Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

First run at stg OSBS for layered build system

Browse source
This commit is contained in:
Adam Miller 2015-07-13 16:29:03 +00:00
parent 10a3c2c8b3
commit 9cd22bd47e
25 changed files with 1057 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
playbooks/groups/osbs.yml
View file

@ -43,3 +43,16 @@
handlers: handlers:
- include: "{{ handlers }}/restart_services.yml" - include: "{{ handlers }}/restart_services.yml"
- name: apply common osbs configuration
hosts: osbs-stg
roles:
- osbs_common
- name: set up openshift build hosts
hosts: osbs-stg
roles:
- osbs_install_openshift_copr
# change behind_auth_proxy to true when using kerberos proxy
- { role: osbs_builder, behind_auth_proxy: false }

38
roles/osbs_builder/defaults/main.yml Normal file
View file

@ -0,0 +1,38 @@
---
# OSBS expects the build image to be named buildroot
buildroot_tag: buildroot
# create build image from source or pull it from a registry?
# see options below
buildroot_from_source: true
## for build_buildroot_from_source=false
buildroot_pull:
registry: registry.hub.docker.com
registry_insecure: false
image: mmilata/buildroot:latest
## for build_buildroot_from_source=true
buildroot_build:
# buildroot base image source
base_registry: registry.hub.docker.com
base_registry_insecure: false
base_image: library/fedora:latest
# allow retagging the base image to match FROM in Dockerfile
base_image_retag: fedora:latest
# buildroot dockerfile source
git_url: https://github.com/mmilata/osbs-buildroot-osv3.git
git_branch: master
git_subdir: ""
git_local_path: "{{ ansible_env.HOME }}/osbs-buildroot-docker"
## docker needs to know which registries are insecure
insecure_registries: []
# is authenticating proxy in front of us? if true, do not expose openshift port
# and require users to be authenticated
# set to false for debugging
behind_auth_proxy: true
# set to false if you don't use firewalld or do not want the playbook to modify it
manage_firewall: true

9
roles/osbs_builder/files/sysconfig-openshift-master Normal file
View file

@ -0,0 +1,9 @@
OPTIONS="--loglevel=3"
CONFIG_FILE=/etc/openshift/master/master-config.yaml
# Proxy configuration
# OpenShift uses standard HTTP_PROXY environment variables. Be sure to set
# NO_PROXY for your master
#NO_PROXY=master.example.com
#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT

22
roles/osbs_builder/files/sysconfig-openshift-node Normal file
View file

@ -0,0 +1,22 @@
OPTIONS="--loglevel=3"
# /etc/openshift/node/ should contain the entire contents of
# /var/lib/openshift.local.certificates/node-${node-fqdn} generated by
# running 'openshift admin create-node-config' on your master
#
# If if your node is running on a separate host you can rsync the contents
# rsync -a root@openshift-master:/var/lib/openshift/openshift.local.certificates/node-`hostname`/ /etc/openshift/node
CONFIG_FILE=/etc/openshift/node/node-config.yaml
# The $DOCKER_NETWORK_OPTIONS variable is used by sdn plugins to set
# $DOCKER_NETWORK_OPTIONS variable in the /etc/sysconfig/docker-network
# Most plugins include their own defaults within the scripts
# TODO: More elegant solution like this
# https://github.com/coreos/flannel/blob/master/dist/mk-docker-opts.sh
# DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'
# Proxy configuration
# OpenShift uses standard HTTP_PROXY environment variables. Be sure to set
# NO_PROXY for your master
#NO_PROXY=master.example.com
#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT

19
roles/osbs_builder/tasks/buildroot_from_source.yml Normal file
View file

@ -0,0 +1,19 @@
---
- name: pull buildroot base image
command: docker pull {{ buildroot_build.base_registry }}/{{ buildroot_build.base_image }}
- name: tag buildroot base image
command: docker tag -f {{ buildroot_build.base_registry }}/{{ buildroot_build.base_image }} {{ buildroot_build.base_image_retag }}
when: buildroot_base_image_retag is defined
- name: pull build image git repository
git:
repo: "{{ buildroot_build.git_url }}"
dest: "{{ buildroot_build.git_local_path }}"
version: "{{ buildroot_build.git_branch }}"
accept_hostkey: yes
register: buildroot_git_repo
- name: build buildroot
command: docker build --no-cache=true --tag={{ buildroot_tag }} {{ buildroot_build.git_local_path }}/{{ buildroot_build.git_subdir }}
when: buildroot_git_repo.changed

