Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

playbooks/groups/osbs-master.yml: deploy to handle stg and prod

Browse source 
Signed-off-by: Adam Miller <admiller@redhat.com>
This commit is contained in:
Adam Miller 2016-04-12 19:51:10 +00:00
parent b7d4fb6f47
commit d6dd38990e
2 changed files with 303 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
inventory/group_vars/osbs-stg
View file

@ -4,7 +4,11 @@ lvm_size: 60000
mem_size: 8192
num_cpus: 2
tcp_ports: [ 80, 443 ]
tcp_ports: [ 80, 443, 8443]
fas_client_groups: sysadmin-releng,fi-apprentice
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
osbs_api_cert: "osbs.stg.fedoraproject.org.crt"
osbs_api_key: "osbs.stg.fedoraproject.org.key"

297
playbooks/groups/osbs-master.yml
View file

@ -28,3 +28,300 @@
handlers:
- include: "{{ handlers }}/restart_services.yml"
- name: pre-install osbs tasks
hosts: osbs:osbs-stg
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: place htpasswd file
copy:
src: "{{private}}/files/httpd/osbs.htpasswd"
dest: /etc/origin/htpasswd
- name: create cert dir for openshift public facing REST API SSL
file:
path: "/etc/origin/master/named_certificates"
state: "directory"
- name: install cert for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_cert}}"
dest: "/etc/origin/master/named_certificates/{{osbs_api_cert}}"
- name: install key for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_key}}"
dest: "/etc/origin/master/named_certificates/{{osbs_api_key}}"
- name: setup osbs
hosts: osbs:osbs-stg
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- osbs-atomic-reactor
- osbs-common
- osbs-install-openshift
- {
role: osbs-master,
osbs_master_export_port: true,
osbs_manage_firewalld: true,
osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
osbs_readwrite_groups: [],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_master_max_pods: 3,
osbs_update_packages: false,
osbs_image_gc_high_threshold: 90,
osbs_image_gc_low_threshold: 80,
osbs_identity_provider: "htpasswd_provider",
osbs_identity_htpasswd: {
name: htpasswd_provider,
challenge: true,
login: true,
provider_file: "/etc/origin/htpasswd"
},
osbs_named_certificates: {
enabled: true,
cert_file: "named_certificates/osbs.stg.fedoraproject.org.crt",
key_file: "named_certificates/osbs.stg.fedoraproject.org.key",
names: [ "osbs.stg.fedoraproject.org" ],
},
osbs_public_api_url: "osbs.stg.fedoraproject.org",
when: env == "staging"
}
- {
role: osbs-master,
osbs_master_export_port: true,
osbs_manage_firewalld: true,
osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
osbs_readwrite_groups: [],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_master_max_pods: 3,
osbs_update_packages: false,
osbs_image_gc_high_threshold: 90,
osbs_image_gc_low_threshold: 80,
osbs_identity_provider: "htpasswd_provider",
osbs_identity_htpasswd: {
name: htpasswd_provider,
challenge: true,
login: true,
provider_file: "/etc/origin/htpasswd"
},
osbs_named_certificates: {
enabled: true,
cert_file: "named_certificates/osbs.fedoraproject.org.crt",
key_file: "named_certificates/osbs.fedoraproject.org.key",
names: [ "osbs.stg.fedoraproject.org" ],
},
osbs_public_api_url: "osbs.fedoraproject.org",
when: env == "production"
}
- {
role: osbs-client,
general: {
verbose: 0,
build_json_dir: '/usr/share/osbs/',
openshift_required_version: 1.1.0,
},
default: {
username: "{{ osbs_koji_stg_username }}",
password: "{{ osbs_koji_stg_password }}",
koji_certs_secret: "koji",
openshift_url: 'https://osbs.stg.fedoraproject.org:8443/',
registry_uri: 'https://registry.stg.fedoraproject.org/v2',
source_registry_uri: 'https://osbs.stg.fedoraproject.org/v2',
build_host: 'osbs.stg.fedoraproject.org',
koji_root: 'http://koji.fedoraproject.org/koji',
koji_hub: 'http://koji.fedoraproject.org/kojihub',
sources_command: 'fedpkg sources',
build_type: 'prod',
authoritative_registry: 'registry.example.com',
vendor: 'Fedora Project',
verify_ssl: false,
use_auth: true,
builder_use_auth: true,
distribution_scope: 'private',
registry_api_versions: 'v2',
builder_openshift_url: 'https://172.17.0.1:8443/'
