From 2d3951e5b01b151fce787e0f7339d90d6c4bd26d Mon Sep 17 00:00:00 2001
From: Adam Miller
Date: Wed, 7 Dec 2016 04:03:26 +0000
Subject: [PATCH] Switch OSBS Prod to osbs-cluster
- remove osbs-master and osbs-node playbooks
- add osbs production hosts to osbs-cluster playbook
- migrate osbs production buildroot Dockerfile to j2 template (like we have in staging)
- add infrastructure repo to buildroot dir and Dockerfile
Signed-off-by: Adam Miller
---
 files/osbs/buildroot-Dockerfile-production | 7 -
 files/osbs/buildroot-Dockerfile-production.j2 | 9 +
 files/osbs/buildroot-Dockerfile-staging.j2 | 1 +
 playbooks/groups/osbs-cluster.yml | 82 +++-
 playbooks/groups/osbs-master.yml | 428 ------------------
 playbooks/groups/osbs-node.yml | 423 -----------------
 6 files changed, 85 insertions(+), 865 deletions(-)
 delete mode 100644 files/osbs/buildroot-Dockerfile-production
 create mode 100644 files/osbs/buildroot-Dockerfile-production.j2
 delete mode 100644 playbooks/groups/osbs-master.yml
 delete mode 100644 playbooks/groups/osbs-node.yml
diff --git a/files/osbs/buildroot-Dockerfile-production b/files/osbs/buildroot-Dockerfile-production
deleted file mode 100644
index 51c1a75bec..0000000000
--- a/files/osbs/buildroot-Dockerfile-production
+++ /dev/null
@@ -1,7 +0,0 @@
-FROM fedora:latest
-RUN dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash
-ADD ./atomic-reactor.tar.gz /tmp/
-RUN cd /tmp/atomic-reactor-*/ && python setup.py install
-ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt
-RUN update-ca-trust
-CMD ["atomic-reactor", "--verbose", "inside-build"]
diff --git a/files/osbs/buildroot-Dockerfile-production.j2 b/files/osbs/buildroot-Dockerfile-production.j2
new file mode 100644
index 0000000000..f8a895b0c8
--- /dev/null
+++ b/files/osbs/buildroot-Dockerfile-production.j2
@@ -0,0 +1,9 @@
+FROM fedora:latest
+ADD ./infrastructure.repo /etc/yum.repos.d/infrastructure.repo
+RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor*
+RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf
+ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/
+ADD ./ca.crt /etc/pki/ca-trust/source/anchors/osbs.ca.crt
+RUN update-ca-trust
+CMD ["python2", "/usr/bin/atomic-reactor", "--verbose", "inside-build"]
+
diff --git a/files/osbs/buildroot-Dockerfile-staging.j2 b/files/osbs/buildroot-Dockerfile-staging.j2
index 6c3bfd9709..b1ff269eda 100644
--- a/files/osbs/buildroot-Dockerfile-staging.j2
+++ b/files/osbs/buildroot-Dockerfile-staging.j2
@@ -1,4 +1,5 @@
 FROM fedora:latest
+ADD ./infrastructure.repo /etc/yum.repos.d/infrastructure.repo
 RUN curl -o /etc/yum.repos.d/maxamillion-atomic-reactor-copr.repo https://copr.fedorainfracloud.org/coprs/maxamillion/atomic-reactor/repo/fedora-24/maxamillion-atomic-reactor-fedora-24.repo
 RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-docker-py python-setuptools e2fsprogs koji python-backports-lzma osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor*
 RUN sed -i 's|.*default_ccache_name.*| default_ccache_name = DIR:/tmp/ccache_%{uid}|g' /etc/krb5.conf
diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml
index 336a29907c..a1fbf39cab 100644
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@@ -54,7 +54,7 @@ line: "pipelining = True" - name: Setup cluster hosts pre-reqs - hosts: osbs-masters-stg:osbs-nodes-stg + hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-cluster-prereq user: root
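Review bot: `ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/` bakes a Kerberos keytab into an image layer of the buildroot, so anyone who can read the image (a `docker save`, the history of any pushed copy, or a shell inside any container started from it) can recover the credential, and the file lands in /etc/ with whatever mode the build context gave it. If the buildroot is only ever built and consumed on the same node this may be acceptable, but supplying the keytab to the build container at run time (a bind mount or secret) keeps it out of the layer history entirely; a follow-up `RUN chmod 0600 /etc/krb5.osbs_{{osbs_url}}.keytab` would only narrow who can read it inside the running container, since the earlier layer still holds the original copy. Lesser points for the same file, shared with the staging.j2 hunk below: `FROM fedora:latest` and the `python-atomic-reactor*` glob make the buildroot non-reproducible (pin a release tag and a package version), and the local-file `ADD` lines do nothing `COPY` would not, so `COPY` is the clearer instruction.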
@@ -158,10 +158,29 @@ when: env == 'staging', tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] } + - { + role: ansible-ansible-openshift-ansible, + cluster_inventory_filename: "cluster-inventory", + openshift_htpasswd_file: "/etc/origin/htpasswd", + openshift_master_public_api_url: "https://{{ osbs_url }}:8443", + openshift_release: "v1.3", + openshift_ansible_path: "/root/openshift-ansible", + openshift_ansible_playbook: "playbooks/byo/config.yml", + openshift_ansible_version: "openshift-ansible-3.3.41-1", + openshift_cluster_masters_group: "osbs-masters-stg", + openshift_cluster_nodes_group: "osbs-nodes-stg", + openshift_named_certificates: [{ + cert_file: "named_certificates/{{osbs_url}}.pem", + key_file: "named_certificates/{{osbs_url}}.key", + names: [ "{{osbs_url}}" ], + }], + when: env == 'production', + tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] + } - name: Setup OSBS requirements for OpenShift cluster hosts - hosts: osbs-masters-stg:osbs-nodes-stg + hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-cluster-req user: root
@@ -211,7 +230,7 @@ dest: "/etc/dnsmasq.d/fedora-dns.conf" - name: Setup requirements for OpenShift master - hosts: osbs-masters-stg + hosts: osbs-masters-stg:osbs-masters tags: - osbs-master-req user: root
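Review bot: The production entry added to the ansible-ansible-openshift-ansible roles still sets `openshift_cluster_masters_group: "osbs-masters-stg"` and `openshift_cluster_nodes_group: "osbs-nodes-stg"`, which looks like a copy of the staging entry left unedited: under `when: env == 'production'` the generated cluster inventory would target the staging host groups instead of the `osbs-masters`/`osbs-nodes` groups this same commit adds to the `hosts:` lines. Presumably these should read `openshift_cluster_masters_group: "osbs-masters"` and `openshift_cluster_nodes_group: "osbs-nodes"`; worth confirming before the play runs against production, since the openshift-ansible run would otherwise reconfigure the staging cluster from a production host. The roles list this entry belongs to starts before the hunk.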
@@ -293,9 +312,29 @@ osbs_docker_registry_storage: "/opt/openshift-registry", when: env == "staging" } + - { + role: osbs-on-openshift, + osbs_openshift_home: "/var/lib/origin", + osbs_namespace: "default", + osbs_namespace_create: "false", + osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig", + osbs_environment: [ + KUBECONFIG: "{{ osbs_kubeconfig_path }}" + ], + osbs_service_accounts: [], + osbs_readonly_users: [], + osbs_readonly_groups: [], + osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"], + osbs_readwrite_groups: [ "system:authenticated"], + osbs_admin_users: [], + osbs_admin_groups: [], + osbs_docker_registry: false, + osbs_docker_registry_storage: "/opt/openshift-registry", + when: env == "production" + } - name: Manage docker images and image stream - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] tags: - osbs-post-install - manage-docker-images
@@ -369,7 +408,7 @@ creates: /etc/origin/fedoraimagestreamcreated - name: post-install master host osbs tasks - hosts: osbs-masters-stg + hosts: osbs-masters-stg:osbs-masters tags: - osbs-post-install vars_files:
@@ -424,7 +463,7 @@ - name: post-install osbs tasks - hosts: osbs-masters-stg:osbs-nodes-stg + hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-post-install vars_files:
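Review bot: In the production osbs-on-openshift entry the path is declared as `osbs_kubeconf_path` while `osbs_environment` reads `{{ osbs_kubeconfig_path }}`; unless `osbs_kubeconfig_path` is defined elsewhere (role defaults or a vars file, which this hunk cannot show) KUBECONFIG is rendered from an undefined variable, so either rename the key to `osbs_kubeconfig_path` or point the environment at `{{ osbs_kubeconf_path }}`. The staging entry above it is almost entirely outside the hunk, so it is worth checking for the same mismatch. Separately, `osbs_readwrite_groups: [ "system:authenticated"]` grants every authenticated user of the production cluster read-write access to the `default` namespace even though the explicit user list is just the koji account; if only koji needs to submit builds, an empty group list with `osbs_readwrite_users` is the narrower grant, and if the group really is required a one-line comment saying why would spare the next reviewer the same question. The roles list containing these entries starts before the hunk.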
@@ -496,6 +535,31 @@ notify: - buildroot container + - name: stat infra repofile + stat: + path: "/etc/yum.repos.d/infrastructure.repo" + register: infra_repo_stat + + - name: stat /etc/osbs/buildroot/ infra repofile + stat: + path: "/etc/osbs/buildroot/infrastructure.repo" + register: etcosbs_infra_repo_stat + + - name: remove old hardlink to /etc/osbs/buildroot/ infra repofile + file: + path: "/etc/osbs/buildroot/infrastructure.repo" + state: absent + when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum + + - name: Hardlink repofile for buildroot container (because Docker) + file: + src: "/etc/yum.repos.d/infrastructure.repo" + dest: "/etc/osbs/buildroot/infrastructure.repo" + state: hard + notify: + - buildroot container + when: etcosbs_infra_repo_stat.stat.exists == false + - name: stat /etc/ keytab stat: path: "/etc/krb5.osbs_{{osbs_url}}.keytab"
@@ -552,7 +616,7 @@ - name: Post-Install image stream refresh - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] tags: - osbs-post-install vars_files:
@@ -566,3 +630,7 @@ shell: "oc import-image fedora --all" when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed + - name: refresh fedora image streams + shell: "oc import-image fedora --all" + when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"]|changed +
diff --git a/playbooks/groups/osbs-master.yml b/playbooks/groups/osbs-master.yml
deleted file mode 100644
index 702ffb4a82..0000000000
--- a/playbooks/groups/osbs-master.yml
+++ /dev/null
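Review bot: The new `Hardlink repofile for buildroot container` task only fires on `etcosbs_infra_repo_stat.stat.exists == false`, but that result was registered before the preceding task removes a stale link, so on a run where the checksums differ the old link is deleted and nothing is recreated until the next run, leaving the buildroot build without its repofile in between. Widening the condition to `when: not etcosbs_infra_repo_stat.stat.exists or infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum` recreates the link in the same run, since the remove task has already cleared the mismatched file by then. Both conditions also assume `/etc/yum.repos.d/infrastructure.repo` is present on the host; if it is not, `infra_repo_stat.stat.checksum` is undefined and the remove task fails with a template error rather than a clear message, so guarding on `infra_repo_stat.stat.exists` first would make that failure mode explicit. The task list these belong to starts before the hunk.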
@@ -1,428 +0,0 @@ -# create an osbs server -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs:osbs-stg" - -- name: make the box be real - hosts: osbs:osbs-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - base - - rkhunter - - nagios/client - - hosts - - fas_client - - collectd/base - - rsyncd - - sudo - - { role: openvpn/client, - when: env != "staging" } - - tasks: - - include: "{{ tasks }}/yumrepos.yml" - - include: "{{ tasks }}/2fa_client.yml" - - include: "{{ tasks }}/motd.yml" - - handlers: - - include: "{{ handlers }}/restart_services.yml" - -- name: pre-install osbs tasks - hosts: osbs:osbs-stg - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - - name: cron entry to clean up docker storage - copy: - src: "{{files}}/osbs/cleanup-docker-storage" - dest: "/etc/cron.d/cleanup-docker-storage" - - - name: copy docker-storage-setup config - copy: - src: "{{files}}/osbs/docker-storage-setup" - dest: "/etc/sysconfig/docker-storage-setup" - - - name: create cert dir for openshift public facing REST API SSL - file: - path: "/etc/origin/master/named_certificates" - state: "directory" - - - name: install cert for openshift public facing REST API SSL - copy: - src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" - dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem" - - - name: install key for openshift public facing REST API SSL - copy: - src: "{{private}}/files/osbs/{{env}}/osbs-internal.key" - dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key" - - - name: ensure origin conf dir exists - file: - path: "/etc/origin" - state: "directory" - - - name: place htpasswd file - copy: - src: 
"{{private}}/files/httpd/osbs-{{env}}.htpasswd" - dest: /etc/origin/htpasswd - - roles: - - { - role: push-docker, - docker_cert_name: "containerbuild", - docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org", - when: env == "staging" - } - - { - role: push-docker, - docker_cert_name: "containerbuild", - docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org", - when: env == "production" - } - -- name: setup osbs - hosts: osbs:osbs-stg - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - osbs-atomic-reactor - - { - role: osbs-common, - osbs_manage_firewalld: false, - } - - osbs-install-openshift - - { - role: osbs-master, - osbs_openshift_loglevel: 2, - osbs_master_export_port: true, - osbs_manage_firewalld: false, - osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt', - osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key', - osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt', - osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt', - osbs_readonly_users: [], - osbs_readonly_groups: [], - osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ], - osbs_readwrite_groups: [], - osbs_admin_users: [], - osbs_admin_groups: [], - osbs_master_max_pods: 3, - osbs_update_packages: false, - osbs_image_gc_high_threshold: 90, - osbs_image_gc_low_threshold: 80, - osbs_identity_provider: "htpasswd_provider", - osbs_identity_htpasswd: { - name: htpasswd_provider, - challenge: true, - login: true, - provider_file: "/etc/origin/htpasswd" - }, - osbs_named_certificates: { - enabled: true, - cert_file: "named_certificates/{{osbs_url}}.pem", - key_file: "named_certificates/{{osbs_url}}.key", - names: [ "{{osbs_url}}" ], - }, - osbs_public_api_url: "{{osbs_url}}", - when: env == "staging" - } - - { - role: osbs-master, - osbs_openshift_loglevel: 2, - 
osbs_master_export_port: true, - osbs_manage_firewalld: false, - osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt', - osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key', - osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt', - osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt', - osbs_readonly_users: [], - osbs_readonly_groups: [], - osbs_readwrite_users: [ "{{ osbs_koji_prod_username }}" ], - osbs_readwrite_groups: [], - osbs_admin_users: [], - osbs_admin_groups: [], - osbs_master_max_pods: 3, - osbs_update_packages: false, - osbs_image_gc_high_threshold: 90, - osbs_image_gc_low_threshold: 80, - osbs_identity_provider: "htpasswd_provider", - osbs_identity_htpasswd: { - name: htpasswd_provider, - challenge: true, - login: true, - provider_file: "/etc/origin/htpasswd" - }, - osbs_named_certificates: { - enabled: true, - cert_file: "named_certificates/{{osbs_url}}.pem", - key_file: "named_certificates/{{osbs_url}}.key", - names: [ "{{osbs_url}}" ], - }, - osbs_public_api_url: "{{osbs_url}}", - when: env == "production" - } - - - { - role: osbs-client, - general: { - verbose: 0, - build_json_dir: '/usr/share/osbs/', - openshift_required_version: 1.1.0, - }, - default: { - username: "{{ osbs_koji_stg_username }}", - password: "{{ osbs_koji_stg_password }}", - koji_certs_secret: "koji", - openshift_url: 'https://{{osbs_url}}/', - registry_uri: 'https://{{docker_registry}}/v2', - source_registry_uri: 'https://{{source_registry}}/v2', - build_host: '{{osbs_url}}', - koji_root: 'https://{{koji_url}}/koji', - koji_hub: 'https://{{koji_url}}/kojihub', - sources_command: 'fedpkg sources', - build_type: 'prod', - authoritative_registry: 'registry.example.com', - vendor: 'Fedora Project', - verify_ssl: true, - use_auth: true, - builder_use_auth: true, - distribution_scope: 'private', - registry_api_versions: 'v2', - builder_openshift_url: 'https://172.17.0.1:8443/' - }, - when: env == "staging" - } - - { - role: osbs-client, - general: { - verbose: 0, - 
build_json_dir: '/usr/share/osbs/', - openshift_required_version: 1.1.0, - }, - default: { - username: "{{ osbs_koji_prod_username }}", - password: "{{ osbs_koji_prod_password }}", - koji_certs_secret: "koji", - openshift_url: 'https://{{osbs_url}}/', - registry_uri: 'https://{{docker_registry}}/v2', - source_registry_uri: 'https://{{source_registry}}/v2', - build_host: '{{osbs_url}}', - koji_root: 'https://{{koji_url}}/koji', - koji_hub: 'https://{{koji_url}}/kojihub', - sources_command: 'fedpkg sources', - build_type: 'prod', - authoritative_registry: 'registry.example.com', - vendor: 'Fedora Project', - verify_ssl: true, - use_auth: true, - builder_use_auth: true, - distribution_scope: 'private', - registry_api_versions: 'v2', - builder_openshift_url: 'https://172.17.0.1:8443/' - }, - when: env == "production" - } - -- name: post-install osbs tasks - hosts: osbs:osbs-stg - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - koji_pki_dir: /etc/pki/koji - koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" - koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" - koji_builder_user: dockerbuilder - osbs_builder_user: builder - - - handlers: - - name: buildroot container - shell: 'docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/' - - - name: oc secrets new - shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}" - environment: "{{ osbs_environment }}" - notify: oc secrets add - - - name: oc secrets add - shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount" - environment: "{{ osbs_environment }}" - - - tasks: - - name: set nrpe read access for osbs.conf for nagios 
monitoring - acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present - - - name: pull fedora required docker images - shell: "docker pull {{item}}" - with_items: "{{fedora_required_images}}" - delegate_to: compose-x86-01.phx2.fedoraproject.org - register: docker_pull_fedora_delegated - changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout" - - - name: tag fedora required docker images for our registry - shell: "docker tag {{item}} {{docker_registry}}/{{item}}" - with_items: "{{fedora_required_images}}" - delegate_to: compose-x86-01.phx2.fedoraproject.org - when: docker_pull_fedora_delegated|changed - - - name: push fedora required docker images to our registry - shell: "docker push {{docker_registry}}/{{item}}" - with_items: "{{fedora_required_images}}" - delegate_to: compose-x86-01.phx2.fedoraproject.org - when: docker_pull_fedora_delegated|changed - - - name: register origin_version_out rpm query - shell: "rpm -q origin --qf '%{Version}'" - register: origin_version_out - check_mode: no - changed_when: False - - - set_fact: - origin_version: "{{origin_version_out.stdout}}" - - - name: pull openshift required docker images - shell: "docker pull {{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - delegate_to: compose-x86-01.phx2.fedoraproject.org - register: docker_pull_openshift_delegated - changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout" - - - name: tag openshift required docker images for our registry - shell: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - delegate_to: compose-x86-01.phx2.fedoraproject.org - when: docker_pull_openshift_delegated|changed - - - name: push openshift required docker images to our registry - shell: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - delegate_to: 
compose-x86-01.phx2.fedoraproject.org - when: docker_pull_openshift_delegated|changed - - - name: Ensure koji dockerbuilder cert path exists - file: - path: "{{ koji_pki_dir }}" - state: "directory" - mode: 0400 - - - name: Add koji dockerbuilder cert for Content Generator import - copy: - src: "{{private}}/files/koji/containerbuild.pem" - dest: "{{ koji_cert_path }}" - notify: oc secrets new - - - name: Add koji dockerbuilder ca cert for Content Generator import - copy: - src: "{{private}}/files/koji/buildercerts/fedora-ca.cert" - dest: "{{ koji_ca_cert_path }}" - notify: oc secrets new - - - name: create fedora image stream for OpenShift - shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated" - environment: "{{ osbs_environment }}" - args: - creates: /etc/origin/fedoraimagestreamcreated - - - name: set policy for koji builder in openshift for osbs - shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added" - args: - creates: "/etc/origin/koji-builder-policy-added" - when: env == "staging" - - - name: set policy for koji builder in openshift for osbs - shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added" - args: - creates: "/etc/origin/koji-builder-policy-added" - when: env == "production" - - - name: set policy for koji builder in openshift for atomic-reactor - shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added" - args: - creates: "/etc/origin/atomic-reactor-policy-added" - - - name: Create buildroot container conf directory - file: - path: "/etc/osbs/buildroot/" - state: directory - - - name: Upload 
Dockerfile for buildroot container - copy: - src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}" - dest: "/etc/osbs/buildroot/Dockerfile" - mode: 0400 - notify: - - buildroot container - - - name: Upload internal CA for buildroot - copy: - src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" - dest: "/etc/osbs/buildroot/ca.crt" - mode: 0400 - notify: - - buildroot container - - - name: stat /usr/share/atomic-reactor/atomic-reactor.tar.gz - stat: - path: /usr/share/atomic-reactor/atomic-reactor.tar.gz - register: usr_ar_stat - - - name: stat /etc/osbs/buildroot/atomic-reactor.tar.gz - stat: - path: /etc/osbs/buildroot/atomic-reactor.tar.gz - register: etc_ar_stat - - - name: remove old hardlink to /etc/osbs/buildroot/atomic-reactor.tar.gz - file: - path: /etc/osbs/buildroot/atomic-reactor.tar.gz - state: absent - when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum - - - name: Hardlink atomic-reactor source for buildroot container (because Docker) - file: - src: /usr/share/atomic-reactor/atomic-reactor.tar.gz - dest: /etc/osbs/buildroot/atomic-reactor.tar.gz - state: hard - notify: - - buildroot container - when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum - - - name: pull fedora required docker images - shell: "docker pull {{docker_registry}}/{{item}}" - with_items: "{{fedora_required_images}}" - register: docker_pull_fedora - changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout" - - - name: pull openshift required docker images - shell: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - register: docker_pull_openshift - changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout" - - - name: tag openshift required docker images locally - shell: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - when: 
docker_pull_openshift|changed - - name: refresh fedora image streams - shell: "oc import-image fedora --all" - when: docker_pull_fedora|changed
diff --git a/playbooks/groups/osbs-node.yml b/playbooks/groups/osbs-node.yml
deleted file mode 100644
index c81decd1f3..0000000000
--- a/playbooks/groups/osbs-node.yml
+++ /dev/null
@@ -1,423 +0,0 @@ -# create an osbs server -- include: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes:osbs-nodes-stg" - -- name: make the box be real - hosts: osbs-nodes - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - base - - rkhunter - - nagios/client - - hosts - - fas_client - - collectd/base - - rsyncd - - sudo - - { role: openvpn/client, - when: env != "staging" } - - tasks: - - include: "{{ tasks }}/yumrepos.yml" - - include: "{{ tasks }}/2fa_client.yml" - - include: "{{ tasks }}/motd.yml" - - handlers: - - include: "{{ handlers }}/restart_services.yml" - -# - name: pre-install osbs tasks -# hosts: osbs-nodes:osbs-nodes-stg -# vars_files: -# - /srv/web/infra/ansible/vars/global.yml -# - /srv/private/ansible/vars.yml -# - /srv/private/ansible/files/openstack/passwords.yml -# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - -# tasks: -# - name: copy docker-storage-setup config -# copy: -# src: "{{files}}/osbs/docker-storage-setup" -# dest: "/etc/sysconfig/docker-storage-setup" - -# - name: create cert dir for openshift public facing REST API SSL -# file: -# path: "/etc/origin/master/named_certificates" -# state: "directory" - -# - name: install cert for openshift public facing REST API SSL -# copy: -# src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" -# dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem" - -# - name: install key for openshift public facing REST API SSL -# copy: -# src: "{{private}}/files/osbs/{{env}}/osbs-internal.key" -# dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key" - -# - name: ensure origin conf dir exists -# file: -# path: "/etc/origin" -# state: "directory" - -# - name: place htpasswd file -# copy: -# src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd" -# dest: /etc/origin/htpasswd - -# roles: -# - { -# 
role: push-docker, -# docker_cert_name: "containerbuild", -# docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org", -# when: env == "staging" -# } -# - { -# role: push-docker, -# docker_cert_name: "containerbuild", -# docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org", -# when: env == "production" -# } - -# - name: setup osbs -# hosts: osbs-nodes:osbs-nodes-stg -# vars_files: -# - /srv/web/infra/ansible/vars/global.yml -# - /srv/private/ansible/vars.yml -# - /srv/private/ansible/files/openstack/passwords.yml -# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - -# roles: -# - osbs-atomic-reactor -# - { -# role: osbs-common, -# osbs_manage_firewalld: false, -# } -# - osbs-install-openshift -# - { -# role: osbs-master, -# osbs_openshift_loglevel: 2, -# osbs_master_export_port: true, -# osbs_manage_firewalld: false, -# osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt', -# osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key', -# osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt', -# osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt', -# osbs_readonly_users: [], -# osbs_readonly_groups: [], -# osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ], -# osbs_readwrite_groups: [], -# osbs_admin_users: [], -# osbs_admin_groups: [], -# osbs_master_max_pods: 3, -# osbs_update_packages: false, -# osbs_image_gc_high_threshold: 90, -# osbs_image_gc_low_threshold: 80, -# osbs_identity_provider: "htpasswd_provider", -# osbs_identity_htpasswd: { -# name: htpasswd_provider, -# challenge: true, -# login: true, -# provider_file: "/etc/origin/htpasswd" -# }, -# osbs_named_certificates: { -# enabled: true, -# cert_file: "named_certificates/{{osbs_url}}.pem", -# key_file: "named_certificates/{{osbs_url}}.key", -# names: [ "{{osbs_url}}" ], -# }, -# osbs_public_api_url: "{{osbs_url}}", -# when: env == "staging" -# } -# - { -# role: osbs-master, -# osbs_openshift_loglevel: 2, -# osbs_master_export_port: 
true, -# osbs_manage_firewalld: false, -# osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt', -# osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key', -# osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt', -# osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt', -# osbs_readonly_users: [], -# osbs_readonly_groups: [], -# osbs_readwrite_users: [ "{{ osbs_koji_prod_username }}" ], -# osbs_readwrite_groups: [], -# osbs_admin_users: [], -# osbs_admin_groups: [], -# osbs_master_max_pods: 3, -# osbs_update_packages: false, -# osbs_image_gc_high_threshold: 90, -# osbs_image_gc_low_threshold: 80, -# osbs_identity_provider: "htpasswd_provider", -# osbs_identity_htpasswd: { -# name: htpasswd_provider, -# challenge: true, -# login: true, -# provider_file: "/etc/origin/htpasswd" -# }, -# osbs_named_certificates: { -# enabled: true, -# cert_file: "named_certificates/{{osbs_url}}.pem", -# key_file: "named_certificates/{{osbs_url}}.key", -# names: [ "{{osbs_url}}" ], -# }, -# osbs_public_api_url: "{{osbs_url}}", -# when: env == "production" -# } - -# - { -# role: osbs-client, -# general: { -# verbose: 0, -# build_json_dir: '/usr/share/osbs/', -# openshift_required_version: 1.1.0, -# }, -# default: { -# username: "{{ osbs_koji_stg_username }}", -# password: "{{ osbs_koji_stg_password }}", -# koji_certs_secret: "koji", -# openshift_url: 'https://{{osbs_url}}/', -# registry_uri: 'https://{{docker_registry}}/v2', -# source_registry_uri: 'https://{{source_registry}}/v2', -# build_host: '{{osbs_url}}', -# koji_root: 'https://{{koji_url}}/koji', -# koji_hub: 'https://{{koji_url}}/kojihub', -# sources_command: 'fedpkg sources', -# build_type: 'prod', -# authoritative_registry: 'registry.example.com', -# vendor: 'Fedora Project', -# verify_ssl: true, -# use_auth: true, -# builder_use_auth: true, -# distribution_scope: 'private', -# registry_api_versions: 'v2', -# builder_openshift_url: 'https://172.17.0.1:8443/' -# }, -# when: env == "staging" -# } -# - { -# role: 
osbs-client,
-# general: {
-# verbose: 0,
-# build_json_dir: '/usr/share/osbs/',
-# openshift_required_version: 1.1.0,
-# },
-# default: {
-# username: "{{ osbs_koji_prod_username }}",
-# password: "{{ osbs_koji_prod_password }}",
-# koji_certs_secret: "koji",
-# openshift_url: 'https://{{osbs_url}}/',
-# registry_uri: 'https://{{docker_registry}}/v2',
-# source_registry_uri: 'https://{{source_registry}}/v2',
-# build_host: '{{osbs_url}}',
-# koji_root: 'https://{{koji_url}}/koji',
-# koji_hub: 'https://{{koji_url}}/kojihub',
-# sources_command: 'fedpkg sources',
-# build_type: 'prod',
-# authoritative_registry: 'registry.example.com',
-# vendor: 'Fedora Project',
-# verify_ssl: true,
-# use_auth: true,
-# builder_use_auth: true,
-# distribution_scope: 'private',
-# registry_api_versions: 'v2',
-# builder_openshift_url: 'https://172.17.0.1:8443/'
-# },
-# when: env == "production"
-# }
-
-# - name: post-install osbs tasks
-# hosts: osbs-nodes:osbs-nodes-stg
-# vars_files:
-# - /srv/web/infra/ansible/vars/global.yml
-# - /srv/private/ansible/vars.yml
-# - /srv/private/ansible/files/openstack/passwords.yml
-# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-# vars:
-# osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
-# osbs_environment:
-# KUBECONFIG: "{{ osbs_kubeconfig_path }}"
-# koji_pki_dir: /etc/pki/koji
-# koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
-# koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
-# koji_builder_user: dockerbuilder
-# osbs_builder_user: builder
-
-
-# handlers:
-# - name: buildroot container
-# shell: 'docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/'
-
-# - name: oc secrets new
-# shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
-# environment: "{{ osbs_environment }}"
-# notify: oc secrets add
-
-# - name: oc secrets add
-# shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
-# environment: "{{ osbs_environment }}"
-
-
-# tasks:
-# - name: set nrpe read access for osbs.conf for nagios monitoring
-# acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present
-
-# - name: pull fedora required docker images
-# shell: "docker pull {{item}}"
-# with_items: "{{fedora_required_images}}"
-# delegate_to: compose-x86-01.phx2.fedoraproject.org
-# register: docker_pull_fedora_delegated
-# changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout"
-
-# - name: tag fedora required docker images for our registry
-# shell: "docker tag {{item}} {{docker_registry}}/{{item}}"
-# with_items: "{{fedora_required_images}}"
-# delegate_to: compose-x86-01.phx2.fedoraproject.org
-# when: docker_pull_fedora_delegated|changed
-
-# - name: push fedora required docker images to our registry
-# shell: "docker push {{docker_registry}}/{{item}}"
-# with_items: "{{fedora_required_images}}"
-# delegate_to: compose-x86-01.phx2.fedoraproject.org
-# when: docker_pull_fedora_delegated|changed
-
-# - name: register origin_version_out rpm query
-# shell: "rpm -q origin --qf '%{Version}'"
-# register: origin_version_out
-# check_mode: no
-# changed_when: False
-
-# - set_fact:
-# origin_version: "{{origin_version_out.stdout}}"
-
-# - name: pull openshift required docker images
-# shell: "docker pull {{item}}:v{{origin_version}}"
-# with_items: "{{openshift_required_images}}"
-# delegate_to: compose-x86-01.phx2.fedoraproject.org
-# register: docker_pull_openshift_delegated
-# changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout"
-
-# - name: tag openshift required docker images for our registry
-# shell: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}"
-# with_items: "{{openshift_required_images}}"
-# delegate_to: compose-x86-01.phx2.fedoraproject.org
-# when: docker_pull_openshift_delegated|changed
-
-# - name: push openshift required docker images to our registry
-# shell: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}"
-# with_items: "{{openshift_required_images}}"
-# delegate_to: compose-x86-01.phx2.fedoraproject.org
-# when: docker_pull_openshift_delegated|changed
-
-# - name: Ensure koji dockerbuilder cert path exists
-# file:
-# path: "{{ koji_pki_dir }}"
-# state: "directory"
-# mode: 0400
-
-# - name: Add koji dockerbuilder cert for Content Generator import
-# copy:
-# src: "{{private}}/files/koji/containerbuild.pem"
-# dest: "{{ koji_cert_path }}"
-# notify: oc secrets new
-
-# - name: Add koji dockerbuilder ca cert for Content Generator import
-# copy:
-# src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
-# dest: "{{ koji_ca_cert_path }}"
-# notify: oc secrets new
-
-# - name: create fedora image stream for OpenShift
-# shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
-# environment: "{{ osbs_environment }}"
-# args:
-# creates: /etc/origin/fedoraimagestreamcreated
-
-# - name: set policy for koji builder in openshift for osbs
-# shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
-# args:
-# creates: "/etc/origin/koji-builder-policy-added"
-# when: env == "staging"
-
-# - name: set policy for koji builder in openshift for osbs
-# shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
-# args:
-# creates: "/etc/origin/koji-builder-policy-added"
-# when: env == "production"
-
-# - name: set policy for koji builder in openshift for atomic-reactor
-# shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added"
-# args:
-# creates: "/etc/origin/atomic-reactor-policy-added"
-
-# - name: Create buildroot container conf directory
-# file:
-# path: "/etc/osbs/buildroot/"
-# state: directory
-
-# - name: Upload Dockerfile for buildroot container
-# copy:
-# src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}"
-# dest: "/etc/osbs/buildroot/Dockerfile"
-# mode: 0400
-# notify:
-# - buildroot container
-
-# - name: Upload internal CA for buildroot
-# copy:
-# src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
-# dest: "/etc/osbs/buildroot/ca.crt"
-# mode: 0400
-# notify:
-# - buildroot container
-
-# - name: stat /usr/share/atomic-reactor/atomic-reactor.tar.gz
-# stat:
-# path: /usr/share/atomic-reactor/atomic-reactor.tar.gz
-# register: usr_ar_stat
-
-# - name: stat /etc/osbs/buildroot/atomic-reactor.tar.gz
-# stat:
-# path: /etc/osbs/buildroot/atomic-reactor.tar.gz
-# register: etc_ar_stat
-
-# - name: remove old hardlink to /etc/osbs/buildroot/atomic-reactor.tar.gz
-# file:
-# path: /etc/osbs/buildroot/atomic-reactor.tar.gz
-# state: absent
-# when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum
-
-# - name: Hardlink atomic-reactor source for buildroot container (because Docker)
-# file:
-# src: /usr/share/atomic-reactor/atomic-reactor.tar.gz
-# dest: /etc/osbs/buildroot/atomic-reactor.tar.gz
-# state: hard
-# notify:
-# - buildroot container
-# when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum
-
-# - name: pull fedora required docker images
-# shell: "docker pull {{docker_registry}}/{{item}}"
-# with_items: "{{fedora_required_images}}"
-# register: docker_pull_fedora
-# changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
-
-# - name: pull openshift required docker images
-# shell: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}"
-# with_items: "{{openshift_required_images}}"
-# register: docker_pull_openshift
-# changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"
-
-# - name: tag openshift required docker images locally
-# shell: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}"
-# with_items: "{{openshift_required_images}}"
-# when: docker_pull_openshift|changed
-
-# - name: refresh fedora image streams
-# shell: "oc import-image fedora --all"
-# when: docker_pull_fedora|changed