139
roles/osbs_builder/tasks/main.yml Normal file
View file

@ -0,0 +1,139 @@
---
- name: install packages required by osbs
yum: name={{ item }} state=installed
with_items:
- bind-utils
- iptables-services
- bridge-utils
- dock
- docker
- docker-registry
### docker service ###
- name: ensure docker is running
service: name=docker state=started enabled=yes
- name: configure docker
template: src=sysconfig-docker.j2 dest=/etc/sysconfig/docker
register: docker_sysconfig
- name: restart docker after changing configuration
service: name=docker state=restarted
when: docker_sysconfig.changed
### openshift service ###
# Permanent rules aren't applied immediately. Starting with ansible 1.9,
# these two rules can be merged into one with permanent=true immediate=true.
- name: open openshift port in the firewall
firewalld: port={{ openshift_port }}/tcp state=enabled permanent={{ item }}
with_items:
- true
- false
when: not behind_auth_proxy and manage_firewall
- name: close openshift port in the firewall
firewalld: port={{ openshift_port }}/tcp state=disabled permanent={{ item }}
with_items:
- true
- false
when: behind_auth_proxy and manage_firewall
- name: modifications in /etc/sysconfig/openshift
copy: src=sysconfig-openshift-{{ item }} dest=/etc/sysconfig/openshift-{{ item }}
with_items:
- master
- node
- name: generate basic openshift configuration and certificates
command: openshift start --write-config=/etc/openshift
args:
chdir: "{{ openshift_home }}"
creates: /etc/openshift/node-{{ ansible_fqdn }}/node-config.yaml
- name: link /etc/openshift/node to actual node directory
file: path=/etc/openshift/node src=/etc/openshift/node-{{ ansible_fqdn }} force=yes state=link
- name: configure openshift master
template: src=master.yaml.j2 dest=/etc/openshift/master/master-config.yaml
register: openshift_master_config
- name: configure openshift node
template: src=node.yaml.j2 dest=/etc/openshift/node/node-config.yaml
register: openshift_node_config
- name: generate cert for authenticating proxy - self-signed certificate
command: >
openssl req -new -nodes -x509
-subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}"
-days 3650
-keyout {{ proxy_auth_key_file }}
-out {{ proxy_auth_cert_file }}
-extensions v3_ca
args:
creates: "{{ proxy_auth_cert_file }}"
when: behind_auth_proxy and proxy_auth_generate_selfsigned
register: auth_proxy_cert
- name: generate cert for authenticating proxy - convert privkey to rsa
command: openssl rsa -in {{ proxy_auth_key_file }} -out {{ proxy_auth_key_file }}
when: auth_proxy_cert.changed
- name: restart openshift master after changing configuration
service: name=openshift-master state=restarted
when: openshift_master_config.changed
- name: restart openshift node after changing configuration
service: name=openshift-node state=restarted
when: openshift_node_config.changed
- name: ensure openshift is running
service: name=openshift-{{ item }} state=started enabled=yes
with_items:
- master
- node
- name: wait for openshift to start accepting connections
wait_for: port={{ openshift_port }} timeout=30
# Set up authorization policy. If we are behind proxy then assign authenticated
# users the "edit" role which can start builds and watch build logs.
# If we are not (=debug), add both authenticated and unauthenticated users to
# the role.
- name: openshift auth - clear
command: osadm policy remove-role-from-group edit system:authenticated system:unauthenticated
environment: osc_environment
register: command_result
failed_when: command_result.rc != 0 and "unable to locate RoleBinding" not in command_result.stderr
- name: openshift auth - make everyone cluster admin
command: osadm policy add-role-to-group edit system:unauthenticated system:authenticated
environment: osc_environment
when: not behind_auth_proxy
- name: openshift auth - authenticated users are cluster admins
command: osadm policy add-role-to-group edit system:authenticated
environment: osc_environment
when: behind_auth_proxy
# Useful when using "osc" to inspect openshift state.
- name: add OPENSHIFTCONFIG to .bashrc
lineinfile:
dest: "{{ ansible_env.HOME }}/.bashrc"
regexp: "export OPENSHIFTCONFIG="
line: "export OPENSHIFTCONFIG={{ kubeconfig_path }}"
### buildroot image ###
- name: pull buildroot image
command: docker pull {{ buildroot_pull.registry }}/{{ buildroot_pull.image }}
register: pull_buildroot
when: not buildroot_from_source
- name: tag buildroot image
command: docker tag -f {{ buildroot_pull.registry }}/{{ buildroot_pull.image }} {{ buildroot_tag }}
when: pull_buildroot.changed
- include: buildroot_from_source.yml
when: buildroot_from_source