},
when: env == "staging"
}
- {
role: osbs-client,
general: {
verbose: 0,
build_json_dir: '/usr/share/osbs/',
openshift_required_version: 1.1.0,
},
default: {
username: "{{ osbs_koji_username }}",
password: "{{ osbs_koji_password }}",
koji_certs_secret: "koji",
openshift_url: 'https://osbs.fedoraproject.org:8443/',
registry_uri: 'https://osbs.fedoraproject.org/v2',
source_registry_uri: 'https://osbs.fedoraproject.org/v2',
build_host: 'osbs.fedoraproject.org',
koji_root: 'http://koji.fedoraproject.org/koji',
koji_hub: 'http://koji.fedoraproject.org/kojihub',
sources_command: 'fedpkg sources',
build_type: 'prod',
authoritative_registry: 'registry.example.com',
vendor: 'Fedora Project',
verify_ssl: false,
use_auth: true,
builder_use_auth: true,
distribution_scope: 'private',
registry_api_versions: 'v2',
builder_openshift_url: 'https://172.17.0.1:8443/'
},
when: env == "production"
}
- name: post-install osbs tasks
hosts: osbs:osbs-stg
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
handlers:
- name: buildroot container
shell: atomic-reactor create-build-image --reactor-tarball-path /usr/share/atomic-reactor/atomic-reactor.tar.gz /etc/osbs/buildroot/ buildroot
- name: oc secrets new
shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
environment: "{{ osbs_environment }}"
notify: oc secrets add
- name: oc secrets add
shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
environment: "{{ osbs_environment }}"
tasks:
- name: Ensure koji dockerbuilder cert path exists
file:
path: "{{ koji_pki_dir }}"
state: "directory"
mode: 0400
- name: Add koji dockerbuilder cert for Content Generator import
copy:
src: "{{private}}/files/koji/containerbuild.pem"
dest: "{{ koji_cert_path }}"
notify: oc secrets new
- name: Add koji dockerbuilder ca cert for Content Generator import
copy:
src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
dest: "{{ koji_ca_cert_path }}"
notify: oc secrets new
- name: install docker
action: "{{ ansible_pkg_mgr }} name=docker state=installed"
- name: ensure docker daemon cert dir exists
file: "{{docker_cert_dir}}"
path:
state: directory
- name: install docker client cert for registry
copy:
src: "{{private}}/files/koji/containerbuild.cert.pem"
dest: "{{docker_cert_dir}}/client.cert"
- name: install docker client key for registry
copy:
src: "{{private}}/files/koji/containerbuild.key.pem"
dest: "{{docker_cert_dir}}/client.key"
- name: start and enable docker
service: name=docker state=started enabled=yes
- name: create fedora image stream for OpenShift
shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f -"
environment: "{{ osbs_environment }}"
args:
creates: /etc/osbs_fedora_imagestream_created
- name: set policy for koji builder in openshift for osbs
shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }}"
when: env == "staging"
- name: set policy for koji builder in openshift for osbs
shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_username }}"
when: env == "production"
- name: set policy for koji builder in openshift for atomic-reactor
shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder"
- name: make sure latest fedora image is pulled and pushed to osbs registry
shell: "docker pull fedora && docker tag -f fedora:latest {{docker_registry}}/fedora:latest && docker push {{docker_registry}}/fedora:latest"
tags:
- containerupdate
- name: Create buildroot container conf directory
file:
path: "/etc/osbs/buildroot/"
state: directory
- name: Upload Dockerfile for buildroot container
copy:
src: "{{ files }}/osbs-buildroot-Dockerfile"
dest: "/etc/osbs/buildroot/Dockerfile"
mode: 0400
notify:
- buildroot container
- name: Upload internal CA for buildroot
copy:
src: "{{private}}/{{osbs_internal_ca}}"
dest: "/etc/osbs/buildroot/ca.crt"
mode: 0400
notify:
- buildroot container
- name: clean up exited containers
shell: for i in $(docker ps -a | awk '/Exited/ { print $1 }') ; do docker rm $i; done
tags:
- cleanup
- name: clean up dangling images
shell: for i in $(docker images -q -f "dangling=true") ; do docker rmi $i; done
tags:
- cleanup