-workers-stg:children] +osbsworker-x86-64-nodes-stg +osbsworker-x86-64-masters-stg [os-control-stg] os-control01.stg.phx2.fedoraproject.org diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index d1b5c01a6e..63bac6d496 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -1,9 +1,9 @@ # create an osbs server -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control-stg:osbs-control" -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes-stg:osbs-masters-stg:osbs-nodes:osbs-masters:osbsworker-nodes-stg:osbsworker-masters-stg" +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control" +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes:osbs-masters" - name: make the box be real - hosts: osbs-control:osbs-control-stg:osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes:osbsworker-nodes-stg:osbsworker-masters-stg + hosts: osbs-control:osbs-masters:osbs-nodes user: root gather_facts: True @@ -738,7 +738,7 @@ - name: Post-Install image stream refresh - hosts: osbs-masters-stg[0]:osbs-masters[0] + hosts: osbs-masters[0] tags: - osbs-post-install vars_files: diff --git a/playbooks/groups/osbs-orchestrator-cluster.yml b/playbooks/groups/osbs-orchestrator-cluster.yml new file mode 100644 index 0000000000..b800e10bbd --- /dev/null +++ b/playbooks/groups/osbs-orchestrator-cluster.yml @@ -0,0 +1,657 @@ +# create an osbs server +- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-stg" + +- name: make the box be real + hosts: osbs-stg + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - base + - rkhunter + - nagios_client + - hosts + - fas_client + - collectd/base + - rsyncd + - sudo + + tasks: + - include: "{{ tasks_path }}/yumrepos.yml" + - include: "{{ tasks_path }}/2fa_client.yml" + - include: "{{ tasks_path }}/motd.yml" + + handlers: + - include: "{{ handlers_path }}/restart_services.yml" + +# Prepare the Control host to be able to run ansible-ansible-openshift-ansible +# against the Orchestration and Worker cluster machines +- name: OSBS control hosts pre-req setup + hosts: osbs-control-stg + tags: + - osbs-orchestrator-prereq + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - name: deploy private key to control hosts + copy: + src: "{{private}}/files/osbs/{{env}}/control_key" + dest: "/root/.ssh/id_rsa" + owner: root + mode: 0600 + + - name: set ansible to use pipelining + ini_file: + dest: /etc/ansible/ansible.cfg + section: ssh_connection + option: pipelining + value: "True" + + +# This section sets up the SSL Certs for "public facing" which is how Koji will +# interact with the OSBS Orchestration cluster. This is not needed on the worker +# clusters. +- name: Setup orchestrator cluster masters pre-reqs + hosts: osbs-masters-stg + tags: + - osbs-orchestrator-prereq + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - name: ensure origin conf dir exists + file: + path: "/etc/origin" + state: "directory" + + - name: create cert dir for openshift public facing REST API SSL + file: + path: "/etc/origin/master/named_certificates" + state: "directory" + + - name: install cert for openshift public facing REST API SSL + copy: + src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" + dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem" + + - name: install key for openshift public facing REST API SSL + copy: + src: "{{private}}/files/osbs/{{env}}/osbs-internal.key" + dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key" + + - name: place htpasswd file + copy: + src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd" + dest: "{{ openshift_htpasswd_file }}" + + +# This installs required pre-reqs and deploys the Controler's public key to all +# machines in both the Orchestrator and Worker clusters in order to allow +# ansible-ansible-openshift-ansible to be run against them +- name: Setup cluster hosts pre-reqs + hosts: osbs-orchestrators-stg:osbs-workers-stg + tags: + - osbs-orchestrator-prereq + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + handlers: + - name: restart NetworkManager + service: + name: NetworkManager + state: restarted + + roles: + - role: openshift-prerequisites + + tasks: + - name: Install necessary packages that openshift-ansible needs + package: name="{{ item }}" state=installed + with_items: + - tar + - rsync + - dbus-python + - NetworkManager + - libselinux-python + - origin + + - name: Deploy controller public ssh keys to osbs cluster hosts + authorized_key: + user: root + key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}" + + # This is required for OpenShift built-in SkyDNS inside the overlay network + # of the cluster + - name: ensure NM_CONTROLLED is set to "yes" for osbs cluster + lineinfile: + dest: "/etc/sysconfig/network-scripts/ifcfg-eth0" + line: "NM_CONTROLLED=yes" + notify: + - restart NetworkManager + + # This is required for OpenShift built-in SkyDNS inside the overlay network + # of the cluster + - name: ensure NetworkManager is enabled and started + service: + name: NetworkManager + state: started + enabled: yes + + - name: cron entry to clean up docker storage + copy: + src: "{{files}}/osbs/cleanup-docker-storage" + dest: "/etc/cron.d/cleanup-docker-storage" + + - name: copy docker-storage-setup config + copy: + src: "{{files}}/osbs/docker-storage-setup" + dest: "/etc/sysconfig/docker-storage-setup" + + +# This keytab needs to be on any system that is going to talk to koji and +# unfortunately, that's all of them. +- name: Deploy kerberose keytab to cluster hosts + hosts: osbs-masters-stg:osbs-nodes-stg:osbsworker-masters-stg:osbsworker-nodes-stg + tags: + - osbs-cluster-prereq + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: keytab/service + owner_user: root + owner_group: root + service: osbs + host: "osbs.stg.fedoraproject.org" + when: env == "staging" + +- name: Deploy OpenShift Clusters + hosts: osbs-control-stg + tags: + - osbs-deploy-openshift + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: ansible-ansible-openshift-ansible + cluster_inventory_filename: "orchestrator-cluster-inventory-stg" + openshift_htpasswd_file: "{{ openshift_htpasswd_file }}" + openshift_master_public_api_url: "https://{{ osbs_url }}:8443" + openshift_release: "{{ origin_release }}" + openshift_ansible_path: "/root/openshift-ansible" + openshift_ansible_playbook: "playbooks/byo/config.yml" + openshift_ansible_version: "{{ openshift_ansible_version }}" + openshift_ansible_ssh_user: "{{ openshift_ansible_ssh_user }}" + openshift_ansible_install_examples: "{{ openshift_ansible_install_examples }}" + openshift_ansible_containerized_deploy: "{{ openshift_ansible_containerized_deploy }}" + openshift_cluster_masters_group: "osbs-masters-stg" + openshift_cluster_nodes_group: "osbs-nodes-stg" + openshift_cluster_infra_group: "osbs-masters-stg" + openshift_auth_profile: "{{ openshift_auth_profile }}" + openshift_cluster_url: "{{ osbs_url }}" + openshift_master_ha: false + openshift_debug_level: "{{ openshift_debug_level }}" + openshift_shared_infra: true + openshift_deployment_type: "origin" + openshift_metrics_deploy: true + when: env == 'staging' + tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] + + - role: ansible-ansible-openshift-ansible + cluster_inventory_filename: "x86-64-worker-cluster-inventory-stg" + openshift_htpasswd_file: "{{ openshift_htpasswd_file }}" + openshift_master_public_api_url: "https://{{ osbsworker_x86_64_url }}:8443" + openshift_release: "{{ origin_release }}" + openshift_ansible_path: "/root/openshift-ansible" + openshift_ansible_playbook: "playbooks/byo/config.yml" + openshift_ansible_version: "openshift-ansible-3.3.57-1" + openshift_ansible_ssh_user: "{{ openshift_ansible_ssh_user }}" + openshift_ansible_install_examples: "{{ openshift_ansible_install_examples }}" + openshift_ansible_containerized_deploy: "{{ openshift_ansible_containerized_deploy }}" + openshift_cluster_masters_group: "osbsworker-masters-stg" + openshift_cluster_nodes_group: "osbsworker-nodes-stg" + openshift_cluster_infra_group: "osbsworker-masters-stg" + openshift_auth_profile: "{{ openshift_auth_profile }}" + openshift_cluster_url: "{{ osbsworker_x86_64_url }}" + openshift_master_ha: false + openshift_debug_level: "{{ openshift_debug_level }}" + openshift_shared_infra: true + openshift_deployment_type: "origin" + openshift_metrics_deploy: true + when: env == 'staging' + tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] + + +- name: Setup OSBS requirements for OpenShift cluster hosts + hosts: osbs-masters-stg:osbs-nodes-stg:osbsworker-masters-stg:osbsworker-nodes-stg + tags: + - osbs-cluster-req + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - role: osbs-common + osbs_manage_firewalld: false + + - role: osbs-atomic-reactor + + - role: push-docker + docker_cert_name: "containerbuild" + docker_cert_dir: "/etc/docker/certs.d/{{ candidate_registry }}" + when: env == "staging" + + # The images that come out of the builds need to be pushed somwhere + - role: "manage-container-images" + cert_dest_dir: "/etc/docker/certs.d/{{ candidate_registry }}" + cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem" + key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key" + when: env == "staging" + + handlers: + - name: restart dnsmasq + service: + name: dnsmasq + state: restarted + + tasks: + + - name: install fedora dnsmasq specific config + copy: + src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}" + dest: "/etc/dnsmasq.d/fedora-dns.conf" + notify: + - restart dnsmasq + +- name: setup orchestrator namespace + hosts: osbs-masters-stg[0] + tags: + - osbs-cluster-req + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + vars: + osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig + osbs_environment: + KUBECONFIG: "{{ osbs_kubeconfig_path }}" + koji_pki_dir: /etc/pki/koji + koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" + koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" + koji_builder_user: dockerbuilder + osbs_secret_name: kojisecret + osbs_secret_service_account: "{{ osbs_builder_user }}" + osbs_secret_remote_dir: /var/lib/origin + osbs_secret_can_fail: false + + roles: + - role: osbs-namespace + osbs_orchestrator: true + osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}" + osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}" + + - role: osbs-secret + osbs_namespace: "{{ osbs_worker_namespace }}" + osbs_secret_name: kojisecret + osbs_secret_files: + - source: "{{ secret_repo }}/groups/osbs-{{ env }}/koji/cert" + dest: cert + - source: "{{ secret_repo }}/groups/osbs-{{ env }}/koji/ca" + dest: ca + - source: "{{ secret_repo }}/groups/osbs-{{ env }}/koji/serverca" + dest: serverca + +- name: setup worker namespace + hosts: osbsworker-x86-64-masters-stg[0] + tags: + - osbs-cluster-req + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + vars: + osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig + osbs_environment: + KUBECONFIG: "{{ osbs_kubeconfig_path }}" + koji_pki_dir: /etc/pki/koji + koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" + koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" + koji_builder_user: dockerbuilder + osbs_builder_user: builder + osbs_secret_name: kojisecret + osbs_secret_service_account: "{{ osbs_builder_user }}" + osbs_secret_remote_dir: /var/lib/origin + osbs_secret_can_fail: false + + roles: + - role: osbs-namespace + osbs_namespace: "{{ osbs_worker_namespace }}" + osbs_service_accounts: "{{ osbs_worker_service_accounts }}" + osbs_nodeselector: "{{ osbs_worker_default_nodeselector|default('') }}" + + - role: osbs-secret + osbs_namespace: "{{ osbs_worker_namespace }}" + osbs_secret_name: kojisecret + osbs_secret_files: + - source: "{{ secret_repo }}/groups/osbs-{{ env }}/koji/cert" + dest: cert + - source: "{{ secret_repo }}/groups/osbs-{{ env }}/koji/ca" + dest: ca + - source: "{{ secret_repo }}/groups/osbs-{{ env }}/koji/serverca" + dest: serverca + +- name: Setup Koji auth for OpenShift Orchestrator + hosts: osbs-masters-stg[0] + tags: + - osbs-cluster-req + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + tags: + - osbs-master-req + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + + tasks: + - name: set policy for koji builder in openshift for osbs + shell: "oadm policy add-role-to-user -n {{ osbs_namespace }} edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added" + args: + creates: "/etc/origin/koji-builder-policy-added" + when: env == "staging" + + - name: set policy for koji builder in openshift for atomic-reactor + shell: "oadm policy add-role-to-user -n {{ osbs_namespace }} edit system:serviceaccount:{{osbs_namespace}}:{{osbs_ && touch /etc/origin/atomic-reactor-policy-added" + args: + creates: "/etc/origin/atomic-reactor-policy-added" + + +- name: Manage docker images and image stream + hosts: osbs-masters-stg[0]:osbsworker-x86-64-masters-stg[0] + tags: + - osbs-post-install + - manage-docker-images + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + vars: + osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig + osbs_environment: + KUBECONFIG: "{{ osbs_kubeconfig_path }}" + koji_pki_dir: /etc/pki/koji + koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" + koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" + koji_builder_user: dockerbuilder + + tasks: + - name: pull openshift required docker images + shell: "docker pull {{item}}:v{{origin_release}}" + with_items: "{{openshift_required_images}}" + delegate_to: compose-x86-01.phx2.fedoraproject.org + register: docker_pull_openshift_delegated + changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout" + + - name: tag openshift required docker images for our registry + shell: "docker tag {{item}}:v{{origin_release}} {{candidate_registry}}/{{item}}:v{{origin_release}}" + with_items: "{{openshift_required_images}}" + delegate_to: compose-x86-01.phx2.fedoraproject.org + when: docker_pull_openshift_delegated|changed + + - name: push openshift required docker images to our registry + shell: "docker push {{candidate_registry}}/{{item}}:v{{origin_release}}" + with_items: "{{openshift_required_images}}" + delegate_to: compose-x86-01.phx2.fedoraproject.org + when: docker_pull_openshift_delegated|changed + + - name: create fedora image stream for OpenShift + shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{candidate_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated" + environment: "{{ osbs_environment }}" + args: + creates: /etc/origin/fedoraimagestreamcreated + +- name: post-install osbs tasks + hosts: osbs-masters-stg:osbs-nodes-stg + tags: + - osbs-post-install + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + vars: + osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig + osbs_environment: + KUBECONFIG: "{{ osbs_kubeconfig_path }}" + koji_pki_dir: /etc/pki/koji + koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" + koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" + koji_builder_user: dockerbuilder + osbs_builder_user: builder + + + handlers: + - name: buildroot container + shell: 'docker rmi buildroot; docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/' + + - name: restart docker + service: + name: docker + state: restarted + + - name: systemctl daemon-reload + shell: 'systemctl daemon-reload' + + roles: + - { + role: osbs-client, + general: { + verbose: 0, + build_json_dir: '/etc/osbs/input/', + openshift_required_version: 1.1.0, + }, + default: { + username: "{{ osbs_koji_stg_username }}", + password: "{{ osbs_koji_stg_password }}", + koji_use_kerberos: True, + koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab", + koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}", + openshift_url: 'https://{{osbs_url}}/', + registry_uri: 'https://{{candidate_registry}}/v2', + source_registry_uri: 'https://{{stable_registry}}/v2', + build_host: '{{osbs_url}}', + koji_root: '{{osbs_koji_root}}', + koji_hub: '{{osbs_koji_hub}}', + sources_command: 'fedpkg sources', + build_type: 'prod', + authoritative_registry: '{{stable_registry}}', + vendor: 'Fedora Project', + verify_ssl: true, + use_auth: true, + builder_use_auth: true, + distribution_scope: 'private', + registry_api_versions: 'v2', + builder_openshift_url: 'https://{{osbs_url}}' + }, + when: env == "staging" + } + + tasks: + - name: copy docker iptables script + copy: + src: "{{files}}/osbs/fix-docker-iptables.{{ env }}" + dest: /usr/local/bin/fix-docker-iptables + mode: 0755 + notify: + - restart docker + + - name: copy docker service config + copy: + src: "{{files}}/osbs/docker.service" + dest: /etc/systemd/system/docker.service + notify: + - systemctl daemon-reload + - restart docker + + - name: set nrpe read access for osbs.conf for nagios monitoring + acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present + + - name: Create buildroot container conf directory + file: + path: "/etc/osbs/buildroot/" + state: directory + + - name: Upload Dockerfile for buildroot container + template: + src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2" + dest: "/etc/osbs/buildroot/Dockerfile" + mode: 0400 + notify: + - buildroot container + + - name: Upload internal CA for buildroot + copy: + src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" + dest: "/etc/osbs/buildroot/ca.crt" + mode: 0400 + notify: + - buildroot container + + - name: stat infra repofile + stat: + path: "/etc/yum.repos.d/infra-tags.repo" + register: infra_repo_stat + + - name: stat /etc/osbs/buildroot/ infra repofile + stat: + path: "/etc/osbs/buildroot/infra-tags.repo" + register: etcosbs_infra_repo_stat + + - name: remove old /etc/osbs/buildroot/ infra repofile + file: + path: "/etc/osbs/buildroot/infra-tags.repo" + state: absent + when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum + + - name: Copy repofile for buildroot container (because Docker) + copy: + src: "/etc/yum.repos.d/infra-tags.repo" + dest: "/etc/osbs/buildroot/infra-tags.repo" + remote_src: true + notify: + - buildroot container + when: etcosbs_infra_repo_stat.stat.exists == false + + - name: stat /etc/ keytab + stat: + path: "/etc/krb5.osbs_{{osbs_url}}.keytab" + register: etc_kt_stat + + - name: stat /etc/osbs/buildroot/ keytab + stat: + path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" + register: etcosbs_kt_stat + + - name: remove old hardlink to /etc/osbs/buildroot/ keytab + file: + path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" + state: absent + when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum != etcosbs_kt_stat.stat.checksum + + - name: Hardlink keytab for buildroot container (because Docker) + file: + src: "/etc/krb5.osbs_{{osbs_url}}.keytab" + dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" + state: hard + notify: + - buildroot container + when: etcosbs_kt_stat.stat.exists == false + + - name: pull openshift required docker images + shell: "docker pull {{candidate_registry}}/{{item}}:v{{origin_release}}" + with_items: "{{openshift_required_images}}" + register: docker_pull_openshift + changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout" + + - name: tag openshift required docker images locally + shell: "docker tag {{candidate_registry}}/{{item}}:v{{origin_release}} {{item}}:v{{origin_release}}" + with_items: "{{openshift_required_images}}" + when: docker_pull_openshift|changed + + - set_fact: + docker_pull_openshift: "{{ docker_pull_openshift }}" + + +- name: Post-Install image stream refresh + hosts: osbs-masters-stg[0] + tags: + - osbs-post-install + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - name: refresh fedora image streams + shell: "oc import-image fedora --all" + when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed + + - name: enable nrpe for monitoring (noc01) + iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT + +# - name: enable nrpe for monitoring (noc01.stg) +# iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=1#0.5.126.2 state=present jump=ACCEPT diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 index c8a069b109..632c7d5fc5 100644 --- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 +++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 @@ -457,8 +457,13 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} # See: https://docs.openshift.com/enterprise/latest/install_config/cluster_metrics.html # # By default metrics are not automatically deployed, set this to enable them -# openshift_hosted_metrics_deploy=true # +# openshift_hosted_metrics_deploy=true +{% if openshift_metrics_deploy is defined %} +{% if openshift_metrics_deploy %} +# +openshift_hosted_metrics_deploy=true + # Storage Options # If openshift_hosted_metrics_storage_kind is unset then metrics will be stored # in an EmptyDir volume and will be deleted when the cassandra pod terminates. @@ -499,7 +504,9 @@ openshift_master_default_subdomain={{openshift_app_subdomain}} # Defaults to https://hawkular-metrics.openshift_master_default_subdomain/hawkular/metrics # Currently, you may only alter the hostname portion of the url, alterting the # `/hawkular/metrics` path will break installation of metrics. -#openshift_hosted_metrics_public_url=https://hawkular-metrics.example.com/hawkular/metrics +#openshift_hosted_metrics_public_url=https://hawkular-metrics.{{osbs_cluster_url}}/hawkular/metrics +{% endif %} +{% endif %} # Logging deployment # diff --git a/roles/openshift-prerequisites/README.md b/roles/openshift-prerequisites/README.md new file mode 100644 index 0000000000..f69a7bbbf1 --- /dev/null +++ b/roles/openshift-prerequisites/README.md @@ -0,0 +1,34 @@ +OpenShift prerequisites Role +============================ + +An Ansible role to manage prerequisites for OSE installation. +It performs the following operations: + +* Sets necessary sebools for GlusterFS and NFS. + https://docs.openshift.com/container-platform/3.3/install_config/install/prerequisites.html#prereq-selinux +* Installs python-six package + https://github.com/openshift/openshift-ansible/issues/3020 + + +Role Variables Example +---------------------- + + # Set up sebools + openshift_sebools: + - name: virt_sandbox_use_fusefs + state: yes + persistent: yes + + +Example Playbook +---------------- + + - hosts: all + roles: + - openshift-prerequisites + + +Dependencies +------------ + +None. diff --git a/roles/openshift-prerequisites/defaults/main.yml b/roles/openshift-prerequisites/defaults/main.yml new file mode 100644 index 0000000000..1db524a6b8 --- /dev/null +++ b/roles/openshift-prerequisites/defaults/main.yml @@ -0,0 +1,14 @@ +--- +# SELinux booleans +openshift_sebools: +# https://docs.openshift.com/container-platform/3.3/install_config/persistent_storage/persistent_storage_glusterfs.html#selinux +- name: virt_sandbox_use_fusefs + state: yes + persistent: yes +# https://docs.openshift.com/container-platform/3.3/install_config/persistent_storage/persistent_storage_nfs.html#nfs-selinux +- name: virt_use_nfs + state: yes + persistent: yes +- name: virt_sandbox_use_nfs + state: yes + persistent: yes diff --git a/roles/openshift-prerequisites/meta/main.yml b/roles/openshift-prerequisites/meta/main.yml new file mode 100644 index 0000000000..baf5bd8f5b --- /dev/null +++ b/roles/openshift-prerequisites/meta/main.yml @@ -0,0 +1,13 @@ +# Standards: 1.6 +--- +galaxy_info: + author: Andrej Golis + description: Set up prerequisites for OSE installation + company: Red Hat, Inc. + license: BSD + min_ansible_version: 2.1 + platforms: + - name: EL + versions: + - 7 +dependencies: [] diff --git a/roles/openshift-prerequisites/tasks/main.yml b/roles/openshift-prerequisites/tasks/main.yml new file mode 100644 index 0000000000..16adfef9a0 --- /dev/null +++ b/roles/openshift-prerequisites/tasks/main.yml @@ -0,0 +1,23 @@ +--- +- name: Install python-six package + package: + name: python-six + state: present + +- name: Install libselinux-python package + package: + name: libselinux-python + state: present + +- name: Configure SELinux + selinux: + state: enforcing + policy: targeted + +- name: enable/disable sebools + seboolean: + name: "{{ item.name }}" + state: "{{ item.state }}" + persistent: "{{ item.persistent }}" + with_items: "{{ openshift_sebools }}" + when: openshift_sebools != "" diff --git a/roles/osbs-namespace/README.md b/roles/osbs-namespace/README.md new file mode 100644 index 0000000000..580275a80e --- /dev/null +++ b/roles/osbs-namespace/README.md @@ -0,0 +1,138 @@ +Role Name +========= + +Setup an OpenShift namespace as required by OSBS: +- Create namespace, also referred to as project (`osbs_namespace`) +- Create service accounts (`osbs_service_accounts`) + +If user is cluster admin (`osbs_is_admin`), the following is also performed: +- Create policy binding +- Create osbs-custom-build role to allow custom builds +- Sets up rolebindings for specified users, groups and service accounts + +For orchestrator namespaces (`osbs_orchestrator`): +- reactor-config-secret is generated and stored in `osbs_generated_config_path` + use osbs-secret to import it +- client-config-secret is generated and stored in `osbs_generated_config_path` + use osbs-secret to import it + +Requirements +------------ + +A running instance of OpenShift. + +Role Variables +-------------- + + # Namespace name to be used + osbs_namespace: 'my-namespace' + # Is user running playbook as cluster admin? + osbs_is_admin: true + # Will the namespace be used for orchestrator builds? + osbs_orchestrator: true + + # Worker clusters to be used for generating reactor and client config secrets + # in orchestrator workspace + osbs_worker_clusters: + x86_64: + - name: prod-x86_64-on-prem + max_concurrent_builds: 6 + openshift_url: https://my-x86_64-on-premise-cluster.redhat.com:8443 + - name: prod-x86_64-osd + max_concurrent_builds: 16 + openshift_url: https://my-x86_64-osd-cluster.redhat.com:8443 + # optional params, and their defaults: + enabled: true # yaml boolean + namespace: worker + use_auth: 'true' # yaml string + verify_ssl: 'true' # yaml string + + ppc64le: + - name: prod-ppc64le-on-prem + max_concurrent_builds: 6 + openshift_url: https://my-ppc64le-on-premise-cluster.redhat.com:8443 + + # Service accounts to be created - these accounts will also be bound to + # edit clusterrole and osbs-custom-build role in specified namespace + osbs_service_accounts: + - bot + - ci + + # User and groups to be assigned view clusterrole in specified namespace + osbs_readonly_groups: + - group1 + - group2 + osbs_readonly_users: + - user1 + - user2 + + # Users and groups to be assigned edit clusterrole and osbs-custom-build + # role in specified namespace + osbs_readwrite_groups: + - group1 + - group2 + osbs_readwrite_users: + - user1 + - user2 + + # Users and groups to be assigned admin clusterrole and osbs-custom-build + # role in specified namespace + osbs_admin_groups: + - group1 + - group2 + osbs_admin_users: + - user1 + - user2 + + # Koji integration + osbs_koji_secret_name: kojisecret + osbs_koji_hub: https://koji-hub.redhat.com # Empty default value + osbs_koji_root: https://koji-root.redhat.com # Empty default value + + # Pulp integration + osbs_pulp_secret_name: pulpsecret + osbs_pulp_registry_name: brew-qa # Empty default value + + # Distribution registry integration + osbs_registry_secret_name: v2-registry-dockercfg + osbs_registry_api_version: + - v1 + - v2 + osbs_registry_uri: https://distribution-registry.redhat.com/v2 # Empty default value + + # Dist-git integration + osbs_sources_command: rhpkg sources + osbs_source_registry_uri: https://source-registry.redhat.com # Empty default value + +For a full list, see defaults/main.yml + +Dependencies +------------ + +None. + +Example Playbook +---------------- + + - name: setup worker namespace + hosts: master + roles: + - role: osbs-namespace + osbs_namespace: worker + + - name: setup orchestrator namespace + hosts: master + roles: + - role: osbs-namespace + osbs_namespace: orchestrator + osbs_orchestrator: true + +License +------- + +BSD + +Author Information +------------------ + +Luiz Carvalho diff --git a/roles/osbs-namespace/defaults/main.yml b/roles/osbs-namespace/defaults/main.yml new file mode 100644 index 0000000000..00069104dd --- /dev/null +++ b/roles/osbs-namespace/defaults/main.yml @@ -0,0 +1,41 @@ +--- +osbs_openshift_home: /var/lib/origin +osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig +osbs_generated_config_path: /tmp + +osbs_environment: + KUBECONFIG: "{{ osbs_kubeconfig_path }}" + +osbs_is_admin: true + +osbs_service_accounts: [] + +osbs_cpu_limitrange: '' + +osbs_admin_groups: [] +osbs_admin_users: [] +osbs_readonly_groups: [] +osbs_readonly_users: [] +osbs_readwrite_groups: [] +osbs_readwrite_users: [] + +osbs_orchestrator: false +osbs_worker_clusters: {} + +osbs_koji_secret_name: kojisecret +osbs_distribution_scope: public +osbs_authoritative_registry: registry.access.redhat.com +osbs_koji_hub: '' +osbs_koji_root: '' +osbs_pulp_registry_name: '' +osbs_pulp_secret_name: pulpsecret +osbs_registry_api_versions: +- v1 +- v2 +osbs_registry_secret_name: v2-registry-dockercfg +osbs_registry_uri: '' +osbs_source_registry_uri: '' +osbs_build_json_dir: /usr/share/osbs +osbs_sources_command: rhpkg sources +osbs_vendor: Red Hat, Inc. +osbs_nodeselector: '' diff --git a/roles/osbs-namespace/meta/main.yml b/roles/osbs-namespace/meta/main.yml new file mode 100644 index 0000000000..98c9c543be --- /dev/null +++ b/roles/osbs-namespace/meta/main.yml @@ -0,0 +1,12 @@ +# Standards: 1.8 +galaxy_info: + author: Luiz Carvalho + description: setup OpenShift namespace for OSBS usage + company: Red Hat, Inc. + license: BSD + min_ansible_version: 2.1 + platforms: + name: EL + versions: + - 7 +dependencies: [] diff --git a/roles/osbs-namespace/tasks/main.yml b/roles/osbs-namespace/tasks/main.yml new file mode 100644 index 0000000000..e5670bda0a --- /dev/null +++ b/roles/osbs-namespace/tasks/main.yml @@ -0,0 +1,192 @@ +--- +# Create namespace +- name: create osbs namespace + command: oc new-project {{ osbs_namespace }} + register: new_project + failed_when: new_project.rc != 0 and ('already exists' not in new_project.stderr) + changed_when: new_project.rc == 0 + environment: "{{ osbs_environment }}" + tags: + - oc + +# Setup service account +- name: copy service accounts + template: + src: openshift-serviceaccount.yml.j2 + dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-serviceaccount-{{ item }}.yml" + with_items: "{{ osbs_service_accounts }}" + register: yaml_sa + tags: + - oc + +- name: import service accounts + command: > + oc create + --namespace={{ osbs_namespace }} + --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-serviceaccount-{{ item.item }}.yml + register: service_account_import + failed_when: service_account_import.rc != 0 and ('already exists' not in service_account_import.stderr) + environment: "{{ osbs_environment }}" + with_items: "{{ yaml_sa.results | default([]) }}" + when: item.changed + tags: + - oc + +# Setup policy binding +- name: query policybinding + command: oc get policybinding {{ osbs_namespace }}:default --namespace {{ osbs_namespace }} + environment: "{{ osbs_environment }}" + register: policybinding_query + failed_when: policybinding_query.rc != 0 and ('not found' not in policybinding_query.stderr) + changed_when: false + when: osbs_is_admin + tags: + - oc + +- name: create a policybinding + command: oc create policybinding {{ osbs_namespace }} --namespace {{ osbs_namespace }} + environment: "{{ osbs_environment }}" + when: "osbs_is_admin and 'not found' in policybinding_query.stderr" + tags: + - oc + +# Setup role +- name: copy role + template: + src: role-osbs-custom-build.yml.j2 + dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-role-osbs-custom-build.yml" + environment: "{{ osbs_environment }}" + register: yaml_role + when: osbs_is_admin + tags: + - oc + +- name: import role + command: > + oc replace + --namespace={{ osbs_namespace }} + --force=true + --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-role-osbs-custom-build.yml + environment: "{{ osbs_environment }}" + when: yaml_role.changed + tags: + - oc + +# Setup role bindings +- name: copy role bindings + template: + src: "openshift-rolebinding.{{ item.yaml_version | default('v2') }}.yml.j2" + dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-rolebinding-{{ item.name }}.yml" + with_items: + + - name: osbs-readonly + role: view + yaml_version: v1 + users: "{{ osbs_readonly_users }}" + groups: "{{ osbs_readonly_groups }}" + + - name: osbs-readwrite + role: edit + yaml_version: v1 + users: "{{ osbs_readwrite_users }}" + groups: "{{ osbs_readwrite_groups }}" + + - name: osbs-admin + role: admin + yaml_version: v1 + users: "{{ osbs_admin_users }}" + groups: "{{ osbs_admin_groups }}" + + - name: osbs-custom-build-readwrite + role: osbs-custom-build + yaml_version: v1 + role_namespace: "{{ osbs_namespace }}" + users: "{{ osbs_readwrite_users }}" + groups: "{{ osbs_readwrite_groups }}" + + - name: osbs-custom-build-admin + role: osbs-custom-build + yaml_version: v1 + role_namespace: "{{ osbs_namespace }}" + users: "{{ osbs_admin_users }}" + groups: "{{ osbs_admin_groups }}" + + - name: osbs-readwrite-serviceaccounts + role: edit + serviceaccounts: "{{ osbs_service_accounts }}" + + - name: osbs-custom-build-serviceaccounts + role: osbs-custom-build + role_namespace: "{{ osbs_namespace }}" + serviceaccounts: "{{ osbs_service_accounts }}" + + register: yaml_rolebindings + when: osbs_is_admin + tags: + - oc + +- name: import the role bindings + command: > + oc replace + --namespace={{ osbs_namespace }} + --force=true + --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-rolebinding-{{ item.item.name }}.yml + environment: "{{ osbs_environment }}" + with_items: "{{ yaml_rolebindings.results }}" + when: item.changed + tags: + - oc + +- name: copy cpu limitrange + template: + src: openshift-limitrange.yml.j2 + dest: "{{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-limitrange.yml" + when: osbs_cpu_limitrange and osbs_is_admin + register: yaml_limitrange + tags: + - oc + +- name: import cpu limitrange + command: > + oc replace + --namespace={{ osbs_namespace }} + --force=true + --filename={{ osbs_openshift_home }}/{{ inventory_hostname }}-{{ osbs_namespace }}-limitrange.yml + environment: "{{ osbs_environment }}" + when: yaml_limitrange.changed + tags: + - oc + +- name: delete cpu limitrange + command: > + oc delete + --namespace={{ osbs_namespace }} + --ignore-not-found=true + limitrange cpureq + environment: "{{ osbs_environment }}" + when: not osbs_cpu_limitrange and osbs_is_admin + tags: + - oc + +- name: get nodeselector value + command: > + oc get namespace {{ osbs_namespace }} -o go-template + --template={% raw %}'{{index .metadata.annotations "openshift.io/node-selector"}}'{% endraw %} + environment: "{{ osbs_environment }}" + register: node_selector_value + when: osbs_nodeselector != '' + changed_when: false + tags: + - oc + +- name: set default node selector + command: > + oc patch namespace {{ osbs_namespace }} + -p '{"metadata":{"annotations":{"openshift.io/node-selector": "{{ osbs_nodeselector }}"}}}' + environment: "{{ osbs_environment }}" + when: osbs_nodeselector != '' and osbs_nodeselector != node_selector_value.stdout + tags: + - oc + +- include: orchestrator.yml + when: osbs_orchestrator diff --git a/roles/osbs-namespace/tasks/orchestrator.yml b/roles/osbs-namespace/tasks/orchestrator.yml new file mode 100644 index 0000000000..67a2ecbf55 --- /dev/null +++ b/roles/osbs-namespace/tasks/orchestrator.yml @@ -0,0 +1,18 @@ +--- +- name: generate reactor config secret + local_action: > + template + src=reactor-config-secret.yml.j2 + dest="{{ osbs_generated_config_path }}/{{ osbs_namespace }}-reactor-config-secret.yml" + register: yaml_reactor_config_secret + tags: + - oc + +- name: generate client config secret + local_action: > + template + src=client-config-secret.conf.j2 + dest="{{ osbs_generated_config_path }}/{{ osbs_namespace }}-client-config-secret.conf" + register: yaml_client_config_secret + tags: + - oc diff --git a/roles/osbs-namespace/templates/client-config-secret.conf.j2 b/roles/osbs-namespace/templates/client-config-secret.conf.j2 new file mode 100644 index 0000000000..1d922bdd56 --- /dev/null +++ b/roles/osbs-namespace/templates/client-config-secret.conf.j2 @@ -0,0 +1,53 @@ +[general] +build_json_dir = {{ osbs_build_json_dir }} + +{% for platform, clusters in osbs_worker_clusters.iteritems() %} +{% for cluster in clusters | default([]) %} +[{{ cluster.name }}] +namespace = {{ cluster.namespace | default('worker') }} +openshift_url = {{ cluster.openshift_url }} +token_file = /var/run/secrets/atomic-reactor/{{ cluster.name | replace('_', '-') }}-orchestrator/token +use_auth = {{ cluster.use_auth | default('true') }} +verify_ssl = {{ cluster.verify_ssl | default('true') }} +low_priority_node_selector = {{ cluster.low_priority_node_selector | default('') }} + +authoritative_registry = {{ osbs_authoritative_registry }} +distribution_scope = {{ osbs_distribution_scope }} + +# Koji integration +{% if osbs_koji_secret_name %} +koji_certs_secret = {{ osbs_koji_secret_name }} +{% endif %} +{% if osbs_koji_hub %} +koji_hub = {{ osbs_koji_hub }} +{% endif %} +{% if osbs_koji_root %} +koji_root = {{ osbs_koji_root }} +{% endif %} + +# Pulp integration +{% if osbs_pulp_registry_name %} +pulp_registry_name = {{ osbs_pulp_registry_name }} +{% endif %} +{% if