127
roles/osbs_builder/templates/master.yaml.j2 Normal file
View file

@ -0,0 +1,127 @@
apiLevels:
- v1beta3
- v1beta1
- v1
apiVersion: v1
assetConfig:
logoutURL: ""
masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
publicURL: https://{{ ansible_default_ipv4.address }}:8443/console/
servingInfo:
bindAddress: 0.0.0.0:8443
certFile: master.server.crt
clientCA: ""
keyFile: master.server.key
corsAllowedOrigins:
- 127.0.0.1
- {{ ansible_default_ipv4.address }}:8443
- localhost
dnsConfig:
bindAddress: 0.0.0.0:53
etcdClientInfo:
ca: ca.crt
certFile: master.etcd-client.crt
keyFile: master.etcd-client.key
urls:
- https://{{ ansible_default_ipv4.address }}:4001
etcdConfig:
address: {{ ansible_default_ipv4.address }}:4001
peerAddress: {{ ansible_default_ipv4.address }}:7001
peerServingInfo:
bindAddress: 0.0.0.0:7001
certFile: etcd.server.crt
clientCA: ca.crt
keyFile: etcd.server.key
servingInfo:
bindAddress: 0.0.0.0:4001
certFile: etcd.server.crt
clientCA: ca.crt
keyFile: etcd.server.key
storageDirectory: /var/lib/openshift/openshift.local.etcd
etcdStorageConfig:
kubernetesStoragePrefix: kubernetes.io
kubernetesStorageVersion: v1beta3
openShiftStoragePrefix: openshift.io
openShiftStorageVersion: v1beta3
imageConfig:
format: openshift/origin-${component}:${version}
latest: false
kind: MasterConfig
kubeletClientInfo:
ca: ca.crt
certFile: master.kubelet-client.crt
keyFile: master.kubelet-client.key
port: 10250
kubernetesMasterConfig:
apiLevels:
- v1beta1
- v1beta2
- v1beta3
- v1
masterCount: 1
masterIP: {{ ansible_default_ipv4.address }}
podEvictionTimeout: 5m
schedulerConfigFile: ""
servicesSubnet: 172.30.0.0/16
staticNodeNames:
- {{ ansible_fqdn }}
masterClients:
deployerKubeConfig: openshift-deployer.kubeconfig
externalKubernetesKubeConfig: ""
openshiftLoopbackKubeConfig: openshift-client.kubeconfig
masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
networkConfig:
clusterNetworkCIDR: 10.1.0.0/16
hostSubnetLength: 8
networkPluginName: ""
oauthConfig:
assetPublicURL: https://{{ ansible_default_ipv4.address }}:8443/console/
grantConfig:
method: auto
identityProviders:
{% if behind_auth_proxy %}
- name: my_request_header_provider
challenge: false
login: false
provider:
apiVersion: v1
kind: RequestHeaderIdentityProvider
clientCA: {{ proxy_auth_ca_file | default('/etc/openshift/master/ca.crt') }}
headers:
- X-Remote-User
{% else %}
- challenge: true
login: true
name: anypassword
provider:
apiVersion: v1
kind: AllowAllPasswordIdentityProvider
{% endif %}
masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
masterURL: https://{{ ansible_default_ipv4.address }}:8443
sessionConfig:
sessionMaxAgeSeconds: 300
sessionName: ssn
sessionSecretsFile: ""
tokenConfig:
accessTokenMaxAgeSeconds: 86400
authorizeTokenMaxAgeSeconds: 300
policyConfig:
bootstrapPolicyFile: policy.json
openshiftSharedResourcesNamespace: openshift
projectConfig:
defaultNodeSelector: ""
projectRequestMessage: ""
projectRequestTemplate: ""
serviceAccountConfig:
managedNames:
- default
- builder
privateKeyFile: serviceaccounts.private.key
publicKeyFiles:
- serviceaccounts.public.key
servingInfo:
bindAddress: 0.0.0.0:8443
certFile: master.server.crt
clientCA: ca.crt
keyFile: master.server.key

20
roles/osbs_builder/templates/node.yaml.j2 Normal file
View file

@ -0,0 +1,20 @@
allowDisabledDocker: true
apiVersion: v1
dnsDomain: cluster.local
dnsIP: {{ ansible_default_ipv4.address }}
dockerConfig:
execHandlerName: native
imageConfig:
format: openshift/origin-${component}:${version}
latest: false
kind: NodeConfig
masterKubeConfig: node.kubeconfig
networkPluginName: ""
nodeName: {{ ansible_fqdn }}
podManifestConfig: null
servingInfo:
bindAddress: 0.0.0.0:10250
certFile: server.crt
clientCA: node-client-ca.crt
keyFile: server.key
volumeDirectory: /var/lib/openshift/openshift.local.volumes

32
roles/osbs_builder/templates/sysconfig-docker.j2 Normal file
View file

@ -0,0 +1,32 @@
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled'
DOCKER_CERT_PATH=/etc/docker
# If you want to add your own registry to be used for docker search and docker pull use the
# ADD_REGISTRY option to list a set of comma separated registries.
# Note the last registry added will be the first regisry searched.
ADD_REGISTRY='--add-registry registry.access.redhat.com'
# If you want to block registries from being used, use the
# BLOCK_REGISTRY option to list a set of comma separated registries, and uncommenting
# it. For example adding docker.io will stop users from downloading images from docker.io
# BLOCK_REGISTRY='--block-registry public'
# If you have a registry secured with https but do not have proper certs destributed, you can
# tell docker to not look for full authorization by adding the registry to the
# INSECURE_REGISTRY line and uncommentin it.
INSECURE_REGISTRY='{% if buildroot_build.base_registry_insecure %}--insecure-registry {{ buildroot_build.base_registry }}{% elif buildroot_pull.registry_insecure %}--insecure--registry {{ buildroot_pull.registry }}{% endif %}{% for r in insecure_registries %} --insecure-registry {{ r }}{% endfor %}'
# On an SELinux system, if you remove the --selinux-enabled option, you
# also need to turn on the docker_transition_unconfined boolean.
# setsebool -P docker_transition_unconfined 1
# Location used for temporary files, such as those created by
# docker load and build operations. Default is /var/lib/docker/tmp
# Can be overriden by setting the following environment variable.
# DOCKER_TMPDIR=/var/tmp
# Controls the /etc/cron.daily/docker-logrotate cron job status.
# To disable, uncomment the line below.
# LOGROTATE=false

