Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

Setup OSBS orchestrated cluster in prod

Browse source 
Signed-off-by: Clement Verna <cverna@tutanota.com>
This commit is contained in:
Clement Verna 2018-07-04 08:58:01 +02:00
parent f719a5b004
commit d679998a0a
11 changed files with 197 additions and 291 deletions
Download patch file Download diff file Expand all files Collapse all files

4
files/osbs/buildroot-Dockerfile-production.j2
View file

@ -1,8 +1,10 @@
FROM registry.fedoraproject.org/fedora:27 FROM registry.fedoraproject.org/fedora
ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\ RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\
python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\ python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\
libmodulemd python2-gobject python3-gobject python2-modulemd python3-modulemd python2-pdc-client python3-pdc-client ostree flatpak skopeo libmodulemd python2-gobject python3-gobject python2-modulemd python3-modulemd python2-pdc-client python3-pdc-client ostree flatpak skopeo
ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json
ADD ./worker_customize.json /usr/share/osbs/worker_customize.json
ADD ./krb5.conf /etc ADD ./krb5.conf /etc
RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc/krb5.conf.d/ccache.conf RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc/krb5.conf.d/ccache.conf
ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/ ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/

2
files/osbs/buildroot-Dockerfile-staging.j2
View file

@ -1,4 +1,4 @@
FROM registry.fedoraproject.org/fedora:27 FROM registry.fedoraproject.org/fedora
ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\ RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\
python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\ python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\

131
inventory/group_vars/osbs-masters
View file

@ -23,8 +23,139 @@ osbs_client_conf_path: /etc/osbs.conf
openshift_node_labels: {'region':'infra'} openshift_node_labels: {'region':'infra'}
openshift_schedulable: False openshift_schedulable: False
osbs_namespace: "osbs-fedora"
osbs_worker_namespace: worker
osbs_worker_service_accounts:
- orchestrator
- builder
osbs_conf_sources_command: fedpkg sources
osbs_conf_vendor: Fedora Project
osbs_orchestrator_cpu_limitrange: "95m"
osbs_worker_default_nodeselector: "worker=true"
osbs_orchestrator_default_nodeselector: "orchestrator=true"
osbs_conf_service_accounts:
- koji
- builder
osbs_conf_readwrite_users:
- "system:serviceaccount:{{ osbs_namespace }}:default"
- "system:serviceaccount:{{ osbs_namespace }}:builder"
osbs_conf_worker_clusters:
x86_64:
- name: x86_64
max_concurrent_builds: 2
openshift_url: "https://osbs.fedoraproject.org/"
verify_ssl: 'false'
osbs_platform_descriptors:
- platform: x86_64
architecture: amd64
enable_v1: True
_osbs_reactor_config_map:
version: 1
clusters:
x86_64:
- name: "x86_64"
max_concurrent_builds: 2
clusters_client_config_dir: "/var/run/secrets/atomic-reactor/client-config-secret"
koji:
hub_url: "https://koji{{ env_suffix }}.fedoraproject.org/kojihub"
root_url: "https://koji{{ env_suffix }}.fedoraproject.org/"
auth:
krb_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
krb_keytab_path: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
odcs:
api_url: "https://odcs{{ env_suffix }}.fedoraproject.org/api/1"
auth:
openidc_dir: "/var/run/secrets/atomic-reactor/odcs-oidc-secret"
signing_intents:
- name: unsigned
keys: []
default_signing_intent: "unsigned"
pdc:
api_url: "https://pdc{{ env_suffix }}.fedoraproject.org/rest_api/v1/"
image_labels:
vendor: "{{ osbs_conf_vendor }}"
authoritative-source-url: "{{ source_registry }}"
distribution-scope: public
image_equal_labels:
- ['description', 'io.k8s.description']
openshift:
url: "https://{{ osbs_url }}"
insecure: true
build_json_dir: /usr/share/osbs
auth:
enable: True
platform_descriptors: "{{ osbs_platform_descriptors }}"
prefer_schema1_digest: False
content_versions:
- v1
- v2
registries:
- url: "{{ docker_registry }}"
insecure: True
auth:
cfg_path: /var/run/secrets/atomic-reactor/v2-registry-dockercfg
source_registry:
url: "{{ source_registry }}"
insecure: True
group_manifests: True
sources_command: "{{ osbs_conf_sources_command }}"
artifacts_allowed_domains: []
#- download.devel.redhat.com/released
#- download.devel.redhat.com/devel/candidates
required_secrets:
- kojisecret
- v2-registry-dockercfg
- odcs-oidc-secret
worker_token_secrets:
- x86-64-orchestrator
- client-config-secret
_osbs_scratch_reactor_config_map_overrides:
image_labels:
distribution-scope: private
osbs_reactor_config_maps:
- name: reactor-config-map
data: "{{ _osbs_reactor_config_map }}"
- name: reactor-config-map-scratch
data: >
{{ _osbs_reactor_config_map |
combine(_osbs_scratch_reactor_config_map_overrides, recursive=True) }}
osbs_odcs_enabled: true
#Docker command delegated host
composer: compose-x86-01.phx2.fedoraproject.org composer: compose-x86-01.phx2.fedoraproject.org
# Nagios configuration
nagios_Check_Services: nagios_Check_Services:
nrpe: true nrpe: true
sshd: true sshd: true

