From a3b31cc39d41cdeea084fb0c9fb72561efabc0df Mon Sep 17 00:00:00 2001
From: Adam Miller
Date: Fri, 4 Aug 2017 14:38:39 +0000
Subject: [PATCH] remove osbs-secrets role, it's not doing what we need
Signed-off-by: Adam Miller
---
inventory/group_vars/osbs-stg | 8 --
.../groups/osbs-orchestrator-cluster.yml | 132 ++++++++++++++----
roles/osbs-secret/README.md | 70 ----------
roles/osbs-secret/defaults/main.yml | 17 ---
roles/osbs-secret/handlers/main.yml | 22 ---
roles/osbs-secret/meta/main.yml | 21 ---
roles/osbs-secret/tasks/main.yml | 15 --
.../templates/openshift-secret.yml.j2 | 10 --
8 files changed, 107 insertions(+), 188 deletions(-)
delete mode 100644 roles/osbs-secret/README.md
delete mode 100644 roles/osbs-secret/defaults/main.yml
delete mode 100644 roles/osbs-secret/handlers/main.yml
delete mode 100644 roles/osbs-secret/meta/main.yml
delete mode 100644 roles/osbs-secret/tasks/main.yml
delete mode 100644 roles/osbs-secret/templates/openshift-secret.yml.j2
diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg
index fea77c17d5..6dda9f0f4f 100644
--- a/inventory/group_vars/osbs-stg
+++ b/inventory/group_vars/osbs-stg
@@ -112,11 +112,3 @@ osbs_nodes: "{{ groups['osbs-orchestrator-' + env + '-nodes'] }}" osbs_orchestrator_default_nodeselector: "orchestrator=true" osbs_worker_default_nodeselector: "worker=true" - -osbs_secret_files_list: -- source: "{{ private }}/groups/osbs-{{ env }}/koji/cert" - dest: cert -- source: "{{ private }}/groups/osbs-{{ env }}/koji/ca" - dest: ca -- source: "{{ private }}/groups/osbs-{{ env }}/koji/serverca" - dest: serverca
diff --git a/playbooks/groups/osbs-orchestrator-cluster.yml b/playbooks/groups/osbs-orchestrator-cluster.yml
index 5312a828af..d9ec2d6519 100644
--- a/playbooks/groups/osbs-orchestrator-cluster.yml
+++ b/playbooks/groups/osbs-orchestrator-cluster.yml
@@ -265,15 +265,6 @@ when: env == 'staging' tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] - tasks: - - name: place osbs_secret_files if they do not exist - copy: - src: "{{item.source}}" - dest: "{{item.dest}}" - with_items: "{{ osbs_secret_files_list }}" - tags: - - oc - - name: Setup OSBS requirements for OpenShift cluster hosts: osbs-orchestrators-stg:osbs-workers-stg tags:
@@ -379,11 +370,6 @@ osbs_sources_command: "fedpkg sources" osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}" - - role: osbs-secret - osbs_namespace: "{{ osbs_worker_namespace }}" - osbs_secret_name: "{{ koji_secret_name }}" - osbs_secret_files: "{{ osbs_secret_files_list }}" - - name: setup worker namespace hosts: osbsworker-x86-64-masters-stg[0] tags:
@@ -440,17 +426,6 @@ osbs_cpu_limitrange: "{{ os_cpu_limitrange }}" osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}" - - role: osbs-secret - osbs_namespace: "{{ osbs_worker_namespace }}" - osbs_secret_name: kojisecret - osbs_secret_files: - - source: "{{ private }}/groups/osbs-{{ env }}/koji/cert" - dest: cert - - source: "{{ private }}/groups/osbs-{{ env }}/koji/ca" - dest: ca - - source: "{{ private }}/groups/osbs-{{ env }}/koji/serverca" - dest: serverca - - name: Setup Koji auth for OpenShift Orchestrator hosts: osbs-masters-stg[0]:osbsworker-x86-64-masters-stg[0] tags:
@@ -476,6 +451,113 @@ args: creates: "/etc/origin/atomic-reactor-policy-added"
+- name: post-install orchestrator master host osbs tasks
+ hosts: osbs-masters-stg[0]
+ tags:
+ - osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+ koji_pki_dir: /etc/pki/koji
+ koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
+ koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
+ koji_builder_user: dockerbuilder
+ osbs_builder_user: builder
+
+
+ handlers:
+ - name: oc secrets new
+ shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{osbs_orchestrator_namespace}}"
+ environment: "{{ osbs_environment }}"
+ notify: oc secrets add
+
+ - name: oc secrets add
+ shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_orchestrator_namespace}}"
+ environment: "{{ osbs_environment }}"
+
+ tasks:
+ - name: Ensure koji dockerbuilder cert path exists
+ file:
+ path: "{{ koji_pki_dir }}"
+ state: "directory"
+ mode: 0400
+
+ - name: Add koji dockerbuilder cert for Content Generator import
+ copy:
+ src: "{{private}}/files/koji/containerbuild.pem"
+ dest: "{{ koji_cert_path }}"
+ notify: oc secrets new
+
+ - name: Add koji dockerbuilder ca cert for Content Generator import
+ copy:
+ src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
+ dest: "{{ koji_ca_cert_path }}"
+ notify: oc secrets new
+
+ - name: cron entry to clean up old builds
+ copy:
+ src: "{{files}}/osbs/cleanup-old-osbs-builds"
+ dest: "/etc/cron.d/cleanup-old-osbs-builds"
+- name: post-install worker master host osbs tasks
+ hosts: osbsworker-x86-64-masters-stg[0]
+ tags:
+ -
osbs-post-install
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+ koji_pki_dir: /etc/pki/koji
+ koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
+ koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
+ koji_builder_user: dockerbuilder
+ osbs_builder_user: builder
+
+
+ handlers:
+ - name: oc secrets new
+ shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{osbs_worker_namespace}}"
+ environment: "{{ osbs_environment }}"
+ notify: oc secrets add
+
+ - name: oc secrets add
+ shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_worker_namespace}}"
+ environment: "{{ osbs_environment }}"
+
+ tasks:
+ - name: Ensure koji dockerbuilder cert path exists
+ file:
+ path: "{{ koji_pki_dir }}"
+ state: "directory"
+ mode: 0400
+
+ - name: Add koji dockerbuilder cert for Content Generator import
+ copy:
+ src: "{{private}}/files/koji/containerbuild.pem"
+ dest: "{{ koji_cert_path }}"
+ notify: oc secrets new
+
+ - name: Add koji dockerbuilder ca cert for Content Generator import
+ copy:
+ src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
+ dest: "{{ koji_ca_cert_path }}"
+ notify: oc secrets new
+
+ - name: cron entry to clean up old builds
+ copy:
+ src: "{{files}}/osbs/cleanup-old-osbs-builds"
+ dest: "/etc/cron.d/cleanup-old-osbs-builds" - name: Manage docker images and image stream hosts: osbs-masters-stg[0]:osbsworker-x86-64-masters-stg[0]
diff --git a/roles/osbs-secret/README.md b/roles/osbs-secret/README.md
deleted file mode 100644
index e59fab6a79..0000000000
--- a/roles/osbs-secret/README.md
+++ /dev/null
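Review bot: The builder key/cert copied to `koji_cert_path` (`containerbuild.pem`) has no `mode:`/`owner:`, so it lands with the remote's default umask-derived permissions, while the `file` task creates `koji_pki_dir` with `mode: 0400`, which on a directory lacks the execute bit needed to traverse it; suggest `mode: "0700"` on the directory task and `mode: "0600"` on the `containerbuild.pem` copy, in both the orchestrator play and the near-identical worker play later in the hunk. The `oc secrets new` handler also looks non-idempotent: unlike the `oc replace --force=true` the removed role used, it presumably fails when a `koji` secret already exists, so a later cert rotation that re-triggers the handler would error unless the secret is deleted first — worth confirming against the `oc` release in use. Neither handler uses shell features, so `command:` would avoid passing the templated paths through a shell. Both `ca=` and `serverca=` are fed the same `fedora-ca.cert`, whereas the removed inventory carried separate `koji/ca` and `koji/serverca` files; confirm that is intended. The two plays differ only in `hosts:` and the namespace variable, so a single play over both host patterns with a per-host namespace var would halve the duplication.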
@@ -1,70 +0,0 @@ -osbs-secret -=========== - -This role imports various secrets, such as Pulp or Koji certificates, from -filesystem into OpenShift. See the [OSBS -documentation](https://github.com/projectatomic/osbs-client/blob/master/docs/secret.md) -for more information. - -This role is part of -[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for -deploying OpenShift build service. Please refer to that github repository for -[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md) -and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues). - -Role Variables --------------- - -The role imports the keys from the machine running ansible. You have to provide -`osbs_secret_files` list, which enumerates what files to import. Elements of -the list are dictionaries with two keys: `source` and `dest`. Source is the -location of the file on the machine where ansible is run. Dest is the filename -of the secret. - - osbs_secret_files: - - source: /home/user/.pulp/pulp.cer - dest: pulp.cer - - source: /home/user/.pulp/pulp.key - dest: pulp.key - -The name of the secret in OpenShift is defined by the `osbs_secret_name` -variable. - - osbs_secret_name: pulpsecret - -The secret has to be associated with a service account. This service account -can be set by the `osbs_secret_service_account` variable. - - osbs_secret_service_account: builder - -We need a kubeconfig file on the remote machine in order to talk to OpenShift. -Its location is contained in the `pulp_secret_kubeconfig`. - - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - -Example Playbook ----------------- - -Following playbook imports the keys from my home directory on the machine where -ansible is executed. You may need to run something like this after the current -set of keys expires. 
- - - hosts: builders - roles: - - role: osbs-secret - osbs_secret_name: pulpsecret - osbs_secret_files: - - source: /home/mmilata/.pulp/pulp.cer - dest: pulp.cer - - source: {{ pulp_secret_local_dir }}/pulp.key - dest: pulp.key - -License -------- - -BSD - -Author Information ------------------- - -Martin Milata <mmilata@redhat.com>
diff --git a/roles/osbs-secret/defaults/main.yml b/roles/osbs-secret/defaults/main.yml
deleted file mode 100644
index 0e317c61fc..0000000000
--- a/roles/osbs-secret/defaults/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@ ---- -osbs_secret_name: pulpsecret -osbs_secret_type: Opaque -osbs_secret_service_account: builder -osbs_secret_remote_dir: /var/lib/origin -osbs_secret_can_fail: false - -osbs_secret_files: -- source: /home/user/.pulp/pulp.cer - dest: pulp.cer -- source: /home/user/.pulp/pulp.key - dest: pulp.key - -osbs_namespace: default -osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig -osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}"
diff --git a/roles/osbs-secret/handlers/main.yml b/roles/osbs-secret/handlers/main.yml
deleted file mode 100644
index b3c0f8a4fa..0000000000
--- a/roles/osbs-secret/handlers/main.yml
+++ /dev/null
@@ -1,22 +0,0 @@ ---- -- name: import osbs secret - command: > - oc replace - --namespace={{ osbs_namespace }} - --force=true - --filename={{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml - environment: "{{ osbs_environment }}" - notify: allow service account - -- name: allow service account - command: > - oc secrets - add serviceaccount/{{ osbs_secret_service_account }} secrets/{{ osbs_secret_name }} - --for=mount - --namespace={{ osbs_namespace }} - environment: "{{ osbs_environment }}" - -- name: delete secret resource file - file: - path: "{{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml" - state: absent
diff --git a/roles/osbs-secret/meta/main.yml b/roles/osbs-secret/meta/main.yml
deleted file mode 100644
index c8d34fb335..0000000000
--- a/roles/osbs-secret/meta/main.yml
+++ /dev/null
@@ -1,21 +0,0 @@ ---- -galaxy_info: - author: Martin Milata - description: Import secrets from local filesystem into OpenShift. - company: Red Hat - issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues - license: BSD - min_ansible_version: 1.2 - platforms: - - name: EL - versions: - - 7 - - name: Fedora - versions: - - 21 - - 22 - categories: - - cloud - - development - - packaging -dependencies: []
diff --git a/roles/osbs-secret/tasks/main.yml b/roles/osbs-secret/tasks/main.yml
deleted file mode 100644
index 72e1065ffe..0000000000
--- a/roles/osbs-secret/tasks/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@ ---- -- name: create secrets resource file - template: - src: openshift-secret.yml.j2 - dest: "{{ osbs_secret_remote_dir }}/openshift-secret-{{ inventory_hostname }}-{{ osbs_namespace }}-{{ osbs_secret_name }}.yml" - mode: "0600" - notify: - - import osbs secret - - delete secret resource file - tags: - - oc - -- meta: flush_handlers - tags: - - oc
diff --git a/roles/osbs-secret/templates/openshift-secret.yml.j2 b/roles/osbs-secret/templates/openshift-secret.yml.j2
deleted file mode 100644
index 2b08c05b12..0000000000
--- a/roles/osbs-secret/templates/openshift-secret.yml.j2
+++ /dev/null
@@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: {{ osbs_secret_name }} -type: {{ osbs_secret_type }} -data: -{% for f in osbs_secret_files %} - {{ f.dest }}: {{ lookup('file', f.source) | b64encode }} -{% endfor %} -