From d679998a0a79b44960fdd7ce5a090a06823b7c20 Mon Sep 17 00:00:00 2001 From: Clement Verna Date: Wed, 4 Jul 2018 08:58:01 +0200 Subject: [PATCH] Setup OSBS orchestrated cluster in prod Signed-off-by: Clement Verna --- files/osbs/buildroot-Dockerfile-production.j2 | 4 +- files/osbs/buildroot-Dockerfile-staging.j2 | 2 +- inventory/group_vars/osbs-masters | 131 +++++++++ inventory/group_vars/osbs-masters-stg | 12 +- .../osbs-master01.phx2.fedoraproject.org | 4 +- .../osbs-node01.phx2.fedoraproject.org | 4 +- .../osbs-node02.phx2.fedoraproject.org | 4 +- playbooks/groups/buildvm.yml | 19 +- playbooks/groups/osbs-cluster.yml | 270 +++--------------- roles/osbs-client/tasks/main.yml | 33 +-- tasks/osbs_koji_token.yml | 5 +- 11 files changed, 197 insertions(+), 291 deletions(-) diff --git a/files/osbs/buildroot-Dockerfile-production.j2 b/files/osbs/buildroot-Dockerfile-production.j2 index 9d7f66d764..b577681fc4 100644 --- a/files/osbs/buildroot-Dockerfile-production.j2 +++ b/files/osbs/buildroot-Dockerfile-production.j2 @@ -1,8 +1,10 @@ -FROM registry.fedoraproject.org/fedora:27 +FROM registry.fedoraproject.org/fedora ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\ python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\ libmodulemd python2-gobject python3-gobject python2-modulemd python3-modulemd python2-pdc-client python3-pdc-client ostree flatpak skopeo +ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json +ADD ./worker_customize.json /usr/share/osbs/worker_customize.json ADD ./krb5.conf /etc RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc/krb5.conf.d/ccache.conf ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/ 
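Review bot: The new `FROM registry.fedoraproject.org/fedora` line drops the release tag, so the production buildroot now resolves to whatever the registry's default tag points at and its package set will drift between image builds; the staging Dockerfile hunk below makes the same change. Pin the base deliberately, e.g. `FROM registry.fedoraproject.org/fedora:28` (matching the Fedora 28 kickstarts this patch moves the hosts to), or a digest, and bump it on purpose. The added `ADD ./orchestrator_customize.json` and `ADD ./worker_customize.json` lines copy plain local files, so `COPY` states that intent without `ADD`'s archive-extraction and URL semantics; note also that neither JSON file is in this patch's diffstat, so the image build fails at those lines unless they already exist in `files/osbs/`.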
diff --git a/files/osbs/buildroot-Dockerfile-staging.j2 b/files/osbs/buildroot-Dockerfile-staging.j2 index 2700fa1074..b577681fc4 100644 --- a/files/osbs/buildroot-Dockerfile-staging.j2 +++ b/files/osbs/buildroot-Dockerfile-staging.j2 @@ -1,4 +1,4 @@ -FROM registry.fedoraproject.org/fedora:27 +FROM registry.fedoraproject.org/fedora ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\ python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\ diff --git a/inventory/group_vars/osbs-masters b/inventory/group_vars/osbs-masters index ea6cc65368..cf8cbcf5bc 100644 --- a/inventory/group_vars/osbs-masters +++ b/inventory/group_vars/osbs-masters 
@@ -23,8 +23,139 @@ osbs_client_conf_path: /etc/osbs.conf openshift_node_labels: {'region':'infra'} openshift_schedulable: False +osbs_namespace: "osbs-fedora" +osbs_worker_namespace: worker + +osbs_worker_service_accounts: + - orchestrator + - builder + + +osbs_conf_sources_command: fedpkg sources +osbs_conf_vendor: Fedora Project + +osbs_orchestrator_cpu_limitrange: "95m" + +osbs_worker_default_nodeselector: "worker=true" +osbs_orchestrator_default_nodeselector: "orchestrator=true" + +osbs_conf_service_accounts: + - koji + - builder + +osbs_conf_readwrite_users: + - "system:serviceaccount:{{ osbs_namespace }}:default" + - "system:serviceaccount:{{ osbs_namespace }}:builder" + +osbs_conf_worker_clusters: + x86_64: + - name: x86_64 + max_concurrent_builds: 2 + openshift_url: "https://osbs.fedoraproject.org/" + verify_ssl: 'false' + + +osbs_platform_descriptors: +- platform: x86_64 + architecture: amd64 + enable_v1: True + +_osbs_reactor_config_map: + version: 1 + + clusters: + x86_64: + - name: "x86_64" + max_concurrent_builds: 2 + + clusters_client_config_dir: "/var/run/secrets/atomic-reactor/client-config-secret" + + koji: + hub_url: "https://koji{{ env_suffix }}.fedoraproject.org/kojihub" + root_url: "https://koji{{ env_suffix }}.fedoraproject.org/" + auth: + krb_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}" + krb_keytab_path: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab" + + odcs: + api_url: "https://odcs{{ env_suffix }}.fedoraproject.org/api/1" + auth: + openidc_dir: "/var/run/secrets/atomic-reactor/odcs-oidc-secret" + signing_intents: + - name: unsigned + keys: [] + default_signing_intent: "unsigned" + + pdc: + api_url: "https://pdc{{ env_suffix }}.fedoraproject.org/rest_api/v1/" + + image_labels: + vendor: "{{ osbs_conf_vendor }}" + authoritative-source-url: "{{ source_registry }}" + distribution-scope: public + + image_equal_labels: + - ['description', 'io.k8s.description'] + openshift: + url: "https://{{ osbs_url }}" + insecure: true + build_json_dir: 
/usr/share/osbs + auth: + enable: True + + platform_descriptors: "{{ osbs_platform_descriptors }}" + + prefer_schema1_digest: False + + content_versions: + - v1 + - v2 + + registries: + - url: "{{ docker_registry }}" + insecure: True + auth: + cfg_path: /var/run/secrets/atomic-reactor/v2-registry-dockercfg + + source_registry: + url: "{{ source_registry }}" + insecure: True + + group_manifests: True + + sources_command: "{{ osbs_conf_sources_command }}" + + artifacts_allowed_domains: [] + #- download.devel.redhat.com/released + #- download.devel.redhat.com/devel/candidates + + required_secrets: + - kojisecret + - v2-registry-dockercfg + - odcs-oidc-secret + + worker_token_secrets: + - x86-64-orchestrator + - client-config-secret + +_osbs_scratch_reactor_config_map_overrides: + image_labels: + distribution-scope: private + +osbs_reactor_config_maps: +- name: reactor-config-map + data: "{{ _osbs_reactor_config_map }}" +- name: reactor-config-map-scratch + data: > + {{ _osbs_reactor_config_map | + combine(_osbs_scratch_reactor_config_map_overrides, recursive=True) }} + +osbs_odcs_enabled: true + +#Docker command delegated host composer: compose-x86-01.phx2.fedoraproject.org +# Nagios configuration nagios_Check_Services: nrpe: true sshd: true diff --git a/inventory/group_vars/osbs-masters-stg b/inventory/group_vars/osbs-masters-stg index f9490e2bee..5cc543bfa9 100644 --- a/inventory/group_vars/osbs-masters-stg +++ b/inventory/group_vars/osbs-masters-stg @@ -45,7 +45,7 @@ osbs_conf_readwrite_users: osbs_conf_worker_clusters: x86_64: - - name: x86_64-stg + - name: x86_64 max_concurrent_builds: 2 openshift_url: "https://osbs.stg.fedoraproject.org/" verify_ssl: 'false' 
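Review bot: The production worker cluster entry in `osbs_conf_worker_clusters` sets `verify_ssl: 'false'`, and the reactor config map sets `openshift.insecure: true`, `registries[].insecure: True` and `source_registry.insecure: True`, so the orchestrator-to-worker, API and registry connections in production all skip TLS verification even though they target `osbs.fedoraproject.org` and the `{{ docker_registry }}` / `{{ source_registry }}` endpoints. If those endpoints serve certificates from a CA the buildroot trusts, change them to `verify_ssl: 'true'` / `insecure: false`; otherwise a short comment on each stating why verification is off keeps the setting from being copied further. Separately, `osbs_conf_readwrite_users` grants write access to `system:serviceaccount:{{ osbs_namespace }}:default`, the account every pod without an explicit service account runs as; confirm builds actually run as `default` rather than `builder`, or drop that entry. The file also mixes `True`, `true` and `'false'`: the quoted `'false'` is a string, presumably what osbs.conf expects, but the real booleans would read consistently as lowercase `true` / `false`.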
@@ -61,14 +61,14 @@ _osbs_reactor_config_map: clusters: x86_64: - - name: "x86_64-stg" + - name: "x86_64" max_concurrent_builds: 2 clusters_client_config_dir: "/var/run/secrets/atomic-reactor/client-config-secret" koji: - hub_url: "https://koji.stg.fedoraproject.org/kojihub" - root_url: "https://koji.stg.fedoraproject.org/" + hub_url: "https://koji{{ env_suffix }}.fedoraproject.org/kojihub" + root_url: "https://koji{{ env_suffix }}.fedoraproject.org/" auth: krb_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}" krb_keytab_path: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab" @@ -83,7 +83,7 @@ _osbs_reactor_config_map: default_signing_intent: "unsigned" pdc: - api_url: "https://pdc.stg.fedoraproject.org/rest_api/v1/" + api_url: "https://pdc{{ env_suffix }}.fedoraproject.org/rest_api/v1/" image_labels: vendor: "{{ osbs_conf_vendor }}" @@ -131,7 +131,7 @@ _osbs_reactor_config_map: - odcs-oidc-secret worker_token_secrets: - - x86-64-stg-orchestrator + - x86-64-orchestrator - client-config-secret _osbs_scratch_reactor_config_map_overrides: diff --git a/inventory/host_vars/osbs-master01.phx2.fedoraproject.org b/inventory/host_vars/osbs-master01.phx2.fedoraproject.org index 47d90cae97..647ae2d61d 100644 --- a/inventory/host_vars/osbs-master01.phx2.fedoraproject.org +++ b/inventory/host_vars/osbs-master01.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.55 vmhost: bvirthost01.phx2.fedoraproject.org diff --git a/inventory/host_vars/osbs-node01.phx2.fedoraproject.org b/inventory/host_vars/osbs-node01.phx2.fedoraproject.org index 894d2e90a0..a26a25e8d8 100644 --- a/inventory/host_vars/osbs-node01.phx2.fedoraproject.org 
+++ b/inventory/host_vars/osbs-node01.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.53 vmhost: bvirthost01.phx2.fedoraproject.org diff --git a/inventory/host_vars/osbs-node02.phx2.fedoraproject.org b/inventory/host_vars/osbs-node02.phx2.fedoraproject.org index 88c8936c5f..6a2e756d55 100644 --- a/inventory/host_vars/osbs-node02.phx2.fedoraproject.org +++ b/inventory/host_vars/osbs-node02.phx2.fedoraproject.org @@ -2,8 +2,8 @@ nm: 255.255.255.0 gw: 10.5.125.254 dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ +ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs +ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/ volgroup: /dev/vg_guests eth0_ip: 10.5.125.54 vmhost: bvirthost01.phx2.fedoraproject.org diff --git a/playbooks/groups/buildvm.yml b/playbooks/groups/buildvm.yml index 9c5cd9abbb..2ca8a7a645 100644 --- a/playbooks/groups/buildvm.yml +++ b/playbooks/groups/buildvm.yml @@ -111,8 +111,8 @@ client_config_secret: 'client-config-secret', reactor_config_secret: 'reactor-config-secret', registry_secret_name: 'v2-registry-dockercfg', - token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-stg-orchestrator', - token_file: '/etc/osbs/x86-64-osbs-stg-koji', + token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-orchestrator', + token_file: '/etc/osbs/x86-64-osbs-koji', namespace: 'osbs-fedora', can_orchestrate: true, builder_odcs_url: "https://odcs{{ env_suffix }}.fedoraproject.org", 
@@ -129,7 +129,7 @@ when: env == 'production' and ansible_architecture == 'x86_64', general: { verbose: 0, - build_json_dir: '/etc/osbs/input/', + build_json_dir: '/usr/share/osbs/', openshift_required_version: 1.1.0, }, default: { @@ -154,7 +154,18 @@ distribution_scope: 'private', registry_api_versions: 'v2', builder_openshift_url: 'https://{{osbs_url}}', - registry_secret_name: 'v2-registry-dockercfg' + registry_secret_name: 'v2-registry-dockercfg', + token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-orchestrator', + token_file: '/etc/osbs/x86-64-osbs-koji', + namespace: 'osbs-fedora', + can_orchestrate: true, + builder_odcs_url: "https://odcs{{ env_suffix }}.fedoraproject.org", + builder_odcs_openidc_secret: "odcs-oidc-secret", + builder_pdc_url: "https://pdc.fedoraproject.org/api/1", + flatpak_base_image: "registry.fedoraproject.org/fedora:latest", + reactor_config_map: "reactor-config-map", + reactor_config_map_scratch: "reactor-config-map-scratch", + build_from: "image:buildroot:latest" } } handlers: diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 42f975cabf..8fbe2357c4 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -234,10 +234,11 @@ cluster_inventory_filename: "cluster-inventory", openshift_htpasswd_file: "/etc/origin/htpasswd", openshift_master_public_api_url: "https://{{ osbs_url }}:8443", - openshift_release: "v3.6.0", + openshift_release: "v3.9.0", openshift_ansible_path: "/root/openshift-ansible", - openshift_ansible_playbook: "playbooks/byo/config.yml", - openshift_ansible_version: "release-3.6-fedora-compat", + openshift_ansible_pre_playbook: "playbooks/prerequisites.yml", + openshift_ansible_playbook: "playbooks/deploy_cluster.yml", + openshift_ansible_version: "openshift-ansible-3.9.30-1", openshift_ansible_ssh_user: root, openshift_ansible_install_examples: false, openshift_ansible_containerized_deploy: false, 
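Review bot: The new production osbs-client entry pins `build_from: "image:buildroot:latest"` and `flatpak_base_image: "registry.fedoraproject.org/fedora:latest"`, so which buildroot and base image a build uses depends on what `latest` resolves to at build time rather than on this configuration; consider a versioned tag for both. The entry duplicates most of the staging entry earlier in the file, and `builder_pdc_url: "https://pdc.fedoraproject.org/api/1"` could use `pdc{{ env_suffix }}` like `builder_odcs_url` on the line above it, which would let the shared keys live once in group vars instead of in two multi-line flow mappings. Writing the role entry in block style rather than `{ ... }` would also make future diffs of it readable. The enclosing role list starts outside the hunk.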
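Review bot: The added `openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"` variable only has an effect if the role that consumes these vars runs it before `openshift_ansible_playbook`, and no role change appears in this patch's diffstat; if the role does not already read that key, `playbooks/deploy_cluster.yml` will run for 3.9 without the prerequisites step. Please confirm the role handles it, or add the task that runs the pre-playbook. Pinning `openshift_ansible_version` to the `openshift-ansible-3.9.30-1` tag instead of a moving branch is a good change. The enclosing vars block starts and ends outside the hunk.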
@@ -319,86 +320,8 @@ src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}" dest: "/etc/dnsmasq.d/fedora-dns.conf" -- name: Setup requirements for OpenShift master - hosts: osbs-masters-stg:osbs-masters - tags: - - osbs-master-req - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - - name: set policy for koji builder in openshift for osbs - command: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added" - args: - creates: "/etc/origin/koji-builder-policy-added" - when: env == "production" - - - name: set policy for koji builder in openshift for atomic-reactor - command: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added" - args: - creates: "/etc/origin/atomic-reactor-policy-added" - when: env == "production" - -- name: Deploy OSBS on top of OpenShift - hosts: osbs-masters-stg[0]:osbs-masters[0] - tags: - - osbs-deploy-on-openshift - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - - roles: - - { - role: osbs-on-openshift, - osbs_openshift_home: "/var/lib/origin", - osbs_namespace: "default", - osbs_namespace_create: "false", - osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig", - osbs_environment: [ - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - ], - osbs_service_accounts: [], - osbs_readonly_users: [], - osbs_readonly_groups: [], - osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"], - osbs_readwrite_groups: [ "system:authenticated"], - osbs_admin_users: [], - 
osbs_admin_groups: [], - osbs_docker_registry: false, - osbs_docker_registry_storage: "/opt/openshift-registry", - when: env == "production" - } - - tasks: - - name: set custom build policy for koji builder in openshift for osbs - command: "oc adm policy add-role-to-user -n default osbs-custom-build {{ osbs_koji_prod_username }} --role-namespace=default && touch /etc/origin/koji-custom-build-policy-added" - args: - creates: "/etc/origin/koji-builder-policy-added" - when: env == "production" - environment: "{{ osbs_environment }}" - - name: set custom build policy for builder service account in openshift for osbs - command: "oc adm policy add-role-to-user -n default osbs-custom-build system:serviceaccount:default:builder --role-namespace=default && touch /etc/origin/koji-builder-policy-added" - args: - creates: "/etc/origin/koji-builder-policy-added" - when: env == "production" - environment: "{{ osbs_environment }}" - - name: Create worker namespace - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] tags: - osbs-worker-namespace user: root @@ -420,10 +343,10 @@ osbs_authoritative_registry: "{{ source_registry }}" osbs_sources_command: "{{ osbs_conf_sources_command }}" osbs_vendor: "{{ osbs_conf_vendor }}" - when: env == "staging" + - name: setup koji secret in worker namespace - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" @@ -437,10 +360,9 @@ osbs_secret_files: - source: "{{ private }}/files/koji/containerbuild.pem" dest: cert - when: env == "staging" - name: setup ODCS secret in worker namespace - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" 
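Review bot: Deleting the `Setup requirements for OpenShift master` and `Deploy OSBS on top of OpenShift` plays does not undo what they already applied on the existing production master: the `edit` bindings for `{{ osbs_koji_prod_username }}` and `system:serviceaccount:default:builder` in the `default` namespace, the `osbs-custom-build` bindings and the `system:authenticated` read-write group remain, as do the `/etc/origin/*-policy-added` marker files. If the orchestrated setup in the `osbs-fedora` and `worker` namespaces replaces those grants, revoke them explicitly (for example `oc adm policy remove-role-from-user -n default edit ...` tasks in the post-install play) or rebuild the cluster, otherwise the old identities keep broader rights than the new namespaces give them. Whether the 3.9 move reinstalls from scratch is not visible in this patch.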
@@ -450,14 +372,13 @@ osbs_namespace: "{{ osbs_worker_namespace }}" osbs_secret_name: odcs-oidc-secret osbs_secret_files: - - source: "{{ private }}/files/osbs/staging/odcs-oidc-token" + - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token" dest: token - when: env == "staging" tags: - osbs-worker-namespace - name: Create orchestrator namespace - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] roles: - role: osbs-namespace osbs_orchestrator: true 
@@ -474,38 +395,48 @@ koji_use_kerberos: true koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab" koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}" - when: env == "staging" tags: - osbs-orchestrator-namespace - name: Add the worker/orchestrator labels to the nodes - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] tags: - osbs-labels-nodes tasks: - name: Add the worker label command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite" loop: "{{ groups['osbs-nodes-stg'] }}" + when: env == "staging" - name: Add the orchestrator labels to the nodes command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite" loop: "{{ groups['osbs-nodes-stg'] }}" + when: env == "staging" + + - name: Add the worker label + command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite" + loop: "{{ groups['osbs-nodes'] }}" + when: env == "production" + + - name: Add the orchestrator labels to the nodes + command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite" + loop: "{{ groups['osbs-nodes'] }}" + when: env == "production" - name: setup reactor config secret in orchestrator namespace - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] roles: - role: osbs-secret osbs_secret_name: reactor-config-secret osbs_secret_files: - source: "/tmp/{{ osbs_namespace }}-reactor-config-secret.yml" dest: config.yaml - when: env == "staging" tags: - osbs-orchestrator-namespace - name: setup ODCS secret in orchestrator namespace - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" 
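Review bot: The node-labelling tasks are now written twice, once per environment with `when: env == "staging"` / `when: env == "production"` guards and different `loop` groups, so four copies of the `oc label` command have to be kept in sync; one worker task and one orchestrator task looping over `{{ groups['osbs-nodes-stg'] if env == 'staging' else groups['osbs-nodes'] }}` express the same thing. A comment on the play, `# each master labels the nodes of its own cluster; the node group is chosen by env`, would also make clear why the host pattern targets both `[0]` masters. The surrounding play starts outside the hunk.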
@@ -514,26 +445,24 @@ - role: osbs-secret osbs_secret_name: odcs-oidc-secret osbs_secret_files: - - source: "{{ private }}/files/osbs/staging/odcs-oidc-token" + - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token" dest: token - when: env == "staging" tags: - osbs-orchestrator-namespace - name: setup client config secret in orchestrator namespace - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] roles: - role: osbs-secret osbs_secret_name: client-config-secret osbs_secret_files: - source: "/tmp/{{ osbs_namespace }}-client-config-secret.conf" dest: osbs.conf - when: env == "staging" tags: - osbs-orchestrator-namespace - name: setup koji secret in orchestrator namespace - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" @@ -544,23 +473,21 @@ osbs_secret_files: - source: "{{ private }}/files/koji/containerbuild.pem" dest: cert - when: env == "staging" tags: - osbs-orchestrator-namespace - name: setup orchestrator token for x86_64-osbs - hosts: osbs-masters-stg[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] vars_files: - /srv/web/infra/ansible/vars/global.yml - "/srv/private/ansible/vars.yml" - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml roles: - role: osbs-secret - osbs_secret_name: x86-64-stg-orchestrator + osbs_secret_name: x86-64-orchestrator osbs_secret_files: - - source: "{{ private }}/files/osbs/staging/x86-64-osbs-stg-orchestrator" + - source: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-orchestrator" dest: token - when: env == "staging" tags: - osbs-orchestrator-namespace @@ -633,7 +560,6 @@ osbs_secret_files: - source: "/tmp/.dockercfg" dest: .dockercfg - when: env == "staging" post_tasks: - name: Delete the temporary secret file 
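Review bot: The `osbs-secret` role now creates `x86-64-orchestrator`, but nothing removes the `x86-64-stg-orchestrator` secret that earlier runs created in the staging orchestrator namespace, so the old token stays stored and readable in the cluster. Add a cleanup task such as `oc -n {{ osbs_namespace }} delete secret x86-64-stg-orchestrator` (tolerating not-found) or delete it by hand, and likewise the old `/etc/osbs/x86-64-osbs-stg-koji` token file on the build hosts is not removed by the `tasks/osbs_koji_token.yml` rename. The same rename in `inventory/group_vars/osbs-masters-stg` only changes which secret is referenced, not what exists.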
@@ -642,80 +568,6 @@ state=absent path="/tmp/.dockercfg" -- name: Manage docker images and image stream - hosts: osbs-masters[0] - tags: - - osbs-post-install - - manage-docker-images - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - koji_pki_dir: /etc/pki/koji - koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" - koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" - koji_builder_user: dockerbuilder - osbs_builder_user: builder - - tasks: - - name: pull fedora required docker images - command: "docker pull {{item}}" - with_items: "{{fedora_required_images}}" - delegate_to: "{{ composer }}" - register: docker_pull_fedora_delegated - changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout" - - - name: tag fedora required docker images for our registry - command: "docker tag {{item}} {{docker_registry}}/{{item}}" - with_items: "{{fedora_required_images}}" - delegate_to: "{{ composer }}" - when: docker_pull_fedora_delegated is changed - - - name: push fedora required docker images to our registry - command: "docker push {{docker_registry}}/{{item}}" - with_items: "{{fedora_required_images}}" - delegate_to: "{{ composer }}" - when: docker_pull_fedora_delegated is changed - - - name: register origin_version_out rpm query - command: "rpm -q origin --qf '%{Version}'" - register: origin_version_out - check_mode: no - changed_when: False - - - set_fact: - origin_version: "{{origin_version_out.stdout}}" - - - name: pull openshift required docker images - command: "docker pull {{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - delegate_to: "{{ composer }}" - register: docker_pull_openshift_delegated - changed_when: "'Downloaded 
newer image' in docker_pull_openshift_delegated.stdout" - - - name: tag openshift required docker images for our registry - command: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - delegate_to: "{{ composer }}" - when: docker_pull_openshift_delegated is changed - - - name: push openshift required docker images to our registry - command: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - delegate_to: "{{ composer }}" - when: docker_pull_openshift_delegated is changed - - - name: create fedora image stream for OpenShift - command: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated" - environment: "{{ osbs_environment }}" - args: - creates: /etc/origin/fedoraimagestreamcreated - - name: post-install master host osbs tasks hosts: osbs-masters-stg:osbs-masters tags: @@ -786,7 +638,7 @@ - name: post-install osbs tasks - hosts: osbs-nodes-stg:osbs-masters:osbs-nodes + hosts: osbs-nodes-stg:osbs-nodes tags: - osbs-post-install vars_files: 
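Review bot: Dropping `osbs-masters` from the `post-install osbs tasks` host pattern means production masters no longer run the tasks in this play, which appears to include the `enable nrpe for monitoring (noc01)` iptables rule shown in the next hunk; the `Post-Install image stream refresh` play further down carries its own nrpe rule but targets only `osbs-masters[0]`, so any further master would lose the monitoring rule. Please confirm a master-side play covers nrpe for every master, or keep `osbs-masters` in this pattern. The play continues past the hunk.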
@@ -823,40 +675,6 @@ state: restarted daemon_reload: yes - roles: - - { - role: osbs-client, - general: { - verbose: 0, - build_json_dir: '/etc/osbs/input/', - openshift_required_version: 1.1.0, - }, - default: { - username: "{{ osbs_koji_prod_username }}", - password: "{{ osbs_koji_prod_password }}", - koji_use_kerberos: True, - koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab", - koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}", - openshift_url: 'https://{{osbs_url}}/', - registry_uri: 'https://{{docker_registry}}/v2', - source_registry_uri: 'https://{{source_registry}}/v2', - build_host: '{{osbs_url}}', - koji_root: 'https://{{koji_url}}/koji', - koji_hub: 'https://{{koji_url}}/kojihub', - sources_command: 'fedpkg sources', - build_type: 'prod', - authoritative_registry: 'registry.fedoraproject.org', - vendor: 'Fedora Project', - verify_ssl: true, - use_auth: true, - builder_use_auth: true, - distribution_scope: 'private', - registry_api_versions: 'v2', - builder_openshift_url: 'https://{{osbs_url}}' - }, - when: env == "production" - } - tasks: - name: enable nrpe for monitoring (noc01) iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT 
@@ -990,26 +808,6 @@ check_mode: no changed_when: False - - set_fact: - origin_version: "{{origin_version_out.stdout}}" - - - name: pull openshift required docker images - command: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - register: docker_pull_openshift - changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout" - when: env == "production" - - - name: tag openshift required docker images locally - command: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}" - with_items: "{{openshift_required_images}}" - when: - - docker_pull_openshift is changed - - env == "production" - - - set_fact: - docker_pull_openshift: "{{ docker_pull_openshift }}" - - name: Post-Install image stream refresh hosts: osbs-masters[0]:osbs-masters-stg[0] @@ -1022,10 +820,6 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: - - name: refresh fedora image streams - command: "oc import-image fedora --all" - when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"] is changed - - name: enable nrpe for monitoring (noc01) iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT diff --git a/roles/osbs-client/tasks/main.yml b/roles/osbs-client/tasks/main.yml index 9de5185741..8dcb80d386 100644 --- a/roles/osbs-client/tasks/main.yml +++ b/roles/osbs-client/tasks/main.yml 
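Review bot: With the `set_fact: origin_version` and the image pull/tag tasks removed, the task just above this hunk that registers `origin_version_out` from the `rpm -q origin` query (its `check_mode: no` / `changed_when: False` lines are the hunk's leading context) appears to have no remaining consumer; if nothing else in the play reads it, drop that task too so the play does not keep a dead fact-gathering step. The enclosing play starts outside the hunk.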
@@ -9,35 +9,4 @@ - name: apply osbs-client templated config template: src=osbs.conf.j2 dest={{ osbs_client_conf_path }} mode=0640 tags: - - osbs-client - -- name: Create custom OSBS input directory - file: - path: "/etc/osbs/input/" - state: directory - tags: - - osbs-client - when: env == 'production' - -# This overrides defaults which are set in -# https://github.com/projectatomic/osbs-client/blob/master/inputs/prod_inner.json -- name: Upload OSBS Site Customizations plugin conf - copy: - src: "osbs-site-customize.json" - dest: "/etc/osbs/input/prod_customize.json" - mode: 0400 - tags: - - osbs-client - when: env == 'production' - -- name: Symlink in OSBS input configs provided by package - file: - src: "/usr/share/osbs/{{item}}.json" - dest: "/etc/osbs/input/{{item}}.json" - state: link - with_items: - - "prod" - - "prod_inner" - tags: - - osbs-client - when: env == 'production' \ No newline at end of file + - osbs-client \ No newline at end of file diff --git a/tasks/osbs_koji_token.yml b/tasks/osbs_koji_token.yml index b11692da32..f219337a99 100644 --- a/tasks/osbs_koji_token.yml +++ b/tasks/osbs_koji_token.yml @@ -5,8 +5,7 @@ - name: put the koji token file in place copy: - src: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-stg-koji" - dest: "/etc/osbs/x86-64-osbs-stg-koji" + src: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-koji" + dest: "/etc/osbs/x86-64-osbs-koji" owner: root mode: 0400 - when: env == "staging"
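Review bot: Removing `when: env == "staging"` makes this copy run for production as well, so the play now requires `{{ private }}/files/osbs/production/x86-64-osbs-koji` in the private repository and fails at this task otherwise; that file is outside this patch, as are the `{{ env }}`-based `odcs-oidc-token` and `x86-64-osbs-orchestrator` sources that `osbs-cluster.yml` now also needs for production, so please confirm all three are in place before running against `osbs-masters`. The token is a Koji credential landing in `/etc/osbs/x86-64-osbs-koji` with `mode: 0400`; writing it as `mode: "0400"` avoids relying on YAML's octal-integer parsing of the unquoted form.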