12
inventory/group_vars/osbs-masters-stg
View file

@ -45,7 +45,7 @@ osbs_conf_readwrite_users:
osbs_conf_worker_clusters: osbs_conf_worker_clusters:
x86_64: x86_64:
- name: x86_64-stg - name: x86_64
max_concurrent_builds: 2 max_concurrent_builds: 2
openshift_url: "https://osbs.stg.fedoraproject.org/" openshift_url: "https://osbs.stg.fedoraproject.org/"
verify_ssl: 'false' verify_ssl: 'false'
@ -61,14 +61,14 @@ _osbs_reactor_config_map:
clusters: clusters:
x86_64: x86_64:
- name: "x86_64-stg" - name: "x86_64"
max_concurrent_builds: 2 max_concurrent_builds: 2
clusters_client_config_dir: "/var/run/secrets/atomic-reactor/client-config-secret" clusters_client_config_dir: "/var/run/secrets/atomic-reactor/client-config-secret"
koji: koji:
hub_url: "https://koji.stg.fedoraproject.org/kojihub" hub_url: "https://koji{{ env_suffix }}.fedoraproject.org/kojihub"
root_url: "https://koji.stg.fedoraproject.org/" root_url: "https://koji{{ env_suffix }}.fedoraproject.org/"
auth: auth:
krb_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}" krb_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
krb_keytab_path: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab" krb_keytab_path: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
@ -83,7 +83,7 @@ _osbs_reactor_config_map:
default_signing_intent: "unsigned" default_signing_intent: "unsigned"
pdc: pdc:
api_url: "https://pdc.stg.fedoraproject.org/rest_api/v1/" api_url: "https://pdc{{ env_suffix }}.fedoraproject.org/rest_api/v1/"
image_labels: image_labels:
vendor: "{{ osbs_conf_vendor }}" vendor: "{{ osbs_conf_vendor }}"
@ -131,7 +131,7 @@ _osbs_reactor_config_map:
- odcs-oidc-secret - odcs-oidc-secret
worker_token_secrets: worker_token_secrets:
- x86-64-stg-orchestrator - x86-64-orchestrator
- client-config-secret - client-config-secret
_osbs_scratch_reactor_config_map_overrides: _osbs_scratch_reactor_config_map_overrides:

4
inventory/host_vars/osbs-master01.phx2.fedoraproject.org
View file

@ -2,8 +2,8 @@
nm: 255.255.255.0 nm: 255.255.255.0
gw: 10.5.125.254 gw: 10.5.125.254
dns: 10.5.126.21 dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
volgroup: /dev/vg_guests volgroup: /dev/vg_guests
eth0_ip: 10.5.125.55 eth0_ip: 10.5.125.55
vmhost: bvirthost01.phx2.fedoraproject.org vmhost: bvirthost01.phx2.fedoraproject.org

4
inventory/host_vars/osbs-node01.phx2.fedoraproject.org
View file

@ -2,8 +2,8 @@
nm: 255.255.255.0 nm: 255.255.255.0
gw: 10.5.125.254 gw: 10.5.125.254
dns: 10.5.126.21 dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
volgroup: /dev/vg_guests volgroup: /dev/vg_guests
eth0_ip: 10.5.125.53 eth0_ip: 10.5.125.53
vmhost: bvirthost01.phx2.fedoraproject.org vmhost: bvirthost01.phx2.fedoraproject.org