7
roles/osbs_builder/vars/main.yml Normal file
View file

@ -0,0 +1,7 @@
---
openshift_home: /var/lib/openshift
kubeconfig_path: /etc/openshift/master/admin.kubeconfig
openshift_port: 8443
osc_environment:
OPENSHIFTCONFIG: "{{ kubeconfig_path }}"

6
roles/osbs_common/defaults/main.yml Normal file
View file

@ -0,0 +1,6 @@
---
# set hostname of the machine
#hostname: example.org
# set to false if you don't use firewalld or do not want the playbook to modify it
manage_firewall: true

34
roles/osbs_common/tasks/main.yml Normal file
View file

@ -0,0 +1,34 @@
---
- name: set hostname
hostname: name={{ hostname }}
when: hostname is defined
- name: install basic packages
yum: name={{ item }} state=installed
with_items:
- vim
- tmux
- wget
- git
- net-tools
- yum-utils
- tree
- name: enable rhel7 repos
command: yum-config-manager --enable {{ item }}
with_items:
- rhel-7-server-optional-rpms
- rhel-7-server-extras-rpms
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
- name: enable epel7
yum: name={{ epel7_url }} state=installed
when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7'
- name: install firewalld
yum: name=firewalld state=installed
when: manage_firewall
- name: enable firewalld
service: name=firewalld state=started enabled=yes
when: manage_firewall

2
roles/osbs_common/vars/main.yml Normal file
View file

@ -0,0 +1,2 @@
---
epel7_url: http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm

2
roles/osbs_install_openshift_copr/defaults/main.yml Normal file
View file

@ -0,0 +1,2 @@
---
openshift_version: 0.5.4

9
roles/osbs_install_openshift_copr/tasks/main.yml Normal file
View file

@ -0,0 +1,9 @@
---
- name: copy repository file
template: src=mmilata-openshift.repo.j2 dest=/etc/yum.repos.d/mmilata-openshift.repo
- name: install openshift
yum: name={{ item }} state=installed
with_items:
- openshift-master
- openshift-node

8
roles/osbs_install_openshift_copr/templates/mmilata-openshift.repo.j2 Normal file
View file

@ -0,0 +1,8 @@
[mmilata-openshift]
name=Copr repo for openshift owned by mmilata
baseurl=https://copr-be.cloud.fedoraproject.org/results/mmilata/openshift/{{ (ansible_distribution == "Fedora") | ternary("fedora", "epel") }}-{{ ansible_distribution_major_version }}-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/mmilata/openshift/pubkey.gpg
enabled=1

5
roles/osbs_install_openshift_source/defaults/main.yml Normal file
View file

@ -0,0 +1,5 @@
---
rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild"
openshift_commit: 17a2e840914a9e2b0c2161e9f39efc22a043dec9
openshift_archive: openshift-{{ openshift_commit }}.tar.gz
openshift_version: 0.5.2

42
roles/osbs_install_openshift_source/tasks/main.yml Normal file
View file

@ -0,0 +1,42 @@
---
- name: install build packages
yum: name={{ item }} state=installed
with_items:
- rpm-build
- yum-utils
- rpmdevtools
- name: delete rpmbuild directories
file: path={{ rpmbuild_dir }}/{{ item }}/ state=absent
with_items:
- RPMS
- SRPMS
- BUILD
- BUILDROOT
- name: create rpmbuild directories
file: path={{ rpmbuild_dir }}/{{ item }}/ state=directory recurse=yes
with_items:
- SPECS
- SOURCES
- name: upload SPEC
template: src=openshift.spec.j2 dest={{ rpmbuild_dir }}/SPECS/openshift.spec
- name: install build dependencies
command: yum-builddep -y {{ rpmbuild_dir }}/SPECS/openshift.spec
- name: download openshift tarball
get_url:
url: https://github.com/openshift/origin/archive/{{ openshift_commit }}/{{ openshift_archive }}
dest: "{{ rpmbuild_dir }}/SOURCES/{{ openshift_archive }}"
- name: run build
command: rpmbuild -bb --clean {{ rpmbuild_dir }}/SPECS/openshift.spec
- name: find the RPMs
command: find {{ rpmbuild_dir }}/RPMS/ -type f
register: find_rpms
- name: install the RPMs
shell: yum -y localinstall {{ rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm

295
roles/osbs_install_openshift_source/templates/openshift.spec.j2 Normal file
View file

