From 727425e268ffa3d138c6d95248a612af3d1eb3fb Mon Sep 17 00:00:00 2001
From: Adam Miller
Date: Thu, 27 Oct 2016 16:55:51 +0000
Subject: [PATCH] add koji auth to osbs-cluster, handle osbs + postinstall tasks
Signed-off-by: Adam Miller
---
playbooks/groups/osbs-cluster.yml | 278 +++++++++++++++++-
.../templates/cluster-inventory.j2 | 5 +-
2 files changed, 278 insertions(+), 5 deletions(-)
diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml
index ae6dfc49d1..36053cb198 100644
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@@ -50,6 +50,8 @@
 - name: Setup cluster hosts pre-reqs
 hosts: osbs-masters-stg:osbs-nodes-stg
+ tags:
+ - osbs-cluster-prereq
 user: root
 gather_facts: True
@@ -73,6 +75,8 @@
 - name: Deploy OpenShift Cluster
 hosts: osbs-control:osbs-control-stg
+ tags:
+ - osbs-deploy-openshift
 user: root
 gather_facts: True
@@ -85,19 +89,28 @@
 - { role: ansible-ansible-openshift-ansible,
 cluster_inventory_filename: "cluster-inventory-stg",
+ openshift_htpasswd_file: "/etc/origin/htpasswd",
+ openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
 openshift_release: "v1.3",
 openshift_ansible_path: "/root/openshift-ansible",
 openshift_ansible_playbook: "playbooks/byo/config.yml",
 openshift_ansible_refspec: "openshift-ansible-3.3.38-1",
 openshift_cluster_masters_group: "osbs-masters-stg",
 openshift_cluster_nodes_group: "osbs-nodes-stg",
+ openshift_named_certificates: [{
+ cert_file: "named_certificates/{{osbs_url}}.pem",
+ key_file: "named_certificates/{{osbs_url}}.key",
+ names: [ "{{osbs_url}}" ],
+ }],
 when: env == 'staging',
 tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
 }
-- name: Setup OSBS requirements on hosts in the cluster
+- name: Setup OSBS requirements for OpenShift cluster hosts
 hosts: osbs-masters-stg:osbs-nodes-stg
+ tags:
+ - osbs-cluster-req
 user: root
 gather_facts: True
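Review bot: `openshift_named_certificates` is added to the staging role block, but the only template this commit touches (cluster-inventory.j2) renders `openshift_htpasswd_file` and `openshift_master_public_api_url` and never references it, so unless the role already consumes it elsewhere the named certificate does not reach openshift-ansible and the API keeps whatever certificate it had. The `cert_file`/`key_file` values are relative paths (`named_certificates/{{osbs_url}}.pem`) evaluated in a play that runs on osbs-control, while the "Setup requirements for OpenShift master" play later in this patch installs the same files under `/etc/origin/master/named_certificates` on the cluster hosts; presumably only one of those locations is the real source, so a comment such as `# relative to openshift_ansible_path on the control host — TODO confirm` next to `cert_file:` would save the next reader the guess. The `{{osbs_url}}` spellings here also lack the inner spaces used in `{{ osbs_url }}` two lines above; cosmetic, but worth making uniform.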
@@ -107,10 +120,76 @@
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
 roles:
- - osbs-common
+ - {
+ role: osbs-common,
+ osbs_manage_firewalld: false,
+ }
+ - osbs-atomic-reactor
+ - {
+ role: push-docker,
+ docker_cert_name: "containerbuild",
+ docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
+ when: env == "staging"
+ }
+ - {
+ role: push-docker,
+ docker_cert_name: "containerbuild",
+ docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org",
+ when: env == "production"
+ }
+
+ tasks:
+ - name: cron entry to clean up docker storage
+ copy:
+ src: "{{files}}/osbs/cleanup-docker-storage"
+ dest: "/etc/cron.d/cleanup-docker-storage"
+
+ - name: copy docker-storage-setup config
+ copy:
+ src: "{{files}}/osbs/docker-storage-setup"
+ dest: "/etc/sysconfig/docker-storage-setup"
+
+ - name: create cert dir for openshift public facing REST API SSL
+ file:
+ path: "/etc/origin/master/named_certificates"
+ state: "directory"
+
+- name: Setup requirements for OpenShift master
+ hosts: osbs-masters-stg:osbs-nodes-stg
+ tags:
+ - osbs-master-req
+ user: root
+ gather_facts: True
+
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - "/srv/private/ansible/vars.yml"
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ - name: install cert for openshift public facing REST API SSL
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
+ dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"
+
+ - name: install key for openshift public facing REST API SSL
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
+ dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
+
+ - name: ensure origin conf dir exists
+ file:
+ path: "/etc/origin"
+ state: "directory"
+
+ - name: place htpasswd file
+ copy:
+ src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
+ dest: /etc/origin/htpasswd
 - name: Deploy OSBS on top of OpenShift
 hosts: osbs-masters-stg[0]:osbs-masters[0]
+ tags:
+ - osbs-deploy-on-openshift
 user: root
 gather_facts: True
@@ -132,7 +211,7 @@
 osbs_service_accounts: [],
 osbs_readonly_users: [],
 osbs_readonly_groups: [],
- osbs_readwrite_users: [],
+ osbs_readwrite_users: ["{{ osbs_koji_stg_username }}"],
 osbs_readwrite_groups: [ "system:authenticated"],
 osbs_admin_users: [],
 osbs_admin_groups: [],
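Review bot: The new "Setup requirements for OpenShift master" play lists its `- name: install cert …`, `install key …`, `ensure origin conf dir exists` and `place htpasswd file` entries directly after `vars_files:` with no `tasks:` key, so as written they are most likely parsed as `vars_files` entries (or as malformed plays) and the play fails before doing anything; a `tasks:` line belongs before `- name: install cert for openshift public facing REST API SSL` (indentation is lost in this rendering, so the exact level needs checking against the file). The `copy` tasks for `osbs-internal.key` and the htpasswd file set no `mode:`, so the API server's private key and the credential hashes land with whatever the default umask allows; `mode: 0600` on both copies, and `mode: 0700` on the `named_certificates` directory created in the previous play, keeps them root-only. The play also targets `osbs-masters-stg:osbs-nodes-stg` although its name and its files are master-only, which places the key and the htpasswd file on every node; `hosts: osbs-masters-stg` matches the intent. The "Deploy OSBS on top of OpenShift" play at the end of the hunk continues outside it.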
@@ -140,3 +219,196 @@
 osbs_docker_registry_storage: "/opt/openshift-registry",
 when: env == "staging"
 }
+
+- name: post-install osbs tasks
+ hosts: osbs-masters-stg:osbs-nodes-stg
+ tags:
+ - osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+ koji_pki_dir: /etc/pki/koji
+ koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
+ koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
+ koji_builder_user: dockerbuilder
+ osbs_builder_user: builder
+
+
+ handlers:
+ - name: buildroot container
+ shell: 'docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/'
+
+ - name: oc secrets new
+ shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
+ environment: "{{ osbs_environment }}"
+ notify: oc secrets add
+
+ - name: oc secrets add
+ shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
+ environment: "{{ osbs_environment }}"
+
+ tasks:
+ - name: set nrpe read access for osbs.conf for nagios monitoring
+ acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present
+
+ - name: pull fedora required docker images
+ shell: "docker pull {{item}}"
+ with_items: "{{fedora_required_images}}"
+ delegate_to: compose-x86-01.phx2.fedoraproject.org
+ register: docker_pull_fedora_delegated
+ changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout"
+
+ - name: tag fedora required docker images for our registry
+ shell: "docker tag {{item}} {{docker_registry}}/{{item}}"
+ with_items: "{{fedora_required_images}}"
+ delegate_to: compose-x86-01.phx2.fedoraproject.org
+ when: docker_pull_fedora_delegated|changed
+
+ - name: push fedora required docker images to our registry
+ shell: "docker push {{docker_registry}}/{{item}}"
+ with_items: "{{fedora_required_images}}"
+ delegate_to: compose-x86-01.phx2.fedoraproject.org
+ when: docker_pull_fedora_delegated|changed
+
+ - name: register origin_version_out rpm query
+ shell: "rpm -q origin --qf '%{Version}'"
+ register: origin_version_out
+ always_run: true
+ changed_when: False
+
+ - set_fact:
+ origin_version: "{{origin_version_out.stdout}}"
+
+ - name: pull openshift required docker images
+ shell: "docker pull {{item}}:v{{origin_version}}"
+ with_items: "{{openshift_required_images}}"
+ delegate_to: compose-x86-01.phx2.fedoraproject.org
+ register: docker_pull_openshift_delegated
+ changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout"
+
+ - name: tag openshift required docker images for our registry
+ shell: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}"
+ with_items: "{{openshift_required_images}}"
+ delegate_to: compose-x86-01.phx2.fedoraproject.org
+ when: docker_pull_openshift_delegated|changed
+
+ - name: push openshift required docker images to our registry
+ shell: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}"
+ with_items: "{{openshift_required_images}}"
+ delegate_to: compose-x86-01.phx2.fedoraproject.org
+ when: docker_pull_openshift_delegated|changed
+
+ - name: Ensure koji dockerbuilder cert path exists
+ file:
+ path: "{{ koji_pki_dir }}"
+ state: "directory"
+ mode: 0400
+
+ - name: Add koji dockerbuilder cert for Content Generator import
+ copy:
+ src: "{{private}}/files/koji/containerbuild.pem"
+ dest: "{{ koji_cert_path }}"
+ notify: oc secrets new
+
+ - name: Add koji dockerbuilder ca cert for Content Generator import
+ copy:
+ src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
+ dest: "{{ koji_ca_cert_path }}"
+ notify: oc secrets new
+
+ - name: create fedora image stream for OpenShift
+ shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
+ environment: "{{ osbs_environment }}"
+ args:
+ creates: /etc/origin/fedoraimagestreamcreated
+ delegate_to: osbs-masters-stg[0]
+
+ - name: set policy for koji builder in openshift for osbs
+ shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
+ args:
+ creates: "/etc/origin/koji-builder-policy-added"
+ when: env == "staging"
+
+ - name: set policy for koji builder in openshift for osbs
+ shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
+ args:
+ creates: "/etc/origin/koji-builder-policy-added"
+ when: env == "production"
+
+ - name: set policy for koji builder in openshift for atomic-reactor
+ shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added"
+ args:
+ creates: "/etc/origin/atomic-reactor-policy-added"
+
+ - name: Create buildroot container conf directory
+ file:
+ path: "/etc/osbs/buildroot/"
+ state: directory
+
+ - name: Upload Dockerfile for buildroot container
+ copy:
+ src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}"
+ dest: "/etc/osbs/buildroot/Dockerfile"
+ mode: 0400
+ notify:
+ - buildroot container
+
+ - name: Upload internal CA for buildroot
+ copy:
+ src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
+ dest: "/etc/osbs/buildroot/ca.crt"
+ mode: 0400
+ notify:
+ - buildroot container
+
+ - name: stat /usr/share/atomic-reactor/atomic-reactor.tar.gz
+ stat:
+ path: /usr/share/atomic-reactor/atomic-reactor.tar.gz
+ register: usr_ar_stat
+
+ - name: stat /etc/osbs/buildroot/atomic-reactor.tar.gz
+ stat:
+ path: /etc/osbs/buildroot/atomic-reactor.tar.gz
+ register: etc_ar_stat
+
+ - name: remove old hardlink to /etc/osbs/buildroot/atomic-reactor.tar.gz
+ file:
+ path: /etc/osbs/buildroot/atomic-reactor.tar.gz
+ state: absent
+ when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum
+
+ - name: Hardlink atomic-reactor source for buildroot container (because Docker)
+ file:
+ src: /usr/share/atomic-reactor/atomic-reactor.tar.gz
+ dest: /etc/osbs/buildroot/atomic-reactor.tar.gz
+ state: hard
+ notify:
+ - buildroot container
+ when: etc_ar_stat.stat.exists and usr_ar_stat.stat.checksum != etc_ar_stat.stat.checksum
+
+ - name: pull fedora required docker images
+ shell: "docker pull {{docker_registry}}/{{item}}"
+ with_items: "{{fedora_required_images}}"
+ register: docker_pull_fedora
+ changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
+
+ - name: pull openshift required docker images
+ shell: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}"
+ with_items: "{{openshift_required_images}}"
+ register: docker_pull_openshift
+ changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"
+
+ - name: tag openshift required docker images locally
+ shell: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}"
+ with_items: "{{openshift_required_images}}"
+ when: docker_pull_openshift|changed
+
+ - name: refresh fedora image streams
+ shell: "oc import-image fedora --all"
+ when: docker_pull_fedora|changed
diff --git a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2 b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2
index 265aa90866..97f2fb7789 100644
--- a/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2
+++ b/roles/ansible-ansible-openshift-ansible/templates/cluster-inventory.j2
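Review bot: In both "set policy for koji builder in openshift for osbs" tasks the user argument is written `htpasswd_provider: {{ osbs_koji_stg_username }}` (and the prod equivalent) with a space after the colon, so the shell hands `htpasswd_provider:` and the bare username to `oadm policy add-role-to-user` as two separate users; the `edit` role is then also bound to the literal user `htpasswd_provider:`, and whether the intended account gets it depends on which form OpenShift expects — the space should go (or the prefix dropped to match the bare-username form used for `system:serviceaccount:default:builder`), and the `creates:` marker file removed once so the task actually re-runs. Those two tasks, the atomic-reactor policy task and `oc import-image fedora --all` also lack the `environment: "{{ osbs_environment }}"` and `delegate_to: osbs-masters-stg[0]` that the image-stream task carries, yet the play targets nodes as well as masters; presumably they are meant to run once on a master with the admin kubeconfig. `{{ koji_pki_dir }}` is created with `mode: 0400`, which on a directory drops the execute bit, and `containerbuild.pem` is copied with no `mode:` at all; `mode: 0700` on the directory and `mode: 0600` on the PEM is the usual shape if that file carries the builder's private key. The `oc secrets new` handler is not idempotent, so a later change to either certificate notifies it and it will presumably fail because `secrets/koji` already exists; guarding it (`oc get secret koji || oc secrets new …`) or deleting and recreating the secret would make rotation work.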
@@ -8,8 +8,9 @@ lb
 ansible_ssh_user=root
 debug_level=2
 deployment_type=origin
-openshift_release={{openshift_release }}
-openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
+openshift_release={{ openshift_release }}
+openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '{{ openshift_htpasswd_file }}'}]
+openshift_master_public_api_url={{ openshift_master_public_api_url }}
 [masters]
 {% for host in groups[openshift_cluster_masters_group] %}
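Review bot: The template now renders `{{ openshift_htpasswd_file }}` and `{{ openshift_master_public_api_url }}` unconditionally, and within this commit only the staging role block in osbs-cluster.yml sets them; any other invocation of the role renders `'filename': ''` and an empty `openshift_master_public_api_url=` line (or aborts under strict undefined checking), which silently breaks the htpasswd identity provider. Keeping the previous behaviour for callers that do not pass the variable, `'filename': '{{ openshift_htpasswd_file | default('/etc/origin/master/htpasswd') }}'`, and wrapping the new line in `{% if openshift_master_public_api_url is defined %} … {% endif %}` keeps existing inventories rendering as before. The hunk is the only visible part of the template, so whether the file defines defaults elsewhere cannot be checked from here.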