osbs_pulp_secret_name %} +pulp_secret = {{ osbs_pulp_secret_name }} +{% endif %} + +# Distribution registry integration +{% if osbs_registry_api_versions %} +registry_api_versions = {{ osbs_registry_api_versions | join(',') }} +{% endif %} +{% if osbs_registry_secret_name %} +registry_secret = {{ osbs_registry_secret_name }} +{% endif %} +{% if osbs_registry_uri %} +registry_uri = {{ osbs_registry_uri }} +{% endif %} + +{% if osbs_source_registry_uri %} +source_registry_uri = {{ osbs_source_registry_uri }} +{% endif %} +sources_command = {{ osbs_sources_command }} +vendor = {{ osbs_vendor }} +{% endfor %} +{% endfor %} diff --git a/roles/osbs-namespace/templates/openshift-limitrange.yml.j2 b/roles/osbs-namespace/templates/openshift-limitrange.yml.j2 new file mode 100644 index 0000000000..0c15dcee2b --- /dev/null +++ b/roles/osbs-namespace/templates/openshift-limitrange.yml.j2 @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: LimitRange +metadata: + name: cpureq + namespace: {{ osbs_namespace }} +spec: + limits: + - type: Container + defaultRequest: + cpu: {{ osbs_cpu_limitrange }} diff --git a/roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2 b/roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2 new file mode 100644 index 0000000000..2b0648b588 --- /dev/null +++ b/roles/osbs-namespace/templates/openshift-rolebinding.v1.yml.j2 @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: RoleBinding +metadata: + name: {{ item.name }} + namespace: {{ osbs_namespace }} + +roleRef: + name: {{ item.role }} + namespace: {{ item.role_namespace | default() }} + +userNames: +{% for u in item.users | default([]) %} +- {{ u }} +{% endfor %} + +groupNames: +{% for g in item.groups | default([]) %} +- {{ g }} +{% endfor %} diff --git a/roles/osbs-namespace/templates/openshift-rolebinding.v2.yml.j2 b/roles/osbs-namespace/templates/openshift-rolebinding.v2.yml.j2 new file mode 100644 index 0000000000..c95e8da8a2 --- /dev/null +++ b/roles/osbs-namespace/templates/openshift-rolebinding.v2.yml.j2 @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: RoleBinding +metadata: + name: {{ item.name }} + namespace: {{ osbs_namespace }} + +roleRef: + name: {{ item.role }} + namespace: {{ item.role_namespace | default() }} + +subjects: + +{% for sa in item.serviceaccounts | default([]) %} +- kind: 'ServiceAccount' + namespace: {{ osbs_namespace }} + name: {{ sa }} +{% endfor %} + +{% for u in item.users | default([]) %} +- kind: 'User' + namespace: {{ osbs_namespace }} + name: {{ u }} +{% endfor %} + +{% for g in item.groups | default([]) %} +- kind: 'Group' + namespace: {{ osbs_namespace }} + name: {{ g }} +{% endfor %} diff --git a/roles/osbs-namespace/templates/openshift-serviceaccount.yml.j2 b/roles/osbs-namespace/templates/openshift-serviceaccount.yml.j2 new file mode 100644 index 0000000000..b4487391db --- /dev/null +++ b/roles/osbs-namespace/templates/openshift-serviceaccount.yml.j2 @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ item }} + namespace: {{ osbs_namespace }} diff --git a/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 b/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 new file mode 100644 index 0000000000..de71de7cdd --- /dev/null +++ b/roles/osbs-namespace/templates/reactor-config-secret.yml.j2 @@ -0,0 +1,13 @@ +--- +version: 1 +clusters: + +{% for platform, clusters in osbs_worker_clusters.iteritems() %} + {{ platform }}: +{% for cluster in clusters | default([]) %} + - name: {{ cluster.name }} + max_concurrent_builds: {{ cluster.max_concurrent_builds }} + enabled: {{ cluster.enabled | default(true) }} + +{% endfor %} +{% endfor %} diff --git a/roles/osbs-namespace/templates/role-osbs-custom-build.yml.j2 b/roles/osbs-namespace/templates/role-osbs-custom-build.yml.j2 new file mode 100644 index 0000000000..2a4b7f2bce --- /dev/null +++ b/roles/osbs-namespace/templates/role-osbs-custom-build.yml.j2 @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Role +metadata: + name: osbs-custom-build + namespace: {{ osbs_namespace }} +rules: + - verbs: + - create + resources: + - builds/custom diff --git a/roles/osbs-namespace/tests/files/dedicated-project-admin.yaml b/roles/osbs-namespace/tests/files/dedicated-project-admin.yaml new file mode 100644 index 0000000000..6cebcc1977 --- /dev/null +++ b/roles/osbs-namespace/tests/files/dedicated-project-admin.yaml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: ClusterRole +metadata: + name: dedicated-project-admin +rules: +- apiGroups: + - "" + attributeRestrictions: null + resources: + - limitranges + - resourcequotas + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - extensions + attributeRestrictions: null + resources: + - daemonsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- resources: + - builds/custom + verbs: + - create diff --git a/roles/osbs-namespace/tests/files/expected-client-config-secret.conf b/roles/osbs-namespace/tests/files/expected-client-config-secret.conf new file mode 100644 index 0000000000..7ac9c016f4 --- /dev/null +++ b/roles/osbs-namespace/tests/files/expected-client-config-secret.conf @@ -0,0 +1,49 @@ +[general] +build_json_dir = /usr/share/osbs + +[minimum] +namespace = worker +openshift_url = https://minimum-worker.test.redhat.com +token_file = /var/run/secrets/atomic-reactor/minimum-orchestrator/token +use_auth = true +verify_ssl = false +artifacts_allowed_domains = + +authoritative_registry = registry.access.redhat.com +distribution_scope = public + +# Koji integration +koji_certs_secret = kojisecret + +# Pulp integration +pulp_secret = pulpsecret + +# Distribution registry integration +registry_api_versions = v1,v2 +registry_secret = v2-registry-dockercfg + +sources_command = rhpkg sources +vendor = Red Hat, Inc. +[all_values] +namespace = spam +openshift_url = https://all_values-worker.test.redhat.com +token_file = /var/run/secrets/atomic-reactor/all-values-orchestrator/token +use_auth = false +verify_ssl = false +artifacts_allowed_domains = allowed.domain.com,also-allowed.domain.com + +authoritative_registry = registry.access.redhat.com +distribution_scope = public + +# Koji integration +koji_certs_secret = kojisecret + +# Pulp integration +pulp_secret = pulpsecret + +# Distribution registry integration +registry_api_versions = v1,v2 +registry_secret = v2-registry-dockercfg + +sources_command = rhpkg sources +vendor = Red Hat, Inc. diff --git a/roles/osbs-namespace/tests/group_vars/masters.yml b/roles/osbs-namespace/tests/group_vars/masters.yml new file mode 100644 index 0000000000..ac32cbd376 --- /dev/null +++ b/roles/osbs-namespace/tests/group_vars/masters.yml @@ -0,0 +1,17 @@ + +osbs_worker_clusters: + x86_64: + - name: 'minimum' + max_concurrent_builds: 1 + openshift_url: 'https://minimum-worker.test.redhat.com' + verify_ssl: 'false' + + - name: 'all_values' + namespace: 'spam' + max_concurrent_builds: 99 + openshift_url: 'https://all_values-worker.test.redhat.com' + verify_ssl: 'false' + use_auth: 'false' + artifacts_allowed_domains: + - allowed.domain.com + - also-allowed.domain.com diff --git a/roles/osbs-namespace/tests/test-inventory b/roles/osbs-namespace/tests/test-inventory new file mode 100644 index 0000000000..7ba4950f9a --- /dev/null +++ b/roles/osbs-namespace/tests/test-inventory @@ -0,0 +1,2 @@ +[masters] +test-host ansible_connection=local ansible_become=false diff --git a/roles/osbs-namespace/tests/test.yml b/roles/osbs-namespace/tests/test.yml new file mode 100644 index 0000000000..2c9759eeff --- /dev/null +++ b/roles/osbs-namespace/tests/test.yml @@ -0,0 +1,313 @@ +# Standards: 1.8 +--- +# Run playbook +# ansible-playbook -i test-inventory test.yml +# During active development, you can re-use the same +# environment setup: +# ansible-playbook -i test-inventory test.yml --skip-tags 'environment-setup' +- name: setup environment + hosts: masters + tasks: + - name: cleanup existing cluster + command: > + oc cluster down + register: cmd_cluster_down + changed_when: cmd_cluster_down.rc == 0 + + - name: bring up new cluster + command: > + oc cluster up + --version v3.4.1.10 + --image registry.access.redhat.com/openshift3/ose + register: cmd_cluster_up + changed_when: cmd_cluster_up.rc == 0 + + - name: login as admin + command: > + oc login -u system:admin + register: cmd_login_admin + changed_when: cmd_login_admin.rc == 0 + + - name: cleanup tmp folder + file: + path: tmp + state: absent + + - name: setup tmp folder + file: + path: tmp + state: directory + + tags: + - environment-setup + +- name: setup worker namespace + hosts: masters + roles: + - role: "{{ playbook_dir }}/../." + osbs_kubeconfig_path: "{{ lookup('env','HOME') }}/.kube/config" + osbs_openshift_home: tmp + osbs_namespace: test-worker + osbs_nodeselector: "worker=true" + osbs_service_accounts: + - orchestrator + +- name: test worker namespace + hosts: masters + tasks: + - name: namespace worker created + command: > + oc get project test-worker + changed_when: false + + - name: orchestrator service account created in worker namespace + command: > + oc -n test-worker get serviceaccount orchestrator + changed_when: false + + - name: policy binding created + command: > + oc -n test-worker get policybinding ':default' + changed_when: false + + - name: custom builds roles created + command: > + oc -n test-worker get role osbs-custom-build + changed_when: false + + - name: expected rolebindings created in worker namespace + command: > + oc -n test-worker get rolebinding {{ item }} + with_items: + - osbs-admin + - osbs-admin + - osbs-custom-build-admin + - osbs-custom-build-readwrite + - osbs-custom-build-serviceaccounts + - osbs-readonly + - osbs-readwrite + - osbs-readwrite-serviceaccounts + changed_when: false + + - name: nodeselector exists + shell: > + oc get namespace test-worker -o json |grep 'node-selector' + register: node_selector_exists + failed_when: "'node-selector' not in node_selector_exists.stdout" + +- name: setup orchestrator namespace + hosts: masters + tags: + orchestrator + roles: + - role: "{{ playbook_dir }}/../." + osbs_kubeconfig_path: "{{ lookup('env','HOME') }}/.kube/config" + osbs_openshift_home: tmp + osbs_generated_config_path: tmp + osbs_namespace: test-orchestrator + osbs_orchestrator: true + +- name: test orchestrator namespace + hosts: masters + tags: + orchestrator + tasks: + - name: reactor config secret generated + stat: + path: tmp/test-orchestrator-reactor-config-secret.yml + register: stat_reactor_config_secret + changed_when: false + + - name: fail if reactor config secret was generated + fail: + msg: Reactor config secret file not created! + when: not stat_reactor_config_secret.stat.exists + + - name: client-config-secret was generated properly + command: > + diff {{ playbook_dir }}/files/expected-client-config-secret.conf + {{ playbook_dir }}/tmp/test-orchestrator-client-config-secret.conf + changed_when: false + + +- name: setup namespace as non admin + hosts: masters + pre_tasks: + - name: Login with non cluster admin account + command: > + oc login -u non-admin -p non-admin + register: cmd_login_non_admin + changed_when: cmd_login_non_admin.rc == 0 + roles: + - role: "{{ playbook_dir }}/../." + osbs_kubeconfig_path: "{{ lookup('env','HOME') }}/.kube/config" + osbs_openshift_home: tmp + osbs_namespace: test-non-admin + osbs_is_admin: false + osbs_service_accounts: + - orchestrator + post_tasks: + - name: Log back in with cluster admin account + command: > + oc login -u system:admin + register: cmd_login_admin + changed_when: cmd_login_admin.rc == 0 + +- name: test non-admin namespace + hosts: masters + tasks: + - name: namespace non-admin created + command: > + oc get project test-non-admin + changed_when: false + + - name: orchestrator service account created in non-admin namespace + command: > + oc -n test-non-admin get serviceaccount orchestrator + changed_when: false + + - name: custom builds roles NOT created in non-admin namespace + command: > + oc -n test-non-admin get role osbs-custom-build + register: cmd_role + failed_when: "'No resources found' not in cmd_role.stderr" + changed_when: false + + - name: custom rolebindings NOT created in non-admin namespace + command: > + oc -n test-non-admin get rolebinding {{ item }} + register: cmd_rolebinding + failed_when: "'No resources found' not in cmd_rolebinding.stderr" + with_items: + - osbs-admin + - osbs-admin + - osbs-custom-build-admin + - osbs-custom-build-readwrite + - osbs-custom-build-serviceaccounts + - osbs-readonly + - osbs-readwrite + - osbs-readwrite-serviceaccounts + changed_when: false + +- name: create limitrange namespace + hosts: masters + roles: + - role: "{{ playbook_dir }}/../." + osbs_kubeconfig_path: "{{ lookup('env','HOME') }}/.kube/config" + osbs_openshift_home: tmp + osbs_namespace: test-limitrange + osbs_cpu_limitrange: '100m' + +- name: test limitrange namespace + hosts: masters + tasks: + - name: namespace limitrange created + command: > + oc get project test-limitrange + changed_when: false + + - name: limitrange created + command: > + oc -n test-limitrange get limitrange cpureq + changed_when: false + +- name: update limitrange namespace + hosts: masters + roles: + - role: "{{ playbook_dir }}/../." + osbs_kubeconfig_path: "{{ lookup('env','HOME') }}/.kube/config" + osbs_openshift_home: tmp + osbs_namespace: test-limitrange + # No osbs_cpu_limitrage provided should trigger removal + +- name: test updated limitrange namespace + hosts: masters + tasks: + - name: limitrange deleted + command: > + oc -n test-limitrange get limitrange cpureq + register: cmd_limitrange + failed_when: "'No resources found' not in cmd_limitrange.stderr" + changed_when: false + +- name: setup policybinding dedicated-admin namespace + hosts: masters + pre_tasks: + - name: login as admin + command: > + oc login -u system:admin + register: cmd_login_admin + changed_when: cmd_login_admin.rc == 0 + - name: Create dedicated-poject-admin clusterrole + command: > + oc create -f {{ playbook_dir }}/files/dedicated-project-admin.yaml + register: cmd_create_clusterrole + changed_when: cmd_create_clusterrole.rc == 0 + - name: Create the namespace as cluster admin + command: > + oc new-project test-policybinding-dedicated-admin + register: cmd_pre_create_namespace + changed_when: cmd_pre_create_namespace.rc == 0 + - name: Create dedicated-admin user + command: > + oc -n test-policybinding-dedicated-admin + create user dedicated-admin + register: cmd_create_user + changed_when: cmd_create_user.rc == 0 + - name: Add dedicated-project-admin role to dedicated-admin + command: > + oc -n test-policybinding-dedicated-admin + policy add-role-to-user dedicated-project-admin dedicated-admin + register: cmd_role_dedicated_project_admin + changed_when: cmd_role_dedicated_project_admin.rc == 0 + - name: Create policybinding as cluster admin + command: > + oc -n test-policybinding-dedicated-admin + create policybinding test-policybinding-dedicated-admin + register: cmd_pre_create_policybinding + changed_when: cmd_pre_create_policybinding.rc == 0 + # This is only needed because the project was created + # by a different user: system:admin. + - name: Give dedicated-admin user project admin access + command: > + oc -n test-policybinding-dedicated-admin + adm policy add-role-to-user admin dedicated-admin + register: cmd_role_project_admin + changed_when: cmd_role_project_admin.rc == 0 + - name: Login with non cluster admin account + command: > + oc login -u dedicated-admin -p dedicated-admin + register: cmd_login_dedicated_admin + changed_when: cmd_login_dedicated_admin.rc == 0 + roles: + - role: "{{ playbook_dir }}/../." + osbs_kubeconfig_path: "{{ lookup('env','HOME') }}/.kube/config" + osbs_openshift_home: tmp + osbs_namespace: test-policybinding-dedicated-admin + osbs_is_admin: true + osbs_service_accounts: + - orchestrator + post_tasks: + - name: Log back in with cluster admin account + command: > + oc login -u system:admin + register: cmd_login_admin + changed_when: cmd_login_admin.rc == 0 + +- name: test policybinding dedicated-admin namespace + hosts: masters + tasks: + - name: custom rolebindings created in dedicated-admin namespace + command: > + oc -n test-policybinding-dedicated-admin get rolebinding {{ item }} + register: cmd_rolebinding + with_items: + - osbs-admin + - osbs-admin + - osbs-custom-build-admin + - osbs-custom-build-readwrite + - osbs-custom-build-serviceaccounts + - osbs-readonly + - osbs-readwrite + - osbs-readwrite-serviceaccounts + changed_when: false diff --git a/roles/osbs-secret/README.md b/roles/osbs-secret/README.md new file mode 100644 index 0000000000..e59fab6a79 --- /dev/null +++ b/roles/osbs-secret/README.md @@ -0,0 +1,70 @@ +osbs-secret +=========== + +This role imports various secrets, such as Pulp or Koji certificates, from +filesystem into OpenShift. See the [OSBS +documentation](https://github.com/projectatomic/osbs-client/blob/master/docs/secret.md) +for more information. + +This role is part of +[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for +deploying OpenShift build service. Please refer to that github repository for +[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md) +and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues). + +Role Variables +-------------- + +The role imports the keys from the machine running ansible. You have to provide +`osbs_secret_files` list, which enumerates what files to import. Elements of +the list are dictionaries with two keys: `source` and `dest`. Source is the +location of the file on the machine where ansible is run. Dest is the filename +of the secret. + + osbs_secret_files: + - source: /home/user/.pulp/pulp.cer + dest: pulp.cer + - source: /home/user/.pulp/pulp.key + dest: pulp.key + +The name of the secret in OpenShift is defined by the `osbs_secret_name` +variable. + + osbs_secret_name: pulpsecret + +The secret has to be associated with a service account. This service account +can be set by the `osbs_secret_service_account` variable. + + osbs_secret_service_account: builder + +We need a kubeconfig file on the remote machine in order to talk to OpenShift. +Its location is contained in the `pulp_secret_kubeconfig`. + + osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig + +Example Playbook +---------------- + +Following playbook imports the keys from my home directory on the machine where +ansible is executed. You may need to run something like this after the current +set of keys expires. + + - hosts: builders + roles: + - role: osbs-secret + osbs_secret_name: pulpsecret + osbs_secret_files: + - source: /home/mmilata/.pulp/pulp.cer + dest: pulp.cer + - source: {{ pulp_secret_local_dir }}/pulp.key + dest: pulp.key + +License +------- + +BSD + +Author Information +------------------ + +Martin Milata <mmilata@redhat.com> diff --git a/roles/osbs-secret/defaults/main.yml b/roles/osbs-secret/defaults/main.yml new file mode 100644 index 0000000000..0e317c61fc --- /dev/null +++ b/roles/osbs-secret/defaults/main.yml @@ -0,0 +1,17 @@ +--- +osbs_secret_name: pulpsecret +osbs_secret_type: Opaque +osbs_secret_service_account: builder +osbs_secret_remote_dir: /var/lib/origin +osbs_secret_can_fail: false + +osbs_secret_files: +- source: /home/user/.pulp/pulp.cer + dest: pulp.cer +- source: /home/user/.pulp/pulp.key + dest: pulp.key + +osbs_namespace: default +osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig +osbs_environment: + KUBECONFIG: "{{ osbs_kubeconfig_path }}" diff --git a/roles/osbs-secret/handlers/main.yml b/roles/osbs-secret/handlers/main.yml new file mode 100644 index 0000000000..b3c0f8a4fa --- /dev/null +++ b/roles/osbs-secret/handlers/main.yml @@ -0,0 +1,22 @@ +--- +- name: import osbs secret + command: > + oc replace + --namespace={{ osbs_namespace }} + --force=true + --filename={{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml + environment: "{{ osbs_environment }}" + notify: allow service account + +- name: allow service account + command: > + oc secrets + add serviceaccount/{{ osbs_secret_service_account }} secrets/{{ osbs_secret_name }} + --for=mount + --namespace={{ osbs_namespace }} + environment: "{{ osbs_environment }}" + +- name: delete secret resource file + file: + path: "{{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml" + state: absent diff --git a/roles/osbs-secret/meta/main.yml b/roles/osbs-secret/meta/main.yml new file mode 100644 index 0000000000..c8d34fb335 --- /dev/null +++ b/roles/osbs-secret/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + author: Martin Milata + description: Import secrets from local filesystem into OpenShift. + company: Red Hat + issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues + license: BSD + min_ansible_version: 1.2 + platforms: + - name: EL + versions: + - 7 + - name: Fedora + versions: + - 21 + - 22 + categories: + - cloud + - development + - packaging +dependencies: [] diff --git a/roles/osbs-secret/tasks/main.yml b/roles/osbs-secret/tasks/main.yml new file mode 100644 index 0000000000..c1428406bd --- /dev/null +++ b/roles/osbs-secret/tasks/main.yml @@ -0,0 +1,40 @@ +--- +- set_fact: + osbs_secret_files_exist: true + tags: + - oc + +- set_fact: + osbs_secret_files_exist: false + when: lookup('file', lookup('first_found', [item.source, '/dev/null'])) == '' + with_items: "{{ osbs_secret_files }}" + tags: + - oc + +- fail: + msg: Some of the source secret files do not exist (and osbs_secret_can_fail is false) + when: not (osbs_secret_files_exist or osbs_secret_can_fail) + tags: + - oc + +- debug: + msg: Some of the source secret files do not exist, skipping import + when: not osbs_secret_files_exist + tags: + - oc + +- name: create secrets resource file + template: + src: openshift-secret.yml.j2 + dest: "{{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml" + mode: "0600" + when: osbs_secret_files_exist + notify: + - import osbs secret + - delete secret resource file + tags: + - oc + +- meta: flush_handlers + tags: + - oc diff --git a/roles/osbs-secret/templates/openshift-secret.yml.j2 b/roles/osbs-secret/templates/openshift-secret.yml.j2 new file mode 100644 index 0000000000..2b08c05b12 --- /dev/null +++ b/roles/osbs-secret/templates/openshift-secret.yml.j2 @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: {{ osbs_secret_name }} +type: {{ osbs_secret_type }} +data: +{% for f in osbs_secret_files %} + {{ f.dest }}: {{ lookup('file', f.source) | b64encode }} +{% endfor %} +