@ -0,0 +1,295 @@
#debuginfo not supported with Go
%global debug_package %{nil}
%global gopath %{_datadir}/gocode
%global import_path github.com/openshift/origin
%global kube_plugin_path /usr/libexec/kubernetes/kubelet-plugins/net/exec/redhat~openshift-ovs-subnet
%global sdn_import_path github.com/openshift/openshift-sdn
# %commit and %ldflags are intended to be set by tito custom builders provided
# in the rel-eng directory. The values in this spec file will not be kept up to date.
%{!?commit:
%global commit {{ openshift_commit }}
}
%global shortcommit %(c=%{commit}; echo ${c:0:7})
# OpenShift specific ldflags from hack/common.sh os::build:ldflags
%{!?ldflags:
%global ldflags -X github.com/openshift/origin/pkg/version.majorFromGit 0 -X github.com/openshift/origin/pkg/version.minorFromGit 0+ -X github.com/openshift/origin/pkg/version.versionFromGit v{{ openshift_version }} -X github.com/openshift/origin/pkg/version.commitFromGit {{ openshift_commit | truncate(7, True, '') }} -X github.com/GoogleCloudPlatform/kubernetes/pkg/version.gitCommit 6241a21 -X github.com/GoogleCloudPlatform/kubernetes/pkg/version.gitVersion v0.11.0-330-g6241a21
}
Name: openshift
# Version is not kept up to date and is intended to be set by tito custom
# builders provided in the rel-eng directory of this project
Version: {{ openshift_version }}
Release: 0%{?dist}
Summary: Open Source Platform as a Service by Red Hat
License: ASL 2.0
URL: https://%{import_path}
ExclusiveArch: x86_64
Source0: https://%{import_path}/archive/%{commit}/%{name}-%{commit}.tar.gz
BuildRequires: systemd
BuildRequires: golang >= 1.2-7
#XXX upstream has golang >= 1.4 but it's not in rhel7 (yet)
%description
%{summary}
%package master
Summary: OpenShift Master
Requires: %{name} = %{version}-%{release}
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description master
%{summary}
%package node
Summary: OpenShift Node
Requires: %{name} = %{version}-%{release}
Requires: docker-io >= 1.6.0
Requires: tuned-profiles-openshift-node
Requires: util-linux
Requires: socat
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description node
%{summary}
%package -n tuned-profiles-openshift-node
Summary: Tuned profiles for OpenShift Node hosts
Requires: tuned >= 2.3
Requires: %{name} = %{version}-%{release}
%description -n tuned-profiles-openshift-node
%{summary}
%package clients
Summary: Openshift Client binaries for Linux, Mac OSX, and Windows
BuildRequires: golang-pkg-darwin-amd64
BuildRequires: golang-pkg-windows-386
%description clients
%{summary}
%package dockerregistry
Summary: Docker Registry v2 for OpenShift
Requires: %{name} = %{version}-%{release}
%description dockerregistry
%{summary}
%package pod
Summary: OpenShift Pod
Requires: openshift = %{version}-%{release}
%description pod
%{summary}
%prep
%setup -qn origin-%{commit}
%build
# Don't judge me for this ... it's so bad.
mkdir _build
# Horrid hack because golang loves to just bundle everything
pushd _build
mkdir -p src/github.com/openshift
ln -s $(dirs +1 -l) src/%{import_path}
popd
# Gaming the GOPATH to include the third party bundled libs at build
# time. This is bad and I feel bad.
mkdir _thirdpartyhacks
pushd _thirdpartyhacks
ln -s \
$(dirs +1 -l)/Godeps/_workspace/src/ \
src
popd
export GOPATH=$(pwd)/_build:$(pwd)/_thirdpartyhacks:%{buildroot}%{gopath}:%{gopath}
# Build all linux components we care about
for cmd in openshift dockerregistry
do
go install -ldflags "%{ldflags}" %{import_path}/cmd/${cmd}
done
# Build only 'openshift' for other platforms
GOOS=windows GOARCH=386 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift
GOOS=darwin GOARCH=amd64 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift
#Build our pod
pushd images/pod/
go build -ldflags "%{ldflags}" pod.go
popd
%install
install -d %{buildroot}%{_bindir}
install -d %{buildroot}%{_datadir}/%{name}/{linux,macosx,windows}
# Install linux components
for bin in openshift dockerregistry
do
echo "+++ INSTALLING ${bin}"
install -p -m 755 _build/bin/${bin} %{buildroot}%{_bindir}/${bin}
done
# Install 'openshift' as client executable for windows and mac
install -p -m 755 _build/bin/openshift %{buildroot}%{_datadir}/%{name}/linux/osc
install -p -m 755 _build/bin/darwin_amd64/openshift %{buildroot}%{_datadir}/%{name}/macosx/osc
install -p -m 755 _build/bin/windows_386/openshift.exe %{buildroot}%{_datadir}/%{name}/windows/osc.exe
#Install openshift pod
install -p -m 755 images/pod/pod %{buildroot}%{_bindir}/
install -d -m 0755 %{buildroot}/etc/%{name}/{master,node}
install -d -m 0755 %{buildroot}%{_unitdir}
install -m 0644 -t %{buildroot}%{_unitdir} rel-eng/openshift-master.service
install -m 0644 -t %{buildroot}%{_unitdir} rel-eng/openshift-node.service
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