4
inventory/host_vars/osbs-node02.phx2.fedoraproject.org
View file

@ -2,8 +2,8 @@
nm: 255.255.255.0 nm: 255.255.255.0
gw: 10.5.125.254 gw: 10.5.125.254
dns: 10.5.126.21 dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
volgroup: /dev/vg_guests volgroup: /dev/vg_guests
eth0_ip: 10.5.125.54 eth0_ip: 10.5.125.54
vmhost: bvirthost01.phx2.fedoraproject.org vmhost: bvirthost01.phx2.fedoraproject.org

19
playbooks/groups/buildvm.yml
View file

@ -111,8 +111,8 @@
client_config_secret: 'client-config-secret', client_config_secret: 'client-config-secret',
reactor_config_secret: 'reactor-config-secret', reactor_config_secret: 'reactor-config-secret',
registry_secret_name: 'v2-registry-dockercfg', registry_secret_name: 'v2-registry-dockercfg',
token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-stg-orchestrator', token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-orchestrator',
token_file: '/etc/osbs/x86-64-osbs-stg-koji', token_file: '/etc/osbs/x86-64-osbs-koji',
namespace: 'osbs-fedora', namespace: 'osbs-fedora',
can_orchestrate: true, can_orchestrate: true,
builder_odcs_url: "https://odcs{{ env_suffix }}.fedoraproject.org", builder_odcs_url: "https://odcs{{ env_suffix }}.fedoraproject.org",
@ -129,7 +129,7 @@
when: env == 'production' and ansible_architecture == 'x86_64', when: env == 'production' and ansible_architecture == 'x86_64',
general: { general: {
verbose: 0, verbose: 0,
build_json_dir: '/etc/osbs/input/', build_json_dir: '/usr/share/osbs/',
openshift_required_version: 1.1.0, openshift_required_version: 1.1.0,
}, },
default: { default: {
@ -154,7 +154,18 @@
distribution_scope: 'private', distribution_scope: 'private',
registry_api_versions: 'v2', registry_api_versions: 'v2',
builder_openshift_url: 'https://{{osbs_url}}', builder_openshift_url: 'https://{{osbs_url}}',
registry_secret_name: 'v2-registry-dockercfg' registry_secret_name: 'v2-registry-dockercfg',
token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-orchestrator',
token_file: '/etc/osbs/x86-64-osbs-koji',
namespace: 'osbs-fedora',
can_orchestrate: true,
builder_odcs_url: "https://odcs{{ env_suffix }}.fedoraproject.org",
builder_odcs_openidc_secret: "odcs-oidc-secret",
builder_pdc_url: "https://pdc.fedoraproject.org/api/1",
flatpak_base_image: "registry.fedoraproject.org/fedora:latest",
reactor_config_map: "reactor-config-map",
reactor_config_map_scratch: "reactor-config-map-scratch",
build_from: "image:buildroot:latest"
} }
} }
handlers: handlers:

