diff --git a/playbooks/groups/osbs.yml b/playbooks/groups/osbs.yml index 4c5fedc5c5..b8da6c0d99 100644 --- a/playbooks/groups/osbs.yml +++ b/playbooks/groups/osbs.yml @@ -43,3 +43,16 @@ handlers: - include: "{{ handlers }}/restart_services.yml" + +- name: apply common osbs configuration + hosts: osbs-stg + roles: + - osbs_common + +- name: set up openshift build hosts + hosts: osbs-stg + roles: + - osbs_install_openshift_copr + + # change behind_auth_proxy to true when using kerberos proxy + - { role: osbs_builder, behind_auth_proxy: false } diff --git a/roles/osbs_builder/defaults/main.yml b/roles/osbs_builder/defaults/main.yml new file mode 100644 index 0000000000..735d2c61b1 --- /dev/null +++ b/roles/osbs_builder/defaults/main.yml @@ -0,0 +1,38 @@ +--- +# OSBS expects the build image to be named buildroot +buildroot_tag: buildroot + +# create build image from source or pull it from a registry? +# see options below +buildroot_from_source: true + +## for build_buildroot_from_source=false +buildroot_pull: + registry: registry.hub.docker.com + registry_insecure: false + image: mmilata/buildroot:latest + +## for build_buildroot_from_source=true +buildroot_build: + # buildroot base image source + base_registry: registry.hub.docker.com + base_registry_insecure: false + base_image: library/fedora:latest + # allow retagging the base image to match FROM in Dockerfile + base_image_retag: fedora:latest + # buildroot dockerfile source + git_url: https://github.com/mmilata/osbs-buildroot-osv3.git + git_branch: master + git_subdir: "" + git_local_path: "{{ ansible_env.HOME }}/osbs-buildroot-docker" + +## docker needs to know which registries are insecure +insecure_registries: [] + +# is authenticating proxy in front of us? if true, do not expose openshift port +# and require users to be authenticated +# set to false for debugging +behind_auth_proxy: true + +# set to false if you don't use firewalld or do not want the playbook to modify it +manage_firewall: true 
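Review bot: `behind_auth_proxy: false` for the osbs-stg hosts is not a harmless debug toggle in this role: with it, osbs_builder/tasks/main.yml opens `openshift_port` in firewalld, master.yaml.j2 selects AllowAllPasswordIdentityProvider, and the policy tasks bind the `edit` role to `system:unauthenticated`, so anyone who can reach 8443 on the staging builder can start builds with no credentials at all. Unless the staging network is isolated in a way this playbook does not show, the role should be applied as `- { role: osbs_builder, behind_auth_proxy: true }` together with the kerberos proxy role, and the inline comment should say plainly that `false` means the API is reachable without authentication rather than just "when using kerberos proxy".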
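Review bot: Every buildroot input in these defaults is an unpinned moving target — `buildroot_pull.image: mmilata/buildroot:latest`, `base_image: library/fedora:latest` and `git_branch: master` of a personal GitHub repository — so the image every OSBS build runs inside is whatever those references resolve to on the day the playbook runs, with no digest or commit to audit afterwards. Pin `git_branch` to a commit (the git module's `version` accepts one) and document that `buildroot_pull.image` should carry an immutable tag; I'd also add a comment that `registry_insecure`/`base_registry_insecure` disable TLS verification for that registry and must stay `false` outside throwaway setups. The comment `## for build_buildroot_from_source=false` names a variable that does not exist; it should read `## for buildroot_from_source=false` to match the key above it.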
diff --git a/roles/osbs_builder/files/sysconfig-openshift-master b/roles/osbs_builder/files/sysconfig-openshift-master
new file mode 100644
index 0000000000..7cec9508c6
--- /dev/null
+++ b/roles/osbs_builder/files/sysconfig-openshift-master
@@ -0,0 +1,9 @@
+OPTIONS="--loglevel=3"
+CONFIG_FILE=/etc/openshift/master/master-config.yaml
+
+# Proxy configuration
+# OpenShift uses standard HTTP_PROXY environment variables. Be sure to set
+# NO_PROXY for your master
+#NO_PROXY=master.example.com
+#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
+#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT
diff --git a/roles/osbs_builder/files/sysconfig-openshift-node b/roles/osbs_builder/files/sysconfig-openshift-node
new file mode 100644
index 0000000000..61b10bbaed
--- /dev/null
+++ b/roles/osbs_builder/files/sysconfig-openshift-node
@@ -0,0 +1,22 @@
+OPTIONS="--loglevel=3"
+# /etc/openshift/node/ should contain the entire contents of
+# /var/lib/openshift.local.certificates/node-${node-fqdn} generated by
+# running 'openshift admin create-node-config' on your master
+#
+# If if your node is running on a separate host you can rsync the contents
+# rsync -a root@openshift-master:/var/lib/openshift/openshift.local.certificates/node-`hostname`/ /etc/openshift/node
+CONFIG_FILE=/etc/openshift/node/node-config.yaml
+
+# The $DOCKER_NETWORK_OPTIONS variable is used by sdn plugins to set
+# $DOCKER_NETWORK_OPTIONS variable in the /etc/sysconfig/docker-network
+# Most plugins include their own defaults within the scripts
+# TODO: More elegant solution like this
+# https://github.com/coreos/flannel/blob/master/dist/mk-docker-opts.sh
+# DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'
+
+# Proxy configuration
+# OpenShift uses standard HTTP_PROXY environment variables. Be sure to set
+# NO_PROXY for your master
+#NO_PROXY=master.example.com
+#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
+#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT
diff --git a/roles/osbs_builder/tasks/buildroot_from_source.yml b/roles/osbs_builder/tasks/buildroot_from_source.yml
new file mode 100644
index 0000000000..0ea4501c7d
--- /dev/null
+++ b/roles/osbs_builder/tasks/buildroot_from_source.yml
@@ -0,0 +1,19 @@
+---
+- name: pull buildroot base image
+ command: docker pull {{ buildroot_build.base_registry }}/{{ buildroot_build.base_image }}
+
+- name: tag buildroot base image
+ command: docker tag -f {{ buildroot_build.base_registry }}/{{ buildroot_build.base_image }} {{ buildroot_build.base_image_retag }}
+ when: buildroot_base_image_retag is defined
+
+- name: pull build image git repository
+ git:
+ repo: "{{ buildroot_build.git_url }}"
+ dest: "{{ buildroot_build.git_local_path }}"
+ version: "{{ buildroot_build.git_branch }}"
+ accept_hostkey: yes
+ register: buildroot_git_repo
+
+- name: build buildroot
+ command: docker build --no-cache=true --tag={{ buildroot_tag }} {{ buildroot_build.git_local_path }}/{{ buildroot_build.git_subdir }}
+ when: buildroot_git_repo.changed
diff --git a/roles/osbs_builder/tasks/main.yml b/roles/osbs_builder/tasks/main.yml
new file mode 100644
index 0000000000..0e173c0b5b
--- /dev/null
+++ b/roles/osbs_builder/tasks/main.yml
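Review bot: `when: buildroot_base_image_retag is defined` tests a variable nothing in this diff defines; the default lives at `buildroot_build.base_image_retag`, so the retag task is always skipped and a Dockerfile whose `FROM` expects the retagged name never sees it. It should be `when: buildroot_build.base_image_retag is defined`. Separately, `accept_hostkey: yes` silently trusts whatever host key is offered should `git_url` ever be switched to ssh, and `version: master` combined with `--no-cache=true` rebuilds the buildroot from an unreviewed moving branch on every change; pin `git_branch` to a commit and drop `accept_hostkey` for an https URL.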
@@ -0,0 +1,139 @@ +--- +- name: install packages required by osbs + yum: name={{ item }} state=installed + with_items: + - bind-utils + - iptables-services + - bridge-utils + - dock + - docker + - docker-registry + +### docker service ### + +- name: ensure docker is running + service: name=docker state=started enabled=yes + +- name: configure docker + template: src=sysconfig-docker.j2 dest=/etc/sysconfig/docker + register: docker_sysconfig + +- name: restart docker after changing configuration + service: name=docker state=restarted + when: docker_sysconfig.changed + +### openshift service ### + +# Permanent rules aren't applied immediately. Starting with ansible 1.9, +# these two rules can be merged into one with permanent=true immediate=true. +- name: open openshift port in the firewall + firewalld: port={{ openshift_port }}/tcp state=enabled permanent={{ item }} + with_items: + - true + - false + when: not behind_auth_proxy and manage_firewall + +- name: close openshift port in the firewall + firewalld: port={{ openshift_port }}/tcp state=disabled permanent={{ item }} + with_items: + - true + - false + when: behind_auth_proxy and manage_firewall + +- name: modifications in /etc/sysconfig/openshift + copy: src=sysconfig-openshift-{{ item }} dest=/etc/sysconfig/openshift-{{ item }} + with_items: + - master + - node + +- name: generate basic openshift configuration and certificates + command: openshift start --write-config=/etc/openshift + args: + chdir: "{{ openshift_home }}" + creates: /etc/openshift/node-{{ ansible_fqdn }}/node-config.yaml + +- name: link /etc/openshift/node to actual node directory + file: path=/etc/openshift/node src=/etc/openshift/node-{{ ansible_fqdn }} force=yes state=link + +- name: configure openshift master + template: src=master.yaml.j2 dest=/etc/openshift/master/master-config.yaml + register: openshift_master_config + +- name: configure openshift node + template: src=node.yaml.j2 dest=/etc/openshift/node/node-config.yaml + register: 
openshift_node_config + +- name: generate cert for authenticating proxy - self-signed certificate + command: > + openssl req -new -nodes -x509 + -subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}" + -days 3650 + -keyout {{ proxy_auth_key_file }} + -out {{ proxy_auth_cert_file }} + -extensions v3_ca + args: + creates: "{{ proxy_auth_cert_file }}" + when: behind_auth_proxy and proxy_auth_generate_selfsigned + register: auth_proxy_cert + +- name: generate cert for authenticating proxy - convert privkey to rsa + command: openssl rsa -in {{ proxy_auth_key_file }} -out {{ proxy_auth_key_file }} + when: auth_proxy_cert.changed + +- name: restart openshift master after changing configuration + service: name=openshift-master state=restarted + when: openshift_master_config.changed + +- name: restart openshift node after changing configuration + service: name=openshift-node state=restarted + when: openshift_node_config.changed + +- name: ensure openshift is running + service: name=openshift-{{ item }} state=started enabled=yes + with_items: + - master + - node + +- name: wait for openshift to start accepting connections + wait_for: port={{ openshift_port }} timeout=30 + +# Set up authorization policy. If we are behind proxy then assign authenticated +# users the "edit" role which can start builds and watch build logs. +# If we are not (=debug), add both authenticated and unauthenticated users to +# the role. 
+- name: openshift auth - clear
+ command: osadm policy remove-role-from-group edit system:authenticated system:unauthenticated
+ environment: osc_environment
+ register: command_result
+ failed_when: command_result.rc != 0 and "unable to locate RoleBinding" not in command_result.stderr
+
+- name: openshift auth - make everyone cluster admin
+ command: osadm policy add-role-to-group edit system:unauthenticated system:authenticated
+ environment: osc_environment
+ when: not behind_auth_proxy
+
+- name: openshift auth - authenticated users are cluster admins
+ command: osadm policy add-role-to-group edit system:authenticated
+ environment: osc_environment
+ when: behind_auth_proxy
+
+# Useful when using "osc" to inspect openshift state.
+- name: add OPENSHIFTCONFIG to .bashrc
+ lineinfile:
+ dest: "{{ ansible_env.HOME }}/.bashrc"
+ regexp: "export OPENSHIFTCONFIG="
+ line: "export OPENSHIFTCONFIG={{ kubeconfig_path }}"
+
+### buildroot image ###
+
+- name: pull buildroot image
+ command: docker pull {{ buildroot_pull.registry }}/{{ buildroot_pull.image }}
+ register: pull_buildroot
+ when: not buildroot_from_source
+
+- name: tag buildroot image
+ command: docker tag -f {{ buildroot_pull.registry }}/{{ buildroot_pull.image }} {{ buildroot_tag }}
+ when: pull_buildroot.changed
+
+- include: buildroot_from_source.yml
+ when: buildroot_from_source
diff --git a/roles/osbs_builder/templates/master.yaml.j2 b/roles/osbs_builder/templates/master.yaml.j2
new file mode 100644
index 0000000000..f8f25cc394
--- /dev/null
+++ b/roles/osbs_builder/templates/master.yaml.j2
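Review bot: The `openshift auth - make everyone cluster admin` task binds the `edit` role to `system:unauthenticated` (in whatever namespace admin.kubeconfig selects) while the firewall task earlier in this hunk opens 8443 whenever `behind_auth_proxy` is false, so an anonymous remote client can create builds and pods on the build host; the task names also say "cluster admin" where the role granted is `edit`, so they should be renamed to describe what is actually bound. If anonymous access is meant for debugging only, gate it on a separate explicit opt-in, e.g. `when: not behind_auth_proxy and osbs_allow_anonymous | default(false)`, rather than on the same flag that selects the identity provider. Unless the installed openssl forces 0600 on `-keyout`, the proxy private key written by `openssl req -nodes` and rewritten in place by `openssl rsa -out` inherits the umask, so add `file: path={{ proxy_auth_key_file }} mode=0600` after those tasks; note too that `proxy_auth_key_file`, `proxy_auth_cert_file` and `proxy_auth_generate_selfsigned` are not defined in this role's defaults or vars anywhere in this diff.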
@@ -0,0 +1,127 @@ +apiLevels: +- v1beta3 +- v1beta1 +- v1 +apiVersion: v1 +assetConfig: + logoutURL: "" + masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 + publicURL: https://{{ ansible_default_ipv4.address }}:8443/console/ + servingInfo: + bindAddress: 0.0.0.0:8443 + certFile: master.server.crt + clientCA: "" + keyFile: master.server.key +corsAllowedOrigins: +- 127.0.0.1 +- {{ ansible_default_ipv4.address }}:8443 +- localhost +dnsConfig: + bindAddress: 0.0.0.0:53 +etcdClientInfo: + ca: ca.crt + certFile: master.etcd-client.crt + keyFile: master.etcd-client.key + urls: + - https://{{ ansible_default_ipv4.address }}:4001 +etcdConfig: + address: {{ ansible_default_ipv4.address }}:4001 + peerAddress: {{ ansible_default_ipv4.address }}:7001 + peerServingInfo: + bindAddress: 0.0.0.0:7001 + certFile: etcd.server.crt + clientCA: ca.crt + keyFile: etcd.server.key + servingInfo: + bindAddress: 0.0.0.0:4001 + certFile: etcd.server.crt + clientCA: ca.crt + keyFile: etcd.server.key + storageDirectory: /var/lib/openshift/openshift.local.etcd +etcdStorageConfig: + kubernetesStoragePrefix: kubernetes.io + kubernetesStorageVersion: v1beta3 + openShiftStoragePrefix: openshift.io + openShiftStorageVersion: v1beta3 +imageConfig: + format: openshift/origin-${component}:${version} + latest: false +kind: MasterConfig +kubeletClientInfo: + ca: ca.crt + certFile: master.kubelet-client.crt + keyFile: master.kubelet-client.key + port: 10250 +kubernetesMasterConfig: + apiLevels: + - v1beta1 + - v1beta2 + - v1beta3 + - v1 + masterCount: 1 + masterIP: {{ ansible_default_ipv4.address }} + podEvictionTimeout: 5m + schedulerConfigFile: "" + servicesSubnet: 172.30.0.0/16 + staticNodeNames: + - {{ ansible_fqdn }} +masterClients: + deployerKubeConfig: openshift-deployer.kubeconfig + externalKubernetesKubeConfig: "" + openshiftLoopbackKubeConfig: openshift-client.kubeconfig +masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 +networkConfig: + clusterNetworkCIDR: 
10.1.0.0/16 + hostSubnetLength: 8 + networkPluginName: "" +oauthConfig: + assetPublicURL: https://{{ ansible_default_ipv4.address }}:8443/console/ + grantConfig: + method: auto + identityProviders: +{% if behind_auth_proxy %} + - name: my_request_header_provider + challenge: false + login: false + provider: + apiVersion: v1 + kind: RequestHeaderIdentityProvider + clientCA: {{ proxy_auth_ca_file | default('/etc/openshift/master/ca.crt') }} + headers: + - X-Remote-User +{% else %} + - challenge: true + login: true + name: anypassword + provider: + apiVersion: v1 + kind: AllowAllPasswordIdentityProvider +{% endif %} + masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 + masterURL: https://{{ ansible_default_ipv4.address }}:8443 + sessionConfig: + sessionMaxAgeSeconds: 300 + sessionName: ssn + sessionSecretsFile: "" + tokenConfig: + accessTokenMaxAgeSeconds: 86400 + authorizeTokenMaxAgeSeconds: 300 +policyConfig: + bootstrapPolicyFile: policy.json + openshiftSharedResourcesNamespace: openshift +projectConfig: + defaultNodeSelector: "" + projectRequestMessage: "" + projectRequestTemplate: "" +serviceAccountConfig: + managedNames: + - default + - builder + privateKeyFile: serviceaccounts.private.key + publicKeyFiles: + - serviceaccounts.public.key +servingInfo: + bindAddress: 0.0.0.0:8443 + certFile: master.server.crt + clientCA: ca.crt + keyFile: master.server.key diff --git a/roles/osbs_builder/templates/node.yaml.j2 b/roles/osbs_builder/templates/node.yaml.j2 new file mode 100644 index 0000000000..59913bd024 --- /dev/null +++ b/roles/osbs_builder/templates/node.yaml.j2 
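Review bot: In the `behind_auth_proxy` branch the RequestHeaderIdentityProvider's `clientCA` falls back to `/etc/openshift/master/ca.crt`; if that is the CA `openshift start --write-config` uses to issue the node and client certificates under the same directory, then any holder of one of those certificates — not only the kerberos proxy — can connect to 8443 with an arbitrary `X-Remote-User` header and be logged in as that user. The proxy CA must be a dedicated one: set `proxy_auth_ca_file` to the certificate generated for the proxy (the self-signed `proxy_auth_cert_file` from tasks/main.yml, or a purpose-specific CA) and drop the `ca.crt` default so templating fails loudly when it is unset. A comment above the line such as `# clientCA must trust ONLY the authenticating proxy, never the cluster CA (any cluster client cert could otherwise assert X-Remote-User)` would keep the next editor from reintroducing it. The `else` branch's AllowAllPasswordIdentityProvider accepts any username/password pair and deserves a `# debug only: any credentials are accepted` comment as well.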
@@ -0,0 +1,20 @@
+allowDisabledDocker: true
+apiVersion: v1
+dnsDomain: cluster.local
+dnsIP: {{ ansible_default_ipv4.address }}
+dockerConfig:
+ execHandlerName: native
+imageConfig:
+ format: openshift/origin-${component}:${version}
+ latest: false
+kind: NodeConfig
+masterKubeConfig: node.kubeconfig
+networkPluginName: ""
+nodeName: {{ ansible_fqdn }}
+podManifestConfig: null
+servingInfo:
+ bindAddress: 0.0.0.0:10250
+ certFile: server.crt
+ clientCA: node-client-ca.crt
+ keyFile: server.key
+volumeDirectory: /var/lib/openshift/openshift.local.volumes
diff --git a/roles/osbs_builder/templates/sysconfig-docker.j2 b/roles/osbs_builder/templates/sysconfig-docker.j2
new file mode 100644
index 0000000000..5350f59199
--- /dev/null
+++ b/roles/osbs_builder/templates/sysconfig-docker.j2
@@ -0,0 +1,32 @@ +# Modify these options if you want to change the way the docker daemon runs +OPTIONS='--selinux-enabled' + +DOCKER_CERT_PATH=/etc/docker + +# If you want to add your own registry to be used for docker search and docker pull use the +# ADD_REGISTRY option to list a set of comma separated registries. +# Note the last registry added will be the first regisry searched. +ADD_REGISTRY='--add-registry registry.access.redhat.com' + +# If you want to block registries from being used, use the +# BLOCK_REGISTRY option to list a set of comma separated registries, and uncommenting +# it. For example adding docker.io will stop users from downloading images from docker.io +# BLOCK_REGISTRY='--block-registry public' + +# If you have a registry secured with https but do not have proper certs destributed, you can +# tell docker to not look for full authorization by adding the registry to the +# INSECURE_REGISTRY line and uncommentin it. +INSECURE_REGISTRY='{% if buildroot_build.base_registry_insecure %}--insecure-registry {{ buildroot_build.base_registry }}{% elif buildroot_pull.registry_insecure %}--insecure--registry {{ buildroot_pull.registry }}{% endif %}{% for r in insecure_registries %} --insecure-registry {{ r }}{% endfor %}' + +# On an SELinux system, if you remove the --selinux-enabled option, you +# also need to turn on the docker_transition_unconfined boolean. +# setsebool -P docker_transition_unconfined 1 + +# Location used for temporary files, such as those created by +# docker load and build operations. Default is /var/lib/docker/tmp +# Can be overriden by setting the following environment variable. +# DOCKER_TMPDIR=/var/tmp + +# Controls the /etc/cron.daily/docker-logrotate cron job status. +# To disable, uncomment the line below. +# LOGROTATE=false diff --git a/roles/osbs_builder/vars/main.yml b/roles/osbs_builder/vars/main.yml new file mode 100644 index 0000000000..e30ffdc05a --- /dev/null +++ b/roles/osbs_builder/vars/main.yml 
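Review bot: The `elif buildroot_pull.registry_insecure` branch of the INSECURE_REGISTRY line emits `--insecure--registry` (double dash), which the docker daemon rejects as an unknown flag, so setting `registry_insecure: true` leaves docker unable to start after the `restart docker after changing configuration` task; it should be `--insecure-registry {{ buildroot_pull.registry }}`. Because the two branches are `if`/`elif`, a host with both `base_registry_insecure` and `registry_insecure` true only marks the first registry; either emit both or document that the extra one must go into `insecure_registries`. A comment next to the line stating that `--insecure-registry` disables TLS certificate verification (and permits plain HTTP) for pulls from that registry — i.e. the buildroot can be swapped in transit — would make the cost of flipping these defaults visible.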
@@ -0,0 +1,7 @@
+---
+openshift_home: /var/lib/openshift
+kubeconfig_path: /etc/openshift/master/admin.kubeconfig
+openshift_port: 8443
+
+osc_environment:
+ OPENSHIFTCONFIG: "{{ kubeconfig_path }}"
diff --git a/roles/osbs_common/defaults/main.yml b/roles/osbs_common/defaults/main.yml
new file mode 100644
index 0000000000..8cf99a7a60
--- /dev/null
+++ b/roles/osbs_common/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# set hostname of the machine
+#hostname: example.org
+
+# set to false if you don't use firewalld or do not want the playbook to modify it
+manage_firewall: true
diff --git a/roles/osbs_common/tasks/main.yml b/roles/osbs_common/tasks/main.yml
new file mode 100644
index 0000000000..299433bb30
--- /dev/null
+++ b/roles/osbs_common/tasks/main.yml
@@ -0,0 +1,34 @@
+---
+- name: set hostname
+ hostname: name={{ hostname }}
+ when: hostname is defined
+
+- name: install basic packages
+ yum: name={{ item }} state=installed
+ with_items:
+ - vim
+ - tmux
+ - wget
+ - git
+ - net-tools
+ - yum-utils
+ - tree
+
+- name: enable rhel7 repos
+ command: yum-config-manager --enable {{ item }}
+ with_items:
+ - rhel-7-server-optional-rpms
+ - rhel-7-server-extras-rpms
+ when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
+
+- name: enable epel7
+ yum: name={{ epel7_url }} state=installed
+ when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7'
+
+- name: install firewalld
+ yum: name=firewalld state=installed
+ when: manage_firewall
+
+- name: enable firewalld
+ service: name=firewalld state=started enabled=yes
+ when: manage_firewall
diff --git a/roles/osbs_common/vars/main.yml b/roles/osbs_common/vars/main.yml
new file mode 100644
index 0000000000..948958a46b
--- /dev/null
+++ b/roles/osbs_common/vars/main.yml
@@ -0,0 +1,2 @@
+---
+epel7_url: http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm
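Review bot: `enable epel7` hands `epel7_url` — a plain `http://` URL in vars/main.yml — straight to the yum module; yum treats a URL package as a local package and, with its default of not checking those (`localpkg_gpgcheck=0`), nothing verifies the RPM, so anyone on the path to download.fedoraproject.org can deliver an arbitrary package that is installed as root and then installs the repository GPG key every later EPEL package is checked against. Use `https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm` (which also avoids the pinned `7-5` build disappearing from the mirror) and either import the EPEL key first with `rpm_key` and set `localpkg_gpgcheck=1`, or fetch with `get_url` plus `sha256sum` and install the checked file. The `yum-config-manager --enable` command task will also report changed on every run; `changed_when: false`, or `ini_file` on the repo definitions, would fix the reporting.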
diff --git a/roles/osbs_install_openshift_copr/defaults/main.yml b/roles/osbs_install_openshift_copr/defaults/main.yml
new file mode 100644
index 0000000000..e003ba6fee
--- /dev/null
+++ b/roles/osbs_install_openshift_copr/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+openshift_version: 0.5.4
diff --git a/roles/osbs_install_openshift_copr/tasks/main.yml b/roles/osbs_install_openshift_copr/tasks/main.yml
new file mode 100644
index 0000000000..67c33db76d
--- /dev/null
+++ b/roles/osbs_install_openshift_copr/tasks/main.yml
@@ -0,0 +1,9 @@
+---
+- name: copy repository file
+ template: src=mmilata-openshift.repo.j2 dest=/etc/yum.repos.d/mmilata-openshift.repo
+
+- name: install openshift
+ yum: name={{ item }} state=installed
+ with_items:
+ - openshift-master
+ - openshift-node
diff --git a/roles/osbs_install_openshift_copr/templates/mmilata-openshift.repo.j2 b/roles/osbs_install_openshift_copr/templates/mmilata-openshift.repo.j2
new file mode 100644
index 0000000000..a74f694658
--- /dev/null
+++ b/roles/osbs_install_openshift_copr/templates/mmilata-openshift.repo.j2
@@ -0,0 +1,8 @@
+[mmilata-openshift]
+name=Copr repo for openshift owned by mmilata
+baseurl=https://copr-be.cloud.fedoraproject.org/results/mmilata/openshift/{{ (ansible_distribution == "Fedora") | ternary("fedora", "epel") }}-{{ ansible_distribution_major_version }}-$basearch/
+skip_if_unavailable=True
+gpgcheck=1
+gpgkey=https://copr-be.cloud.fedoraproject.org/results/mmilata/openshift/pubkey.gpg
+enabled=1
+
diff --git a/roles/osbs_install_openshift_source/defaults/main.yml b/roles/osbs_install_openshift_source/defaults/main.yml
new file mode 100644
index 0000000000..413f0b471e
--- /dev/null
+++ b/roles/osbs_install_openshift_source/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild"
+openshift_commit: 17a2e840914a9e2b0c2161e9f39efc22a043dec9
+openshift_archive: openshift-{{ openshift_commit }}.tar.gz
+openshift_version: 0.5.2
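Review bot: `install openshift` pulls `openshift-master`/`openshift-node` with `state=installed` and no version, so `openshift_version: 0.5.4` from this role's defaults is never referenced and each fresh host receives whatever build is newest in the personal Copr at that moment — potentially a different OpenShift than the master/node templates in this diff were written for, and a trust in one developer's Copr account with no pin to audit. Installing `name=openshift-master-{{ openshift_version }}` and `name=openshift-node-{{ openshift_version }}` (or removing the unused default) makes the dependency explicit. A comment in the repo template saying who controls the Copr project and why its signing key is trusted would round it out; `gpgcheck=1` with an https `gpgkey` is right and should stay.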
diff --git a/roles/osbs_install_openshift_source/tasks/main.yml b/roles/osbs_install_openshift_source/tasks/main.yml new file mode 100644 index 0000000000..9262c836f0 --- /dev/null +++ b/roles/osbs_install_openshift_source/tasks/main.yml @@ -0,0 +1,42 @@ +--- +- name: install build packages + yum: name={{ item }} state=installed + with_items: + - rpm-build + - yum-utils + - rpmdevtools + +- name: delete rpmbuild directories + file: path={{ rpmbuild_dir }}/{{ item }}/ state=absent + with_items: + - RPMS + - SRPMS + - BUILD + - BUILDROOT + +- name: create rpmbuild directories + file: path={{ rpmbuild_dir }}/{{ item }}/ state=directory recurse=yes + with_items: + - SPECS + - SOURCES + +- name: upload SPEC + template: src=openshift.spec.j2 dest={{ rpmbuild_dir }}/SPECS/openshift.spec + +- name: install build dependencies + command: yum-builddep -y {{ rpmbuild_dir }}/SPECS/openshift.spec + +- name: download openshift tarball + get_url: + url: https://github.com/openshift/origin/archive/{{ openshift_commit }}/{{ openshift_archive }} + dest: "{{ rpmbuild_dir }}/SOURCES/{{ openshift_archive }}" + +- name: run build + command: rpmbuild -bb --clean {{ rpmbuild_dir }}/SPECS/openshift.spec + +- name: find the RPMs + command: find {{ rpmbuild_dir }}/RPMS/ -type f + register: find_rpms + +- name: install the RPMs + shell: yum -y localinstall {{ rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm diff --git a/roles/osbs_install_openshift_source/templates/openshift.spec.j2 b/roles/osbs_install_openshift_source/templates/openshift.spec.j2 new file mode 100644 index 0000000000..d6e15bd934 --- /dev/null +++ b/roles/osbs_install_openshift_source/templates/openshift.spec.j2 
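Review bot: `download openshift tarball` fetches from GitHub with no `sha256sum`, and the whole build then runs `yum-builddep` and `rpmbuild -bb` in `{{ ansible_env.HOME }}/rpmbuild` as the play's user — presumably root, since the other roles install packages and manage services without `become` — so an unverified archive's build scripts execute with full privileges. The commit pin helps, but add `sha256sum:` to the `get_url` task and run the `rpmbuild` step as an unprivileged build account so that only the final `localinstall` needs root. The registered `find_rpms` result is never used while the install relies on a `shell` glob; install from `{{ find_rpms.stdout_lines }}` or drop the `find the RPMs` task.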
@@ -0,0 +1,295 @@ +#debuginfo not supported with Go +%global debug_package %{nil} +%global gopath %{_datadir}/gocode +%global import_path github.com/openshift/origin +%global kube_plugin_path /usr/libexec/kubernetes/kubelet-plugins/net/exec/redhat~openshift-ovs-subnet +%global sdn_import_path github.com/openshift/openshift-sdn + +# %commit and %ldflags are intended to be set by tito custom builders provided +# in the rel-eng directory. The values in this spec file will not be kept up to date. +%{!?commit: +%global commit {{ openshift_commit }} +} +%global shortcommit %(c=%{commit}; echo ${c:0:7}) +# OpenShift specific ldflags from hack/common.sh os::build:ldflags +%{!?ldflags: +%global ldflags -X github.com/openshift/origin/pkg/version.majorFromGit 0 -X github.com/openshift/origin/pkg/version.minorFromGit 0+ -X github.com/openshift/origin/pkg/version.versionFromGit v{{ openshift_version }} -X github.com/openshift/origin/pkg/version.commitFromGit {{ openshift_commit | truncate(7, True, '') }} -X github.com/GoogleCloudPlatform/kubernetes/pkg/version.gitCommit 6241a21 -X github.com/GoogleCloudPlatform/kubernetes/pkg/version.gitVersion v0.11.0-330-g6241a21 +} + +Name: openshift +# Version is not kept up to date and is intended to be set by tito custom +# builders provided in the rel-eng directory of this project +Version: {{ openshift_version }} +Release: 0%{?dist} +Summary: Open Source Platform as a Service by Red Hat +License: ASL 2.0 +URL: https://%{import_path} +ExclusiveArch: x86_64 +Source0: https://%{import_path}/archive/%{commit}/%{name}-%{commit}.tar.gz + +BuildRequires: systemd +BuildRequires: golang >= 1.2-7 +#XXX upstream has golang >= 1.4 but it's not in rhel7 (yet) + + +%description +%{summary} + +%package master +Summary: OpenShift Master +Requires: %{name} = %{version}-%{release} +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description master +%{summary} + +%package node +Summary: OpenShift Node +Requires: %{name} = 
%{version}-%{release} +Requires: docker-io >= 1.6.0 +Requires: tuned-profiles-openshift-node +Requires: util-linux +Requires: socat +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description node +%{summary} + +%package -n tuned-profiles-openshift-node +Summary: Tuned profiles for OpenShift Node hosts +Requires: tuned >= 2.3 +Requires: %{name} = %{version}-%{release} + +%description -n tuned-profiles-openshift-node +%{summary} + +%package clients +Summary: Openshift Client binaries for Linux, Mac OSX, and Windows +BuildRequires: golang-pkg-darwin-amd64 +BuildRequires: golang-pkg-windows-386 + +%description clients +%{summary} + +%package dockerregistry +Summary: Docker Registry v2 for OpenShift +Requires: %{name} = %{version}-%{release} + +%description dockerregistry +%{summary} + +%package pod +Summary: OpenShift Pod +Requires: openshift = %{version}-%{release} + +%description pod +%{summary} + +%prep +%setup -qn origin-%{commit} + +%build + +# Don't judge me for this ... it's so bad. +mkdir _build + +# Horrid hack because golang loves to just bundle everything +pushd _build + mkdir -p src/github.com/openshift + ln -s $(dirs +1 -l) src/%{import_path} +popd + + +# Gaming the GOPATH to include the third party bundled libs at build +# time. This is bad and I feel bad. 
+mkdir _thirdpartyhacks +pushd _thirdpartyhacks + ln -s \ + $(dirs +1 -l)/Godeps/_workspace/src/ \ + src +popd +export GOPATH=$(pwd)/_build:$(pwd)/_thirdpartyhacks:%{buildroot}%{gopath}:%{gopath} +# Build all linux components we care about +for cmd in openshift dockerregistry +do + go install -ldflags "%{ldflags}" %{import_path}/cmd/${cmd} +done + +# Build only 'openshift' for other platforms +GOOS=windows GOARCH=386 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift +GOOS=darwin GOARCH=amd64 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift + +#Build our pod +pushd images/pod/ + go build -ldflags "%{ldflags}" pod.go +popd + +%install + +install -d %{buildroot}%{_bindir} +install -d %{buildroot}%{_datadir}/%{name}/{linux,macosx,windows} + +# Install linux components +for bin in openshift dockerregistry +do + echo "+++ INSTALLING ${bin}" + install -p -m 755 _build/bin/${bin} %{buildroot}%{_bindir}/${bin} +done +# Install 'openshift' as client executable for windows and mac +install -p -m 755 _build/bin/openshift %{buildroot}%{_datadir}/%{name}/linux/osc +install -p -m 755 _build/bin/darwin_amd64/openshift %{buildroot}%{_datadir}/%{name}/macosx/osc +install -p -m 755 _build/bin/windows_386/openshift.exe %{buildroot}%{_datadir}/%{name}/windows/osc.exe +#Install openshift pod +install -p -m 755 images/pod/pod %{buildroot}%{_bindir}/ + +install -d -m 0755 %{buildroot}/etc/%{name}/{master,node} +install -d -m 0755 %{buildroot}%{_unitdir} +install -m 0644 -t %{buildroot}%{_unitdir} rel-eng/openshift-master.service +install -m 0644 -t %{buildroot}%{_unitdir} rel-eng/openshift-node.service + +mkdir -p %{buildroot}%{_sysconfdir}/sysconfig +install -m 0644 rel-eng/openshift-master.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/openshift-master +install -m 0644 rel-eng/openshift-node.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/openshift-node + +mkdir -p %{buildroot}%{_sharedstatedir}/%{name} + +ln -s %{_bindir}/openshift %{buildroot}%{_bindir}/osc +ln 
-s %{_bindir}/openshift %{buildroot}%{_bindir}/osadm + +install -d -m 0755 %{buildroot}%{_prefix}/lib/tuned/openshift-node-{guest,host} +install -m 0644 tuned/openshift-node-guest/tuned.conf %{buildroot}%{_prefix}/lib/tuned/openshift-node-guest/ +install -m 0644 tuned/openshift-node-host/tuned.conf %{buildroot}%{_prefix}/lib/tuned/openshift-node-host/ +install -d -m 0755 %{buildroot}%{_mandir}/man7 +install -m 0644 tuned/man/tuned-profiles-openshift-node.7 %{buildroot}%{_mandir}/man7/tuned-profiles-openshift-node.7 + +# Install sdn scripts for node subpackage +install -d -m 0755 %{buildroot}%{kube_plugin_path} +pushd _thirdpartyhacks/src/%{sdn_import_path}/ovssubnet/bin + install -p -m 755 openshift-ovs-subnet %{buildroot}%{kube_plugin_path}/openshift-ovs-subnet + install -p -m 755 openshift-sdn-kube-subnet-setup.sh %{buildroot}%{_bindir}/ + install -p -m 755 openshift-sdn-simple-setup-node.sh %{buildroot}%{_bindir}/ +popd + +%files +%defattr(-,root,root,-) +%doc README.md LICENSE +%{_bindir}/openshift +%{_bindir}/osc +%{_bindir}/osadm +%{_sharedstatedir}/%{name} + +%files master +%defattr(-,root,root,-) +%{_unitdir}/openshift-master.service +%config(noreplace) %{_sysconfdir}/sysconfig/openshift-master +%config(noreplace) /etc/%{name}/master + +%post master +%systemd_post %{basename:openshift-master.service} + +%preun master +%systemd_preun %{basename:openshift-master.service} + +%postun master +%systemd_postun + + +%files node +%defattr(-,root,root,-) +%{_unitdir}/openshift-node.service +%config(noreplace) %{_sysconfdir}/sysconfig/openshift-node +%config(noreplace) /etc/%{name}/node +%{_bindir}/openshift-sdn-simple-setup-node.sh +%{_bindir}/openshift-sdn-kube-subnet-setup.sh +%{kube_plugin_path}/openshift-ovs-subnet + +%post node +%systemd_post %{basename:openshift-node.service} + +%preun node +%systemd_preun %{basename:openshift-node.service} + +%postun node +%systemd_postun + +%files -n tuned-profiles-openshift-node +%defattr(-,root,root,-) 
+%{_prefix}/lib/tuned/openshift-node-host +%{_prefix}/lib/tuned/openshift-node-guest +%{_mandir}/man7/tuned-profiles-openshift-node.7* + +%post -n tuned-profiles-openshift-node +recommended=`/usr/sbin/tuned-adm recommend` +if [[ "${recommended}" =~ guest ]] ; then + /usr/sbin/tuned-adm profile openshift-node-guest > /dev/null 2>&1 +else + /usr/sbin/tuned-adm profile openshift-node-host > /dev/null 2>&1 +fi + +%preun -n tuned-profiles-openshift-node +# reset the tuned profile to the recommended profile +# $1 = 0 when we're being removed > 0 during upgrades +if [ "$1" = 0 ]; then + recommended=`/usr/sbin/tuned-adm recommend` + /usr/sbin/tuned-adm profile $recommended > /dev/null 2>&1 +fi + +%files clients +%{_datadir}/%{name}/linux/osc +%{_datadir}/%{name}/macosx/osc +%{_datadir}/%{name}/windows/osc.exe + +%files dockerregistry +%defattr(-,root,root,-) +%{_bindir}/dockerregistry + +%files pod +%defattr(-,root,root,-) +%{_bindir}/pod + +%changelog +* Mon Jan 26 2015 Scott Dodson 0.2-3 +- Update to 21fb40637c4e3507cca1fcab6c4d56b06950a149 +- Split packaging of openshift-master and openshift-node + +* Mon Jan 19 2015 Scott Dodson 0.2-2 +- new package built with tito + +* Fri Jan 09 2015 Adam Miller - 0.2-2 +- Add symlink for osc command line tooling (merged in from jhonce@redhat.com) + +* Wed Jan 07 2015 Adam Miller - 0.2-1 +- Update to latest upstream release +- Restructured some of the golang deps build setup for restructuring done + upstream + +* Thu Oct 23 2014 Adam Miller - 0-0.0.9.git562842e +- Add new patches from jhonce for systemd units + +* Mon Oct 20 2014 Adam Miller - 0-0.0.8.git562842e +- Update to latest master snapshot + +* Wed Oct 15 2014 Adam Miller - 0-0.0.7.git7872f0f +- Update to latest master snapshot + +* Fri Oct 03 2014 Adam Miller - 0-0.0.6.gite4d4ecf +- Update to latest Alpha nightly build tag 20141003 + +* Wed Oct 01 2014 Adam Miller - 0-0.0.5.git6d9f1a9 +- Switch to consistent naming, patch by jhonce + +* Tue Sep 30 2014 Adam Miller - 
0-0.0.4.git6d9f1a9 +- Add systemd and sysconfig entries from jhonce + +* Tue Sep 23 2014 Adam Miller - 0-0.0.3.git6d9f1a9 +- Update to latest upstream. + +* Mon Sep 15 2014 Adam Miller - 0-0.0.2.git2647df5 +- Update to latest upstream. + +* Thu Aug 14 2014 Adam Miller - 0-0.0.1.gitc3839b8 +- First package diff --git a/roles/osbs_kerberos_proxy/defaults/main.yml b/roles/osbs_kerberos_proxy/defaults/main.yml new file mode 100644 index 0000000000..2fc87c3dcc --- /dev/null +++ b/roles/osbs_kerberos_proxy/defaults/main.yml 
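Review bot: `%global ldflags` hard-codes the Kubernetes version stamps (`gitCommit 6241a21`, `gitVersion v0.11.0-330-g6241a21`) while the OpenShift commit and version are templated from `openshift_commit`/`openshift_version`, so as soon as the role is pointed at a newer origin commit the binary will report a vendored Kubernetes version that no longer matches `Godeps/_workspace` — misleading for anyone auditing the build host against a known-vulnerable kube release. Either derive those values from the pinned commit's `Godeps/Godeps.json` or add above the macro: `# Kubernetes gitCommit/gitVersion below must be updated together with openshift_commit (see Godeps/Godeps.json)`. The `%changelog` still ends at 0.2-3 from January 2015 even though `Version:` is templated, so `rpm -q --changelog` will not describe what was actually built; an entry generated from `openshift_commit` and `openshift_version` would keep it honest.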
@@ -0,0 +1,43 @@
+---
+# generate self-signed certificates? useful for debugging
+ssl_generate_selfsigned: false
+
+ssl_cert_file: /etc/pki/tls/certs/{{ ansible_fqdn }}.crt
+ssl_key_file: /etc/pki/tls/private/{{ ansible_fqdn }}.key
+ssl_client_certkey_file: /etc/httpd/krbproxy_certkey.crt
+ssl_client_ca_file: /etc/httpd/krbproxy_ca.crt
+
+proxy_port: 9443
+proxy_dest_url: https://127.0.0.1:8443/
+proxy_authname: Kerberos Authentication
+
+# used for mutually authenticating the proxy and the proxied machine
+# no authentication happens when unset
+#proxy_machine_ca_file: /var/lib/openshift/openshift.local.certificates/ca/cert.crt
+#proxy_machine_cert_file: /var/lib/openshift/openshift.local.certificates/openshift-client/cert.crt
+#proxy_machine_key_file: /var/lib/openshift/openshift.local.certificates/openshift-client/key.key
+
+# if no ticket is supplied, fall back to basic authentication by login+password
+# (through kerberos)
+proxy_enable_password_login: false
+
+proxy_secrets_owner: apache
+proxy_secrets_group: root
+proxy_secrets_perms: "0600"
+
+krb_keytab_file: /etc/httpd/HTTP-{{ ansible_fqdn }}.keytab
+
+kerberos_client_realm_name: EXAMPLE.COM
+kerberos_client_kdc_hostname: kerberos
+kerberos_client_admin_hostname: kerberos
+kerberos_client_dns_lookup_realm: false
+kerberos_client_dns_lookup_kdc: false
+kerberos_client_ticket_lifetime: 24h
+kerberos_client_renew_lifetime: 7d
+kerberos_client_forwardable: true
+
+# extra verbose httpd logs?
+proxy_debug: false
+
+# set to false if you don't use firewalld or do not want the playbook to modify it
+manage_firewall: true
diff --git a/roles/osbs_kerberos_proxy/handlers/main.yml b/roles/osbs_kerberos_proxy/handlers/main.yml
new file mode 100644
index 0000000000..e379288d84
--- /dev/null
+++ b/roles/osbs_kerberos_proxy/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: restart httpd
+ service: name=httpd state=restarted
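Review bot: The comment on `proxy_enable_password_login` should state what the fallback implies: with it enabled the proxy accepts the user's Kerberos password in an HTTP Basic `Authorization` header and verifies it against the KDC itself, so the password transits the proxy host and should only ever be accepted on the TLS listener. Suggested wording: `# if no ticket is supplied, accept login+password via HTTP Basic auth and verify it against the KDC; the proxy host then handles user passwords, so keep this off unless needed`. The `# no authentication happens when unset` line above the `proxy_machine_*` defaults is also ambiguous about direction; if the intent is that the proxy then presents no client certificate to the backend, `# when unset, the proxy presents no client certificate to the proxied machine` says so.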
diff --git a/roles/osbs_kerberos_proxy/tasks/main.yml b/roles/osbs_kerberos_proxy/tasks/main.yml new file mode 100644 index 0000000000..6343ee07d1 --- /dev/null +++ b/roles/osbs_kerberos_proxy/tasks/main.yml 
@@ -0,0 +1,89 @@ +--- +- name: ensure required packages are installed + yum: name={{ item }} state=present + with_items: + # kerberos + - krb5-workstation + # httpd + - httpd + - mod_ssl + - mod_auth_kerb + # selinux + - policycoreutils-python + +# Based on https://github.com/bennojoy/kerberos_client +# BSD licensed +- name: configure kerberos client + template: src=krb5.conf.j2 dest=/etc/krb5.conf + +- name: generate self-signed certificate + command: > + openssl req -new -nodes -x509 + -subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}" + -days 3650 + -keyout {{ ssl_key_file }} + -out {{ ssl_cert_file }} + -extensions v3_ca + args: + creates: "{{ ssl_cert_file }}" + when: ssl_generate_selfsigned + notify: + - restart httpd + +# TODO: The private key is world readable after it is generated but before this task finishes. +# We should use umask/private directory to protect it. +- name: set permissions on private key + file: + path: "{{ ssl_key_file }}" + state: file + owner: "{{ proxy_secrets_owner }}" + group: "{{ proxy_secrets_group }}" + mode: "{{ proxy_secrets_perms }}" + +- name: create proxy client cert+key file + shell: cat {{ proxy_machine_cert_file }} {{ proxy_machine_key_file}} > {{ ssl_client_certkey_file }} + when: proxy_machine_cert_file is defined + register: certkey_file + notify: + - restart httpd + +- name: set permissions on client cert+key + file: + path: "{{ ssl_client_certkey_file }}" + state: file + owner: "{{ proxy_secrets_owner }}" + group: "{{ proxy_secrets_group }}" + mode: "{{ proxy_secrets_perms }}" + when: certkey_file.changed + +- name: copy client CA file + command: cp {{ proxy_machine_ca_file }} {{ ssl_client_ca_file }} + when: proxy_machine_ca_file is defined + +- name: set permissions on kerberos keytab + file: + path: "{{ krb_keytab_file }}" + state: file + owner: "{{ proxy_secrets_owner }}" + group: "{{ proxy_secrets_group }}" + mode: "{{ proxy_secrets_perms }}" + +- name: configure httpd + template: 
src=httpd-krbproxy.conf.j2 dest=/etc/httpd/conf.d/krbproxy.conf + notify: + - restart httpd + +- name: allow proxy port in selinux + shell: semanage port -a -t http_port_t -p tcp {{ proxy_port }} || true + +# Permanent rules aren't applied immediately. Starting with ansible 1.9, +# this ugliness can be replaced with permanent=true immediate=true. +- name: open required ports in the firewall + firewalld: port={{ proxy_port }}/tcp state=enabled permanent={{ item }} + with_items: + - true + - false + when: manage_firewall + +- name: ensure httpd is running + service: name=httpd state=started enabled=yes diff --git a/roles/osbs_kerberos_proxy/templates/httpd-krbproxy.conf.j2 b/roles/osbs_kerberos_proxy/templates/httpd-krbproxy.conf.j2 new file mode 100644 index 0000000000..049d66d3bb --- /dev/null +++ b/roles/osbs_kerberos_proxy/templates/httpd-krbproxy.conf.j2 
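Review bot: The private key written by `generate self-signed certificate` and the combined cert+key file written by `create proxy client cert+key file` are both created under the process's default umask and only tightened by the later `file:` tasks, so there is a window in which they are readable by other local users — the TODO in the hunk names the first case, but the second has the same problem. Running both through `shell:` with a umask in front closes the window without other changes: `shell: umask 077 && openssl req -new -nodes -x509 ...` (keeping `args: creates:`) and `shell: umask 077 && cat {{ proxy_machine_cert_file }} {{ proxy_machine_key_file }} > {{ ssl_client_certkey_file }}`. The cat task also guards only on `proxy_machine_cert_file is defined` while expanding `proxy_machine_key_file`, so a missing key variable fails with a template error rather than a clear message, and with no `creates:` or `changed_when` it reports changed and restarts httpd on every run. Finally, `allow proxy port in selinux` masks every semanage failure with `|| true` (a wrong port or missing policycoreutils-python is never surfaced) and always reports changed; checking `semanage port -l` first or setting `changed_when`/`failed_when` on the output would keep real errors visible.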
@@ -0,0 +1,68 @@ +ServerName {{ ansible_fqdn }} +ProxyRequests Off +Listen {{ proxy_port }} + +{% if proxy_debug %} +## debugging +## in prod we should decrease verbosity +# DumpIOInput On +# DumpIOOutput On +LogLevel Debug +# LogLevel dumpio:trace7 +{% endif %} + + + DocumentRoot /var/www/html + + SSLEngine on + SSLCertificateFile {{ ssl_cert_file }} + SSLCertificateKeyFile {{ ssl_key_file }} + + SSLProxyEngine On +{% if proxy_machine_ca_file is defined %} + SSLProxyCACertificateFile {{ ssl_client_ca_file }} +{% endif %} +{% if proxy_machine_cert_file is defined %} + SSLProxyMachineCertificateFile {{ ssl_client_certkey_file }} +{% endif %} + + SetEnv proxy-sendchunked 1 + ProxyRequests Off + + ProxyPass {{ proxy_dest_url }} connectiontimeout=30 timeout=300 + ProxyPassReverse {{ proxy_dest_url }} + + + # don't auth /oauth/token/request and /oauth/token/display + + Require all granted + + + # /oauth/authorize and /oauth/approve should be protected by Apache. + + + Require all granted + RequestHeader set X-Remote-User {{ ansible_hostname }} + + + AuthType Kerberos + AuthName "{{ proxy_authname }}" + KrbMethodNegotiate on + KrbMethodK5Passwd {{ 'on' if proxy_enable_password_login else 'off' }} + KrbServiceName Any + KrbAuthRealms {{ kerberos_client_realm_name }} + Krb5Keytab {{ krb_keytab_file }} + Require valid-user + RequestHeader set X-Remote-User %{REMOTE_USER}s + + RequestHeader unset Authorization + RequestHeader unset WWW-Authenticate + + + # All other requests should use Bearer tokens. These can only be verified by + # OpenShift so we need to let these requests pass through. + + SetEnvIfNoCase Authorization Bearer passthrough + Require env passthrough + + diff --git a/roles/osbs_kerberos_proxy/templates/krb5.conf.j2 b/roles/osbs_kerberos_proxy/templates/krb5.conf.j2 new file mode 100644 index 0000000000..cddabe9bd8 --- /dev/null +++ b/roles/osbs_kerberos_proxy/templates/krb5.conf.j2 
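Review bot: Nothing in the rendered config strips a client-supplied `X-Remote-User` header before the request is proxied: the Kerberos block overwrites it with `RequestHeader set`, but the Bearer pass-through block and the two `Require all granted` blocks forward whatever the client sent, so the backend must not treat that header as authenticated on those paths — the enclosing `<Location>` tags were lost in rendering, so which paths are covered cannot be read from the hunk. Adding `RequestHeader unset X-Remote-User` at VirtualHost level makes the proxy the only source of that header; mod_headers applies VirtualHost-level directives before Location-level ones, so the Kerberos `set` still wins where it applies. Separately, `SSLProxyEngine On` is configured without `SSLProxyVerify`, whose default is `none`, so the backend certificate is not checked even when `proxy_machine_ca_file` is supplied; `SSLProxyVerify require` inside the `{% if proxy_machine_ca_file is defined %}` block enforces it, and with `proxy_dest_url` defaulting to `https://127.0.0.1:8443/` the peer-name check will then also need attention.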
@@ -0,0 +1,23 @@ +[logging] + default = FILE:/var/log/krb5libs.log + kdc = FILE:/var/log/krb5kdc.log + admin_server = FILE:/var/log/kadmind.log + +[libdefaults] + default_realm = {{ kerberos_client_realm_name|upper() }} + dns_lookup_realm = {{ kerberos_client_dns_lookup_realm }} + dns_lookup_kdc = {{ kerberos_client_dns_lookup_kdc }} + ticket_lifetime = {{ kerberos_client_ticket_lifetime }} + renew_lifetime = {{ kerberos_client_renew_lifetime }} + forwardable = {{ kerberos_client_forwardable }} + +[realms] + {{ kerberos_client_realm_name|upper() }} = { + kdc = {{ kerberos_client_kdc_hostname }}.{{ kerberos_client_realm_name|lower() }} + admin_server = {{ kerberos_client_admin_hostname }}.{{ kerberos_client_realm_name|lower() }} + } + +[domain_realm] + .{{ kerberos_client_realm_name|lower() }} = {{ kerberos_client_realm_name|upper() }} + {{ kerberos_client_realm_name|lower() }} = {{ kerberos_client_realm_name|upper() }} + diff --git a/roles/osbs_kerberos_proxy/vars/main.yml b/roles/osbs_kerberos_proxy/vars/main.yml new file mode 100644 index 0000000000..0a685900de --- /dev/null +++ b/roles/osbs_kerberos_proxy/vars/main.yml @@ -0,0 +1,2 @@ +--- +docker_network: 172.17.42.1/16
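Review bot: `dns_lookup_realm`, `dns_lookup_kdc` and `forwardable` are rendered from Ansible booleans, so the file ends up with `True`/`False` rather than the `true`/`false` spelling the krb5.conf documentation uses; MIT krb5 parses boolean values case-insensitively as far as I know, so this works, but `{{ kerberos_client_forwardable|lower }}` (and the same for the other two) produces the documented spelling and removes the dependency. The `[realms]` entry also builds the KDC and admin hostnames as `{{ kerberos_client_kdc_hostname }}.{{ kerberos_client_realm_name|lower() }}`, which only holds when the realm name equals the DNS domain; a comment above it, `# kdc/admin hostnames are assumed to live in the DNS domain matching the realm name`, keeps that assumption visible to whoever overrides the defaults.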