install -m 0644 rel-eng/openshift-master.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/openshift-master
install -m 0644 rel-eng/openshift-node.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/openshift-node
mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
ln -s %{_bindir}/openshift %{buildroot}%{_bindir}/osc
ln -s %{_bindir}/openshift %{buildroot}%{_bindir}/osadm
install -d -m 0755 %{buildroot}%{_prefix}/lib/tuned/openshift-node-{guest,host}
install -m 0644 tuned/openshift-node-guest/tuned.conf %{buildroot}%{_prefix}/lib/tuned/openshift-node-guest/
install -m 0644 tuned/openshift-node-host/tuned.conf %{buildroot}%{_prefix}/lib/tuned/openshift-node-host/
install -d -m 0755 %{buildroot}%{_mandir}/man7
install -m 0644 tuned/man/tuned-profiles-openshift-node.7 %{buildroot}%{_mandir}/man7/tuned-profiles-openshift-node.7
# Install sdn scripts for node subpackage
install -d -m 0755 %{buildroot}%{kube_plugin_path}
pushd _thirdpartyhacks/src/%{sdn_import_path}/ovssubnet/bin
install -p -m 755 openshift-ovs-subnet %{buildroot}%{kube_plugin_path}/openshift-ovs-subnet
install -p -m 755 openshift-sdn-kube-subnet-setup.sh %{buildroot}%{_bindir}/
install -p -m 755 openshift-sdn-simple-setup-node.sh %{buildroot}%{_bindir}/
popd
%files
%defattr(-,root,root,-)
%doc README.md LICENSE
%{_bindir}/openshift
%{_bindir}/osc
%{_bindir}/osadm
%{_sharedstatedir}/%{name}
%files master
%defattr(-,root,root,-)
%{_unitdir}/openshift-master.service
%config(noreplace) %{_sysconfdir}/sysconfig/openshift-master
%config(noreplace) /etc/%{name}/master
%post master
%systemd_post %{basename:openshift-master.service}
%preun master
%systemd_preun %{basename:openshift-master.service}
%postun master
%systemd_postun
%files node
%defattr(-,root,root,-)
%{_unitdir}/openshift-node.service
%config(noreplace) %{_sysconfdir}/sysconfig/openshift-node
%config(noreplace) /etc/%{name}/node
%{_bindir}/openshift-sdn-simple-setup-node.sh
%{_bindir}/openshift-sdn-kube-subnet-setup.sh
%{kube_plugin_path}/openshift-ovs-subnet
%post node
%systemd_post %{basename:openshift-node.service}
%preun node
%systemd_preun %{basename:openshift-node.service}
%postun node
%systemd_postun
%files -n tuned-profiles-openshift-node
%defattr(-,root,root,-)
%{_prefix}/lib/tuned/openshift-node-host
%{_prefix}/lib/tuned/openshift-node-guest
%{_mandir}/man7/tuned-profiles-openshift-node.7*
%post -n tuned-profiles-openshift-node
recommended=`/usr/sbin/tuned-adm recommend`
if [[ "${recommended}" =~ guest ]] ; then
/usr/sbin/tuned-adm profile openshift-node-guest > /dev/null 2>&1
else
/usr/sbin/tuned-adm profile openshift-node-host > /dev/null 2>&1
fi
%preun -n tuned-profiles-openshift-node
# reset the tuned profile to the recommended profile
# $1 = 0 when we're being removed > 0 during upgrades
if [ "$1" = 0 ]; then
recommended=`/usr/sbin/tuned-adm recommend`
/usr/sbin/tuned-adm profile $recommended > /dev/null 2>&1
fi
%files clients
%{_datadir}/%{name}/linux/osc
%{_datadir}/%{name}/macosx/osc
%{_datadir}/%{name}/windows/osc.exe
%files dockerregistry
%defattr(-,root,root,-)
%{_bindir}/dockerregistry
%files pod
%defattr(-,root,root,-)
%{_bindir}/pod
%changelog
* Mon Jan 26 2015 Scott Dodson <sdodson@redhat.com> 0.2-3
- Update to 21fb40637c4e3507cca1fcab6c4d56b06950a149
- Split packaging of openshift-master and openshift-node
* Mon Jan 19 2015 Scott Dodson <sdodson@redhat.com> 0.2-2
- new package built with tito
* Fri Jan 09 2015 Adam Miller <admiller@redhat.com> - 0.2-2
- Add symlink for osc command line tooling (merged in from jhonce@redhat.com)
* Wed Jan 07 2015 Adam Miller <admiller@redhat.com> - 0.2-1
- Update to latest upstream release
- Restructured some of the golang deps build setup for restructuring done
upstream
* Thu Oct 23 2014 Adam Miller <admiller@redhat.com> - 0-0.0.9.git562842e
- Add new patches from jhonce for systemd units
* Mon Oct 20 2014 Adam Miller <admiller@redhat.com> - 0-0.0.8.git562842e
- Update to latest master snapshot
* Wed Oct 15 2014 Adam Miller <admiller@redhat.com> - 0-0.0.7.git7872f0f
- Update to latest master snapshot
* Fri Oct 03 2014 Adam Miller <admiller@redhat.com> - 0-0.0.6.gite4d4ecf
- Update to latest Alpha nightly build tag 20141003
* Wed Oct 01 2014 Adam Miller <admiller@redhat.com> - 0-0.0.5.git6d9f1a9
- Switch to consistent naming, patch by jhonce
* Tue Sep 30 2014 Adam Miller <admiller@redhat.com> - 0-0.0.4.git6d9f1a9
- Add systemd and sysconfig entries from jhonce
* Tue Sep 23 2014 Adam Miller <admiller@redhat.com> - 0-0.0.3.git6d9f1a9
- Update to latest upstream.
* Mon Sep 15 2014 Adam Miller <admiller@redhat.com> - 0-0.0.2.git2647df5
- Update to latest upstream.
* Thu Aug 14 2014 Adam Miller <admiller@redhat.com> - 0-0.0.1.gitc3839b8
- First package