270
playbooks/groups/osbs-cluster.yml
View file

@ -234,10 +234,11 @@
cluster_inventory_filename: "cluster-inventory", cluster_inventory_filename: "cluster-inventory",
openshift_htpasswd_file: "/etc/origin/htpasswd", openshift_htpasswd_file: "/etc/origin/htpasswd",
openshift_master_public_api_url: "https://{{ osbs_url }}:8443", openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
openshift_release: "v3.6.0", openshift_release: "v3.9.0",
openshift_ansible_path: "/root/openshift-ansible", openshift_ansible_path: "/root/openshift-ansible",
openshift_ansible_playbook: "playbooks/byo/config.yml", openshift_ansible_pre_playbook: "playbooks/prerequisites.yml",
openshift_ansible_version: "release-3.6-fedora-compat", openshift_ansible_playbook: "playbooks/deploy_cluster.yml",
openshift_ansible_version: "openshift-ansible-3.9.30-1",
openshift_ansible_ssh_user: root, openshift_ansible_ssh_user: root,
openshift_ansible_install_examples: false, openshift_ansible_install_examples: false,
openshift_ansible_containerized_deploy: false, openshift_ansible_containerized_deploy: false,
@ -319,86 +320,8 @@
src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}" src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
dest: "/etc/dnsmasq.d/fedora-dns.conf" dest: "/etc/dnsmasq.d/fedora-dns.conf"
- name: Setup requirements for OpenShift master
hosts: osbs-masters-stg:osbs-masters
tags:
- osbs-master-req
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: set policy for koji builder in openshift for osbs
command: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "production"
- name: set policy for koji builder in openshift for atomic-reactor
command: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added"
args:
creates: "/etc/origin/atomic-reactor-policy-added"
when: env == "production"
- name: Deploy OSBS on top of OpenShift
hosts: osbs-masters-stg[0]:osbs-masters[0]
tags:
- osbs-deploy-on-openshift
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
roles:
- {
role: osbs-on-openshift,
osbs_openshift_home: "/var/lib/origin",
osbs_namespace: "default",
osbs_namespace_create: "false",
osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig",
osbs_environment: [
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
],
osbs_service_accounts: [],
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"],
osbs_readwrite_groups: [ "system:authenticated"],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_docker_registry: false,
osbs_docker_registry_storage: "/opt/openshift-registry",
when: env == "production"
}
tasks:
- name: set custom build policy for koji builder in openshift for osbs
command: "oc adm policy add-role-to-user -n default osbs-custom-build {{ osbs_koji_prod_username }} --role-namespace=default && touch /etc/origin/koji-custom-build-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "production"
environment: "{{ osbs_environment }}"
- name: set custom build policy for builder service account in openshift for osbs
command: "oc adm policy add-role-to-user -n default osbs-custom-build system:serviceaccount:default:builder --role-namespace=default && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "production"
environment: "{{ osbs_environment }}"
- name: Create worker namespace - name: Create worker namespace
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
tags: tags:
- osbs-worker-namespace - osbs-worker-namespace
user: root user: root
@ -420,10 +343,10 @@
osbs_authoritative_registry: "{{ source_registry }}" osbs_authoritative_registry: "{{ source_registry }}"
osbs_sources_command: "{{ osbs_conf_sources_command }}" osbs_sources_command: "{{ osbs_conf_sources_command }}"
osbs_vendor: "{{ osbs_conf_vendor }}" osbs_vendor: "{{ osbs_conf_vendor }}"
when: env == "staging"
- name: setup koji secret in worker namespace - name: setup koji secret in worker namespace
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml" - "/srv/private/ansible/vars.yml"
@ -437,10 +360,9 @@
osbs_secret_files: osbs_secret_files:
- source: "{{ private }}/files/koji/containerbuild.pem" - source: "{{ private }}/files/koji/containerbuild.pem"
dest: cert dest: cert
when: env == "staging"
- name: setup ODCS secret in worker namespace - name: setup ODCS secret in worker namespace
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml" - "/srv/private/ansible/vars.yml"
@ -450,14 +372,13 @@
osbs_namespace: "{{ osbs_worker_namespace }}" osbs_namespace: "{{ osbs_worker_namespace }}"
osbs_secret_name: odcs-oidc-secret osbs_secret_name: odcs-oidc-secret
osbs_secret_files: osbs_secret_files:
- source: "{{ private }}/files/osbs/staging/odcs-oidc-token" - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
dest: token dest: token
when: env == "staging"
tags: tags:
- osbs-worker-namespace - osbs-worker-namespace
- name: Create orchestrator namespace - name: Create orchestrator namespace
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
roles: roles:
- role: osbs-namespace - role: osbs-namespace
osbs_orchestrator: true osbs_orchestrator: true
@ -474,38 +395,48 @@
koji_use_kerberos: true koji_use_kerberos: true
koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab" koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}" koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
when: env == "staging"
tags: tags:
- osbs-orchestrator-namespace - osbs-orchestrator-namespace
- name: Add the worker/orchestrator labels to the nodes - name: Add the worker/orchestrator labels to the nodes
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
tags: tags:
- osbs-labels-nodes - osbs-labels-nodes
tasks: tasks:
- name: Add the worker label - name: Add the worker label
command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite" command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
loop: "{{ groups['osbs-nodes-stg'] }}" loop: "{{ groups['osbs-nodes-stg'] }}"
when: env == "staging"
- name: Add the orchestrator labels to the nodes - name: Add the orchestrator labels to the nodes
command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite" command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite"
loop: "{{ groups['osbs-nodes-stg'] }}" loop: "{{ groups['osbs-nodes-stg'] }}"
when: env == "staging"
- name: Add the worker label
command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
loop: "{{ groups['osbs-nodes'] }}"
when: env == "production"
- name: Add the orchestrator labels to the nodes
command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite"
loop: "{{ groups['osbs-nodes'] }}"
when: env == "production"
- name: setup reactor config secret in orchestrator namespace - name: setup reactor config secret in orchestrator namespace
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
roles: roles:
- role: osbs-secret - role: osbs-secret
osbs_secret_name: reactor-config-secret osbs_secret_name: reactor-config-secret
osbs_secret_files: osbs_secret_files:
- source: "/tmp/{{ osbs_namespace }}-reactor-config-secret.yml" - source: "/tmp/{{ osbs_namespace }}-reactor-config-secret.yml"
dest: config.yaml dest: config.yaml
when: env == "staging"
tags: tags:
- osbs-orchestrator-namespace - osbs-orchestrator-namespace
- name: setup ODCS secret in orchestrator namespace - name: setup ODCS secret in orchestrator namespace
