remove osbs-secrets role, it's not doing what we need
Signed-off-by: Adam Miller <admiller@redhat.com>
parent
0757b47a15
commit
a3b31cc39d
8 changed files with 107 additions and 188 deletions
|
@ -112,11 +112,3 @@ osbs_nodes: "{{ groups['osbs-orchestrator-' + env + '-nodes'] }}"
|
|||
osbs_orchestrator_default_nodeselector: "orchestrator=true"
|
||||
osbs_worker_default_nodeselector: "worker=true"
|
||||
|
||||
|
||||
osbs_secret_files_list:
|
||||
- source: "{{ private }}/groups/osbs-{{ env }}/koji/cert"
|
||||
dest: cert
|
||||
- source: "{{ private }}/groups/osbs-{{ env }}/koji/ca"
|
||||
dest: ca
|
||||
- source: "{{ private }}/groups/osbs-{{ env }}/koji/serverca"
|
||||
dest: serverca
|
||||
|
|
|
@ -265,15 +265,6 @@
|
|||
when: env == 'staging'
|
||||
tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
|
||||
|
||||
tasks:
|
||||
- name: place osbs_secret_files if they do not exist
|
||||
copy:
|
||||
src: "{{item.source}}"
|
||||
dest: "{{item.dest}}"
|
||||
with_items: "{{ osbs_secret_files_list }}"
|
||||
tags:
|
||||
- oc
|
||||
|
||||
- name: Setup OSBS requirements for OpenShift cluster hosts
|
||||
hosts: osbs-orchestrators-stg:osbs-workers-stg
|
||||
tags:
|
||||
|
@ -379,11 +370,6 @@
|
|||
osbs_sources_command: "fedpkg sources"
|
||||
osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
|
||||
|
||||
- role: osbs-secret
|
||||
osbs_namespace: "{{ osbs_worker_namespace }}"
|
||||
osbs_secret_name: "{{ koji_secret_name }}"
|
||||
osbs_secret_files: "{{ osbs_secret_files_list }}"
|
||||
|
||||
- name: setup worker namespace
|
||||
hosts: osbsworker-x86-64-masters-stg[0]
|
||||
tags:
|
||||
|
@ -440,17 +426,6 @@
|
|||
osbs_cpu_limitrange: "{{ os_cpu_limitrange }}"
|
||||
osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
|
||||
|
||||
- role: osbs-secret
|
||||
osbs_namespace: "{{ osbs_worker_namespace }}"
|
||||
osbs_secret_name: kojisecret
|
||||
osbs_secret_files:
|
||||
- source: "{{ private }}/groups/osbs-{{ env }}/koji/cert"
|
||||
dest: cert
|
||||
- source: "{{ private }}/groups/osbs-{{ env }}/koji/ca"
|
||||
dest: ca
|
||||
- source: "{{ private }}/groups/osbs-{{ env }}/koji/serverca"
|
||||
dest: serverca
|
||||
|
||||
- name: Setup Koji auth for OpenShift Orchestrator
|
||||
hosts: osbs-masters-stg[0]:osbsworker-x86-64-masters-stg[0]
|
||||
tags:
|
||||
|
@ -476,6 +451,113 @@
|
|||
args:
|
||||
creates: "/etc/origin/atomic-reactor-policy-added"
|
||||
|
||||
- name: post-install orchestrator master host osbs tasks
|
||||
hosts: osbs-masters-stg[0]
|
||||
tags:
|
||||
- osbs-post-install
|
||||
vars_files:
|
||||
- /srv/web/infra/ansible/vars/global.yml
|
||||
- /srv/private/ansible/vars.yml
|
||||
- /srv/private/ansible/files/openstack/passwords.yml
|
||||
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
||||
vars:
|
||||
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
|
||||
osbs_environment:
|
||||
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
|
||||
koji_pki_dir: /etc/pki/koji
|
||||
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
|
||||
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
|
||||
koji_builder_user: dockerbuilder
|
||||
osbs_builder_user: builder
|
||||
|
||||
|
||||
handlers:
|
||||
- name: oc secrets new
|
||||
shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{osbs_orchestrator_namespace}}"
|
||||
environment: "{{ osbs_environment }}"
|
||||
notify: oc secrets add
|
||||
|
||||
- name: oc secrets add
|
||||
shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_orchestrator_namespace}}"
|
||||
environment: "{{ osbs_environment }}"
|
||||
|
||||
tasks:
|
||||
- name: Ensure koji dockerbuilder cert path exists
|
||||
file:
|
||||
path: "{{ koji_pki_dir }}"
|
||||
state: "directory"
|
||||
mode: 0400
|
||||
|
||||
- name: Add koji dockerbuilder cert for Content Generator import
|
||||
copy:
|
||||
src: "{{private}}/files/koji/containerbuild.pem"
|
||||
dest: "{{ koji_cert_path }}"
|
||||
notify: oc secrets new
|
||||
|
||||
- name: Add koji dockerbuilder ca cert for Content Generator import
|
||||
copy:
|
||||
src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
|
||||
dest: "{{ koji_ca_cert_path }}"
|
||||
notify: oc secrets new
|
||||
|
||||
- name: cron entry to clean up old builds
|
||||
copy:
|
||||
src: "{{files}}/osbs/cleanup-old-osbs-builds"
|
||||
dest: "/etc/cron.d/cleanup-old-osbs-builds"
|
||||
|
||||
- name: post-install worker master host osbs tasks
|
||||
hosts: osbsworker-x86-64-masters-stg[0]
|
||||
tags:
|
||||
- osbs-post-install
|
||||
vars_files:
|
||||
- /srv/web/infra/ansible/vars/global.yml
|
||||
- /srv/private/ansible/vars.yml
|
||||
- /srv/private/ansible/files/openstack/passwords.yml
|
||||
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
||||
vars:
|
||||
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
|
||||
osbs_environment:
|
||||
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
|
||||
koji_pki_dir: /etc/pki/koji
|
||||
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
|
||||
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
|
||||
koji_builder_user: dockerbuilder
|
||||
osbs_builder_user: builder
|
||||
|
||||
|
||||
handlers:
|
||||
- name: oc secrets new
|
||||
shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{osbs_worker_namespace}}"
|
||||
environment: "{{ osbs_environment }}"
|
||||
notify: oc secrets add
|
||||
|
||||
- name: oc secrets add
|
||||
shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_worker_namespace}}"
|
||||
environment: "{{ osbs_environment }}"
|
||||
|
||||
tasks:
|
||||
- name: Ensure koji dockerbuilder cert path exists
|
||||
file:
|
||||
path: "{{ koji_pki_dir }}"
|
||||
state: "directory"
|
||||
mode: 0400
|
||||
|
||||
- name: Add koji dockerbuilder cert for Content Generator import
|
||||
copy:
|
||||
src: "{{private}}/files/koji/containerbuild.pem"
|
||||
dest: "{{ koji_cert_path }}"
|
||||
notify: oc secrets new
|
||||
|
||||
- name: Add koji dockerbuilder ca cert for Content Generator import
|
||||
copy:
|
||||
src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
|
||||
dest: "{{ koji_ca_cert_path }}"
|
||||
notify: oc secrets new
|
||||
|
||||
- name: cron entry to clean up old builds
|
||||
copy:
|
||||
src: "{{files}}/osbs/cleanup-old-osbs-builds"
|
||||
dest: "/etc/cron.d/cleanup-old-osbs-builds"
|
||||
|
||||
- name: Manage docker images and image stream
|
||||
hosts: osbs-masters-stg[0]:osbsworker-x86-64-masters-stg[0]
|
||||
|
|
|
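Review bot: The `oc secrets new` handler (the `shell:` line under `handlers:` in each of the two new post-install plays) is create-only, so it succeeds on the first run and fails on any later run where a cert `copy` task reports changed, because the `koji` secret then already exists in that namespace; the handler this commit removes avoided exactly that with `oc replace --force=true`. Either notify a preceding handler that runs `oc delete secret koji --namespace={{ osbs_orchestrator_namespace }} --ignore-not-found=true` (and its worker twin) before the create, or keep the replace flow, and use `command:` rather than `shell:` since neither invocation needs shell features. The two `copy` tasks that place `containerbuild.pem` and the CA cert set no `mode:`, so the builder key material lands with whatever the default mode is; add `mode: "0600"` to each, as the removed role did for its rendered secret file, and change the directory task's unquoted `mode: 0400` to `mode: "0700"`, since `0400` on a `state: "directory"` path drops the search bit and presumably only works because the play runs as root. The orchestrator and worker plays differ only in `hosts:` and the namespace variable, so they could be folded into one play with a per-host namespace, though that is a style point.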
@ -1,70 +0,0 @@
|
|||
osbs-secret
|
||||
===========
|
||||
|
||||
This role imports various secrets, such as Pulp or Koji certificates, from
|
||||
filesystem into OpenShift. See the [OSBS
|
||||
documentation](https://github.com/projectatomic/osbs-client/blob/master/docs/secret.md)
|
||||
for more information.
|
||||
|
||||
This role is part of
|
||||
[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for
|
||||
deploying OpenShift build service. Please refer to that github repository for
|
||||
[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md)
|
||||
and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues).
|
||||
|
||||
Role Variables
|
||||
--------------
|
||||
|
||||
The role imports the keys from the machine running ansible. You have to provide
|
||||
`osbs_secret_files` list, which enumerates what files to import. Elements of
|
||||
the list are dictionaries with two keys: `source` and `dest`. Source is the
|
||||
location of the file on the machine where ansible is run. Dest is the filename
|
||||
of the secret.
|
||||
|
||||
osbs_secret_files:
|
||||
- source: /home/user/.pulp/pulp.cer
|
||||
dest: pulp.cer
|
||||
- source: /home/user/.pulp/pulp.key
|
||||
dest: pulp.key
|
||||
|
||||
The name of the secret in OpenShift is defined by the `osbs_secret_name`
|
||||
variable.
|
||||
|
||||
osbs_secret_name: pulpsecret
|
||||
|
||||
The secret has to be associated with a service account. This service account
|
||||
can be set by the `osbs_secret_service_account` variable.
|
||||
|
||||
osbs_secret_service_account: builder
|
||||
|
||||
We need a kubeconfig file on the remote machine in order to talk to OpenShift.
|
||||
Its location is contained in the `pulp_secret_kubeconfig`.
|
||||
|
||||
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
|
||||
|
||||
Example Playbook
|
||||
----------------
|
||||
|
||||
Following playbook imports the keys from my home directory on the machine where
|
||||
ansible is executed. You may need to run something like this after the current
|
||||
set of keys expires.
|
||||
|
||||
- hosts: builders
|
||||
roles:
|
||||
- role: osbs-secret
|
||||
osbs_secret_name: pulpsecret
|
||||
osbs_secret_files:
|
||||
- source: /home/mmilata/.pulp/pulp.cer
|
||||
dest: pulp.cer
|
||||
- source: {{ pulp_secret_local_dir }}/pulp.key
|
||||
dest: pulp.key
|
||||
|
||||
License
|
||||
-------
|
||||
|
||||
BSD
|
||||
|
||||
Author Information
|
||||
------------------
|
||||
|
||||
Martin Milata <mmilata@redhat.com>
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
osbs_secret_name: pulpsecret
|
||||
osbs_secret_type: Opaque
|
||||
osbs_secret_service_account: builder
|
||||
osbs_secret_remote_dir: /var/lib/origin
|
||||
osbs_secret_can_fail: false
|
||||
|
||||
osbs_secret_files:
|
||||
- source: /home/user/.pulp/pulp.cer
|
||||
dest: pulp.cer
|
||||
- source: /home/user/.pulp/pulp.key
|
||||
dest: pulp.key
|
||||
|
||||
osbs_namespace: default
|
||||
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
|
||||
osbs_environment:
|
||||
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
|
|
@ -1,22 +0,0 @@
|
|||
---
|
||||
- name: import osbs secret
|
||||
command: >
|
||||
oc replace
|
||||
--namespace={{ osbs_namespace }}
|
||||
--force=true
|
||||
--filename={{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml
|
||||
environment: "{{ osbs_environment }}"
|
||||
notify: allow service account
|
||||
|
||||
- name: allow service account
|
||||
command: >
|
||||
oc secrets
|
||||
add serviceaccount/{{ osbs_secret_service_account }} secrets/{{ osbs_secret_name }}
|
||||
--for=mount
|
||||
--namespace={{ osbs_namespace }}
|
||||
environment: "{{ osbs_environment }}"
|
||||
|
||||
- name: delete secret resource file
|
||||
file:
|
||||
path: "{{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml"
|
||||
state: absent
|
|
@ -1,21 +0,0 @@
|
|||
---
|
||||
galaxy_info:
|
||||
author: Martin Milata
|
||||
description: Import secrets from local filesystem into OpenShift.
|
||||
company: Red Hat
|
||||
issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues
|
||||
license: BSD
|
||||
min_ansible_version: 1.2
|
||||
platforms:
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 21
|
||||
- 22
|
||||
categories:
|
||||
- cloud
|
||||
- development
|
||||
- packaging
|
||||
dependencies: []
|
|
@ -1,15 +0,0 @@
|
|||
---
|
||||
- name: create secrets resource file
|
||||
template:
|
||||
src: openshift-secret.yml.j2
|
||||
dest: "{{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml"
|
||||
mode: "0600"
|
||||
notify:
|
||||
- import osbs secret
|
||||
- delete secret resource file
|
||||
tags:
|
||||
- oc
|
||||
|
||||
- meta: flush_handlers
|
||||
tags:
|
||||
- oc
|
|
@ -1,10 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ osbs_secret_name }}
|
||||
type: {{ osbs_secret_type }}
|
||||
data:
|
||||
{% for f in osbs_secret_files %}
|
||||
{{ f.dest }}: {{ lookup('file', f.source) | b64encode }}
|
||||
{% endfor %}
|
||||
|