43
roles/osbs_kerberos_proxy/defaults/main.yml Normal file
View file

@ -0,0 +1,43 @@
---
# generate self-signed certificates? useful for debugging
ssl_generate_selfsigned: false
ssl_cert_file: /etc/pki/tls/certs/{{ ansible_fqdn }}.crt
ssl_key_file: /etc/pki/tls/private/{{ ansible_fqdn }}.key
ssl_client_certkey_file: /etc/httpd/krbproxy_certkey.crt
ssl_client_ca_file: /etc/httpd/krbproxy_ca.crt
proxy_port: 9443
proxy_dest_url: https://127.0.0.1:8443/
proxy_authname: Kerberos Authentication
# used for mutually authenticating the proxy and the proxied machine
# no authentication happens when unset
#proxy_machine_ca_file: /var/lib/openshift/openshift.local.certificates/ca/cert.crt
#proxy_machine_cert_file: /var/lib/openshift/openshift.local.certificates/openshift-client/cert.crt
#proxy_machine_key_file: /var/lib/openshift/openshift.local.certificates/openshift-client/key.key
# if no ticket is supplied, fall back to basic authentication by login+password
# (through kerberos)
proxy_enable_password_login: false
proxy_secrets_owner: apache
proxy_secrets_group: root
proxy_secrets_perms: "0600"
krb_keytab_file: /etc/httpd/HTTP-{{ ansible_fqdn }}.keytab
kerberos_client_realm_name: EXAMPLE.COM
kerberos_client_kdc_hostname: kerberos
kerberos_client_admin_hostname: kerberos
kerberos_client_dns_lookup_realm: false
kerberos_client_dns_lookup_kdc: false
kerberos_client_ticket_lifetime: 24h
kerberos_client_renew_lifetime: 7d
kerberos_client_forwardable: true
# extra verbose httpd logs?
proxy_debug: false
# set to false if you don't use firewalld or do not want the playbook to modify it
manage_firewall: true

3
roles/osbs_kerberos_proxy/handlers/main.yml Normal file
View file

@ -0,0 +1,3 @@
---
- name: restart httpd
service: name=httpd state=restarted

89
roles/osbs_kerberos_proxy/tasks/main.yml Normal file
View file

@ -0,0 +1,89 @@
---
- name: ensure required packages are installed
yum: name={{ item }} state=present
with_items:
# kerberos
- krb5-workstation
# httpd
- httpd
- mod_ssl
- mod_auth_kerb
# selinux
- policycoreutils-python
# Based on https://github.com/bennojoy/kerberos_client
# BSD licensed
- name: configure kerberos client
template: src=krb5.conf.j2 dest=/etc/krb5.conf
- name: generate self-signed certificate
command: >
openssl req -new -nodes -x509
-subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}"
-days 3650
-keyout {{ ssl_key_file }}
-out {{ ssl_cert_file }}
-extensions v3_ca
args:
creates: "{{ ssl_cert_file }}"
when: ssl_generate_selfsigned
notify:
- restart httpd
# TODO: The private key is world readable after it is generated but before this task finishes.
# We should use umask/private directory to protect it.
- name: set permissions on private key
file:
path: "{{ ssl_key_file }}"
state: file
owner: "{{ proxy_secrets_owner }}"
group: "{{ proxy_secrets_group }}"
mode: "{{ proxy_secrets_perms }}"
- name: create proxy client cert+key file
shell: cat {{ proxy_machine_cert_file }} {{ proxy_machine_key_file}} > {{ ssl_client_certkey_file }}
when: proxy_machine_cert_file is defined
register: certkey_file
notify:
- restart httpd
- name: set permissions on client cert+key
file:
path: "{{ ssl_client_certkey_file }}"
state: file
owner: "{{ proxy_secrets_owner }}"
group: "{{ proxy_secrets_group }}"
mode: "{{ proxy_secrets_perms }}"
when: certkey_file.changed
- name: copy client CA file
command: cp {{ proxy_machine_ca_file }} {{ ssl_client_ca_file }}
when: proxy_machine_ca_file is defined
- name: set permissions on kerberos keytab
file:
path: "{{ krb_keytab_file }}"
state: file
owner: "{{ proxy_secrets_owner }}"
group: "{{ proxy_secrets_group }}"
mode: "{{ proxy_secrets_perms }}"
- name: configure httpd
template: src=httpd-krbproxy.conf.j2 dest=/etc/httpd/conf.d/krbproxy.conf
notify:
- restart httpd
- name: allow proxy port in selinux
shell: semanage port -a -t http_port_t -p tcp {{ proxy_port }} || true
# Permanent rules aren't applied immediately. Starting with ansible 1.9,
# this ugliness can be replaced with permanent=true immediate=true.
- name: open required ports in the firewall
firewalld: port={{ proxy_port }}/tcp state=enabled permanent={{ item }}
with_items:
- true
- false
when: manage_firewall
- name: ensure httpd is running
service: name=httpd state=started enabled=yes