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml" - "/srv/private/ansible/vars.yml"
@ -514,26 +445,24 @@
- role: osbs-secret - role: osbs-secret
osbs_secret_name: odcs-oidc-secret osbs_secret_name: odcs-oidc-secret
osbs_secret_files: osbs_secret_files:
- source: "{{ private }}/files/osbs/staging/odcs-oidc-token" - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
dest: token dest: token
when: env == "staging"
tags: tags:
- osbs-orchestrator-namespace - osbs-orchestrator-namespace
- name: setup client config secret in orchestrator namespace - name: setup client config secret in orchestrator namespace
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
roles: roles:
- role: osbs-secret - role: osbs-secret
osbs_secret_name: client-config-secret osbs_secret_name: client-config-secret
osbs_secret_files: osbs_secret_files:
- source: "/tmp/{{ osbs_namespace }}-client-config-secret.conf" - source: "/tmp/{{ osbs_namespace }}-client-config-secret.conf"
dest: osbs.conf dest: osbs.conf
when: env == "staging"
tags: tags:
- osbs-orchestrator-namespace - osbs-orchestrator-namespace
- name: setup koji secret in orchestrator namespace - name: setup koji secret in orchestrator namespace
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml" - "/srv/private/ansible/vars.yml"
@ -544,23 +473,21 @@
osbs_secret_files: osbs_secret_files:
- source: "{{ private }}/files/koji/containerbuild.pem" - source: "{{ private }}/files/koji/containerbuild.pem"
dest: cert dest: cert
when: env == "staging"
tags: tags:
- osbs-orchestrator-namespace - osbs-orchestrator-namespace
- name: setup orchestrator token for x86_64-osbs - name: setup orchestrator token for x86_64-osbs
hosts: osbs-masters-stg[0] hosts: osbs-masters-stg[0]:osbs-masters[0]
vars_files: vars_files:
- /srv/web/infra/ansible/vars/global.yml - /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml" - "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles: roles:
- role: osbs-secret - role: osbs-secret
osbs_secret_name: x86-64-stg-orchestrator osbs_secret_name: x86-64-orchestrator
osbs_secret_files: osbs_secret_files:
- source: "{{ private }}/files/osbs/staging/x86-64-osbs-stg-orchestrator" - source: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-orchestrator"
dest: token dest: token
when: env == "staging"
tags: tags:
- osbs-orchestrator-namespace - osbs-orchestrator-namespace
@ -633,7 +560,6 @@
osbs_secret_files: osbs_secret_files:
- source: "/tmp/.dockercfg" - source: "/tmp/.dockercfg"
dest: .dockercfg dest: .dockercfg
when: env == "staging"
post_tasks: post_tasks:
- name: Delete the temporary secret file - name: Delete the temporary secret file
@ -642,80 +568,6 @@
state=absent state=absent
path="/tmp/.dockercfg" path="/tmp/.dockercfg"
- name: Manage docker images and image stream
hosts: osbs-masters[0]
tags:
- osbs-post-install
- manage-docker-images
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
tasks:
- name: pull fedora required docker images
command: "docker pull {{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: "{{ composer }}"
register: docker_pull_fedora_delegated
changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout"
- name: tag fedora required docker images for our registry
command: "docker tag {{item}} {{docker_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: "{{ composer }}"
when: docker_pull_fedora_delegated is changed
- name: push fedora required docker images to our registry
command: "docker push {{docker_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: "{{ composer }}"
when: docker_pull_fedora_delegated is changed
- name: register origin_version_out rpm query
command: "rpm -q origin --qf '%{Version}'"
register: origin_version_out
check_mode: no
changed_when: False
- set_fact:
origin_version: "{{origin_version_out.stdout}}"
- name: pull openshift required docker images
command: "docker pull {{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: "{{ composer }}"
register: docker_pull_openshift_delegated
changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout"
- name: tag openshift required docker images for our registry
command: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: "{{ composer }}"
when: docker_pull_openshift_delegated is changed
- name: push openshift required docker images to our registry
command: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: "{{ composer }}"
when: docker_pull_openshift_delegated is changed
- name: create fedora image stream for OpenShift
command: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
environment: "{{ osbs_environment }}"
args:
creates: /etc/origin/fedoraimagestreamcreated
- name: post-install master host osbs tasks - name: post-install master host osbs tasks
hosts: osbs-masters-stg:osbs-masters hosts: osbs-masters-stg:osbs-masters
tags: tags:
@ -786,7 +638,7 @@
- name: post-install osbs tasks - name: post-install osbs tasks
hosts: osbs-nodes-stg:osbs-masters:osbs-nodes hosts: osbs-nodes-stg:osbs-nodes
tags: tags:
- osbs-post-install - osbs-post-install
vars_files: vars_files:
@ -823,40 +675,6 @@
state: restarted state: restarted
daemon_reload: yes daemon_reload: yes
roles:
- {
role: osbs-client,
general: {
verbose: 0,
build_json_dir: '/etc/osbs/input/',
openshift_required_version: 1.1.0,
},
default: {
username: "{{ osbs_koji_prod_username }}",
password: "{{ osbs_koji_prod_password }}",
koji_use_kerberos: True,
koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab",
koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}",
openshift_url: 'https://{{osbs_url}}/',
registry_uri: 'https://{{docker_registry}}/v2',
source_registry_uri: 'https://{{source_registry}}/v2',
build_host: '{{osbs_url}}',
koji_root: 'https://{{koji_url}}/koji',
koji_hub: 'https://{{koji_url}}/kojihub',
sources_command: 'fedpkg sources',
build_type: 'prod',
authoritative_registry: 'registry.fedoraproject.org',
vendor: 'Fedora Project',
verify_ssl: true,
use_auth: true,
builder_use_auth: true,
distribution_scope: 'private',
registry_api_versions: 'v2',
builder_openshift_url: 'https://{{osbs_url}}'
},
when: env == "production"
}
tasks: tasks:
- name: enable nrpe for monitoring (noc01) - name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
@ -990,26 +808,6 @@
check_mode: no check_mode: no
changed_when: False changed_when: False
- set_fact:
origin_version: "{{origin_version_out.stdout}}"
- name: pull openshift required docker images
command: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
register: docker_pull_openshift
changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"
when: env == "production"
- name: tag openshift required docker images locally
command: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
when:
- docker_pull_openshift is changed
- env == "production"
- set_fact:
docker_pull_openshift: "{{ docker_pull_openshift }}"
- name: Post-Install image stream refresh - name: Post-Install image stream refresh
hosts: osbs-masters[0]:osbs-masters-stg[0] hosts: osbs-masters[0]:osbs-masters-stg[0]
@ -1022,10 +820,6 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks: tasks:
- name: refresh fedora image streams
command: "oc import-image fedora --all"
when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"] is changed
- name: enable nrpe for monitoring (noc01) - name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT

33
roles/osbs-client/tasks/main.yml
View file

@ -9,35 +9,4 @@
- name: apply osbs-client templated config - name: apply osbs-client templated config
template: src=osbs.conf.j2 dest={{ osbs_client_conf_path }} mode=0640 template: src=osbs.conf.j2 dest={{ osbs_client_conf_path }} mode=0640
tags: tags:
- osbs-client - osbs-client
- name: Create custom OSBS input directory
file:
path: "/etc/osbs/input/"
state: directory
tags:
- osbs-client
when: env == 'production'
# This overrides defaults which are set in
# https://github.com/projectatomic/osbs-client/blob/master/inputs/prod_inner.json
- name: Upload OSBS Site Customizations plugin conf
copy:
src: "osbs-site-customize.json"
dest: "/etc/osbs/input/prod_customize.json"
mode: 0400
tags:
- osbs-client
when: env == 'production'
- name: Symlink in OSBS input configs provided by package
file:
src: "/usr/share/osbs/{{item}}.json"
dest: "/etc/osbs/input/{{item}}.json"
state: link
with_items:
- "prod"
- "prod_inner"
tags:
- osbs-client
when: env == 'production'

5
tasks/osbs_koji_token.yml
View file

@ -5,8 +5,7 @@
- name: put the koji token file in place - name: put the koji token file in place
copy: copy:
src: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-stg-koji" src: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-koji"
dest: "/etc/osbs/x86-64-osbs-stg-koji" dest: "/etc/osbs/x86-64-osbs-koji"
owner: root owner: root
mode: 0400 mode: 0400
when: env == "staging"