68
roles/osbs_kerberos_proxy/templates/httpd-krbproxy.conf.j2 Normal file
View file

@ -0,0 +1,68 @@
ServerName {{ ansible_fqdn }}
ProxyRequests Off
Listen {{ proxy_port }}
{% if proxy_debug %}
## debugging
## in prod we should decrease verbosity
# DumpIOInput On
# DumpIOOutput On
LogLevel Debug
# LogLevel dumpio:trace7
{% endif %}
<VirtualHost *:{{ proxy_port }}>
DocumentRoot /var/www/html
SSLEngine on
SSLCertificateFile {{ ssl_cert_file }}
SSLCertificateKeyFile {{ ssl_key_file }}
SSLProxyEngine On
{% if proxy_machine_ca_file is defined %}
SSLProxyCACertificateFile {{ ssl_client_ca_file }}
{% endif %}
{% if proxy_machine_cert_file is defined %}
SSLProxyMachineCertificateFile {{ ssl_client_certkey_file }}
{% endif %}
SetEnv proxy-sendchunked 1
ProxyRequests Off
<Location "/">
ProxyPass {{ proxy_dest_url }} connectiontimeout=30 timeout=300
ProxyPassReverse {{ proxy_dest_url }}
</Location>
# don't auth /oauth/token/request and /oauth/token/display
<ProxyMatch /oauth/token/.*>
Require all granted
</ProxyMatch>
# /oauth/authorize and /oauth/approve should be protected by Apache.
<ProxyMatch /oauth/a.*>
<If "-R '{{ ansible_default_ipv4.address }}' || -R '{{ docker_network }}'">
Require all granted
RequestHeader set X-Remote-User {{ ansible_hostname }}
</If>
<Else>
AuthType Kerberos
AuthName "{{ proxy_authname }}"
KrbMethodNegotiate on
KrbMethodK5Passwd {{ 'on' if proxy_enable_password_login else 'off' }}
KrbServiceName Any
KrbAuthRealms {{ kerberos_client_realm_name }}
Krb5Keytab {{ krb_keytab_file }}
Require valid-user
RequestHeader set X-Remote-User %{REMOTE_USER}s
</Else>
RequestHeader unset Authorization
RequestHeader unset WWW-Authenticate
</ProxyMatch>
# All other requests should use Bearer tokens. These can only be verified by
# OpenShift so we need to let these requests pass through.
<ProxyMatch ^/oauth/>
SetEnvIfNoCase Authorization Bearer passthrough
Require env passthrough
</ProxyMatch>
</VirtualHost>

23
roles/osbs_kerberos_proxy/templates/krb5.conf.j2 Normal file
View file

@ -0,0 +1,23 @@
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = {{ kerberos_client_realm_name|upper() }}
dns_lookup_realm = {{ kerberos_client_dns_lookup_realm }}
dns_lookup_kdc = {{ kerberos_client_dns_lookup_kdc }}
ticket_lifetime = {{ kerberos_client_ticket_lifetime }}
renew_lifetime = {{ kerberos_client_renew_lifetime }}
forwardable = {{ kerberos_client_forwardable }}
[realms]
{{ kerberos_client_realm_name|upper() }} = {
kdc = {{ kerberos_client_kdc_hostname }}.{{ kerberos_client_realm_name|lower() }}
admin_server = {{ kerberos_client_admin_hostname }}.{{ kerberos_client_realm_name|lower() }}
}
[domain_realm]
.{{ kerberos_client_realm_name|lower() }} = {{ kerberos_client_realm_name|upper() }}
{{ kerberos_client_realm_name|lower() }} = {{ kerberos_client_realm_name|upper() }}

2
roles/osbs_kerberos_proxy/vars/main.yml Normal file
View file

@ -0,0 +1,2 @@
---
docker_network: 172.17.42.1/16