Remove osbs-orchestrator-cluster.yml; align stg/prod OSBS

For the time being, this needs to be removed. This work has been
put on hold until a new Fedora Engineering Team member is onboarded
in order to take this work over, and in the meantime there's no
sense in leaving stage OSBS broken for users.

This commit also brings stage OSBS back into alignment with the
production OSBS which is the "old" OSBS Architecture as defined in
the upstream documentation:

    https://osbs.readthedocs.io/en/latest/multiarch.html

Signed-off-by: Adam Miller <admiller@redhat.com>
Adam Miller 2017-11-07 21:08:41 +00:00
parent 177bb8c15e
commit d71a039927
12 changed files with 185 additions and 1181 deletions


@ -1 +0,0 @@
---


@ -1,145 +1,34 @@
---
# Define resources for this group of hosts here.
lvm_size: 60000
mem_size: 8192
num_cpus: 2
baseiptables: False
tcp_ports: [ 80, 443, 8443]
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
stable_registry: "registry.stg.fedoraproject.org"
candidate_registry: "candidate-registry.stg.fedoraproject.org"
source_registry: "registry.stg.fedoraproject.org"
docker_registry: "candidate-registry.stg.fedoraproject.org"
osbs_url: "osbs.stg.fedoraproject.org"
osbsworker_x86_64_url: "osbsworker-x86-64.stg.fedoraproject.org"
osbs_koji_username: "kojibuilder_stg"
koji_url: "koji.stg.fedoraproject.org"
osbs_builder_user: builder
koji_builder_user: dockerbuilder
osbs_client_conf_path: /etc/osbs.conf
# openshift-ansible variables
# Need to use this special branch on my fork for stage until these are merged
# upstream and backported to the release-3.6 branch
#
# https://github.com/openshift/openshift-ansible/pull/5101
# https://github.com/openshift/openshift-ansible/pull/5129
oa_version: 3.6-add-dnf-support
oa_ssh_user: root
oa_install_examples: false
oa_containerized_deploy: false
oa_auth_profile: osbs
oa_debug_level: 2
oa_htpasswd_file: /etc/origin/htpasswd
origin_release: v3.6.0
osbs_koji_username: "kojibuilder_stg"
openshift_home: /var/lib/origin
generated_config_path: /tmp
osbs_admin: true
osbs_orchestrator_service_accounts:
- worker
- orchestrator
- metrics
os_cpu_limitrange: '200m'
# FIXME
osbs_orchestrator: false
osbs_worker_namespace: "worker"
osbs_orchestrator_namespace: "osbs"
osbs_worker_service_accounts:
- worker
- orchestrator
worker_clusters:
x86_64:
- name: osbsworker-x86-64
max_concurrent_builds: 12
openshift_url: "https://{{ osbsworker_x86_64_url }}"
verify_ssl: 'false'
artifacts_allowed_domains:
- "{{stable_registry}}"
- "{{candidate_registry}}"
koji_hub: "https://{{koji_url}}/kojihub"
koji_root: "https://{{koji_url}}/koji"
osbs_pulp_registry_name: brew-prod
osbs_registry_uri: "https://{{candidate_registry}}/v2"
osbs_source_registry_uri: http://brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888
koji_secret_name: kojisecret
distribution_scope: public
authoritative_registry: "{{ stable_registry }}"
registry_api_versions:
- v2
registry_secret_name: v2-registry-dockercfg
build_json_dir: /usr/share/osbs
sources_command: fedpkg sources
vendor: Fedora Project
osbs_manage_firewalld: false
kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_env:
HOME: "{{ lookup('env', 'HOME') }}"
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
osbs_orchestrator_readonly_users:
- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:metrics"
osbs_orchestrator_readonly_groups:
- "system:authenticated"
osbs_orchestrator_readwrite_groups: []
osbs_orchestrator_readwrite_users:
- "{{ ansible_hostname }}"
- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:default"
- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:builder"
osbs_worker_readonly_users:
- "system:serviceaccount:{{ osbs_worker_namespace }}:metrics"
osbs_worker_readonly_groups:
- "system:authenticated"
osbs_worker_readwrite_groups: []
osbs_worker_readwrite_users:
- "{{ ansible_hostname }}"
- "system:serviceaccount:{{ osbs_worker_namespace }}:default"
- "system:serviceaccount:{{ osbs_worker_namespace }}:builder"
os_admin_users:
- kevin
- puiterwijk
- maxamillion
- dgilmore
- kojibuilder_stg
os_admin_groups: []
osbs_nodes: "{{ groups['osbs-orchestrator-' + env + '-nodes'] }}"
#nodeselectors
osbs_orchestrator_default_nodeselector: "orchestrator=true"
osbs_orchestrator_nodeselector_labels: "'orchestrator': 'true'"
osbs_worker_default_nodeselector: "worker=true"
osbs_worker_nodeselector_labels: "'worker': 'true'"
# fedora container images required by buildroot
fedora_required_images:
- "fedora:latest"
baseiptables: False
# docker images required by OpenShift Origin
openshift_required_images:
- "openshift/origin-pod"
# fedora container images required by buildroot
fedora_required_images:
- "fedora:latest"
nm_controlled_resolv: True
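Review bot: `baseiptables: False` appears twice in this file (once in the resource block at the top and again right after the first `fedora_required_images` list), and from the hunk counts both copies look to land on the new side; YAML loaders silently keep the last value, so the second copy should be dropped (yamllint `key-duplicates`). The same check applies to `osbs_koji_username` and `fedora_required_images`, which are each shown twice, if both copies survive the rewrite rather than one belonging to the removed orchestrator block. While touching these lines, `baseiptables: False` and `nm_controlled_resolv: True` would read better as canonical lowercase `false`/`true`, and `tcp_ports: [ 80, 443, 8443]` has uneven spacing inside the flow list; `tcp_ports: [80, 443, 8443]`.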


@ -1,32 +0,0 @@
---
# Define resources for this group of hosts here.
lvm_size: 60000
mem_size: 8192
num_cpus: 2
tcp_ports: [ 80, 443, 8443]
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
source_registry: "registry.stg.fedoraproject.org"
docker_registry: "candidate-registry.stg.fedoraproject.org"
osbs_url: "osbs.stg.fedoraproject.org"
osbs_koji_username: "kojibuilder_stg"
koji_url: "koji.stg.fedoraproject.org"
osbs_client_conf_path: /etc/osbs.conf
openshift_node_labels: {'region':'infra'}
openshift_schedulable: False
nagios_Check_Services:
nrpe: true
sshd: true
named: false
dhcpd: false
httpd: false
swap: false


@ -1,31 +0,0 @@
---
# Define resources for this group of hosts here.
lvm_size: 60000
mem_size: 8192
num_cpus: 2
tcp_ports: [ 80, 443, 8443, 10250]
fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org"
source_registry: "registry.stg.fedoraproject.org"
docker_registry: "candidate-registry.stg.fedoraproject.org"
osbs_url: "osbs.stg.fedoraproject.org"
osbs_koji_username: "kojibuilder_stg"
koji_url: "koji.stg.fedoraproject.org"
osbs_client_conf_path: /etc/osbs.conf
openshift_node_labels: {'region': 'primary', 'zone': 'default'}
nagios_Check_Services:
nrpe: true
sshd: true
named: false
dhcpd: false
httpd: false
swap: false


@ -1,10 +0,0 @@
---
# Define resources for this group of hosts here.
lvm_size: 60000
mem_size: 8192
num_cpus: 2
tcp_ports: [ 80, 443, 8443]
openshift_node_labels: {'region':'infra'}
openshift_schedulable: False


@ -1,9 +0,0 @@
---
# Define resources for this group of hosts here.
lvm_size: 60000
mem_size: 8192
num_cpus: 2
tcp_ports: [ 80, 443, 8443, 10250]
openshift_node_labels: {'region': 'primary', 'zone': 'default'}


@ -1,19 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
volgroup: /dev/vg_guests
eth0_ip: 10.5.128.110
vmhost: virthost05.phx2.fedoraproject.org
datacenter: phx2
host_group: osbs-stg
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
lvm_size: 120g
mem_size: 16384
max_mem_size: 16384
num_cpus: 4


@ -1,19 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
volgroup: /dev/vg_guests
eth0_ip: 10.5.128.111
vmhost: virthost05.phx2.fedoraproject.org
datacenter: phx2
host_group: osbs-nodes-stg
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
lvm_size: 120g
mem_size: 16384
max_mem_size: 16384
num_cpus: 4


@ -1,19 +0,0 @@
---
nm: 255.255.255.0
gw: 10.5.128.254
dns: 10.5.126.21
ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26
ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
volgroup: /dev/vg_guests
eth0_ip: 10.5.128.112
vmhost: virthost05.phx2.fedoraproject.org
datacenter: phx2
host_group: osbs-nodes-stg
nrpe_procs_warn: 900
nrpe_procs_crit: 1000
lvm_size: 120g
mem_size: 16384
max_mem_size: 16384
num_cpus: 4


@ -828,9 +828,6 @@ osbs-control01.stg.phx2.fedoraproject.org
osbs-master01.stg.phx2.fedoraproject.org
osbs-node01.stg.phx2.fedoraproject.org
osbs-node02.stg.phx2.fedoraproject.org
osbsworker-x86-64-master01.stg.phx2.fedoraproject.org
osbsworker-x86-64-node01.stg.phx2.fedoraproject.org
osbsworker-x86-64-node02.stg.phx2.fedoraproject.org
docker-registry01.stg.phx2.fedoraproject.org
docker-registry02.stg.phx2.fedoraproject.org
docker-candidate-registry01.stg.phx2.fedoraproject.org
@ -1396,31 +1393,10 @@ osbs-master01.stg.phx2.fedoraproject.org
osbs-node01.stg.phx2.fedoraproject.org
osbs-node02.stg.phx2.fedoraproject.org
[osbsworker-x86-64-masters-stg]
osbsworker-x86-64-master01.stg.phx2.fedoraproject.org
[osbsworker-x86-64-nodes-stg]
osbsworker-x86-64-node01.stg.phx2.fedoraproject.org
osbsworker-x86-64-node02.stg.phx2.fedoraproject.org
[osbsworker-masters-stg:children]
osbsworker-x86-64-masters-stg
[osbsworker-nodes-stg:children]
osbsworker-x86-64-nodes-stg
[osbs-orchestrators-stg:children]
osbs-nodes-stg
osbs-masters-stg
[osbs-workers-stg:children]
osbsworker-x86-64-nodes-stg
osbsworker-x86-64-masters-stg
[osbs-stg:children]
osbs-control-stg
osbs-orchestrators-stg
osbs-workers-stg
osbs-masters-stg
osbs-nodes-stg
[os-control-stg]
os-control01.stg.phx2.fedoraproject.org


@ -1,9 +1,11 @@
# create an osbs server
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control-stg"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes:osbs-masters"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes-stg:osbs-masters-stg"
- name: make the box be real
hosts: osbs-control:osbs-masters:osbs-nodes
hosts: osbs-control:osbs-masters:osbs-nodes:osbs-control-stg:osbs-masters-stg:osbs-nodes-stg
user: root
gather_facts: True
@ -31,7 +33,7 @@
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: OSBS control hosts pre-req setup
hosts: osbs-control
hosts: osbs-control:osbs-control-stg
tags:
- osbs-cluster-prereq
user: root
@ -58,7 +60,7 @@
value: "True"
- name: Setup cluster masters pre-reqs
hosts: osbs-masters
hosts: osbs-masters-stg:osbs-masters
tags:
- osbs-cluster-prereq
user: root
@ -97,7 +99,7 @@
- name: Setup cluster hosts pre-reqs
hosts: osbs-masters:osbs-nodes
hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags:
- osbs-cluster-prereq
user: root
@ -159,7 +161,7 @@
dest: "/etc/sysconfig/docker-storage-setup"
- name: Deploy kerberose keytab to cluster hosts
hosts: osbs-masters:osbs-nodes
hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags:
- osbs-cluster-prereq
user: root
@ -177,49 +179,80 @@
service: osbs
host: "osbs.fedoraproject.org"
when: env == "production"
- role: keytab/service
owner_user: root
owner_group: root
service: osbs
host: "osbs.stg.fedoraproject.org"
when: env == "staging"
- name: Deploy OpenShift Cluster
hosts: osbs-control:osbs-control-stg
tags:
- osbs-deploy-openshift
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- {
role: ansible-ansible-openshift-ansible,
cluster_inventory_filename: "cluster-inventory-stg",
openshift_htpasswd_file: "/etc/origin/htpasswd",
openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
openshift_release: "v3.6.0",
openshift_ansible_path: "/root/openshift-ansible",
openshift_ansible_playbook: "playbooks/byo/config.yml",
openshift_ansible_version: "release-3.6-fedora-compat",
openshift_ansible_ssh_user: root,
openshift_ansible_install_examples: false,
openshift_ansible_containerized_deploy: false,
openshift_cluster_masters_group: "osbs-masters-stg",
openshift_cluster_nodes_group: "osbs-nodes-stg",
openshift_cluster_infra_group: "osbs-masters-stg",
openshift_auth_profile: "osbs",
openshift_cluster_url: "{{osbs_url}}",
openshift_master_ha: false,
openshift_debug_level: 2,
openshift_shared_infra: true,
openshift_deployment_type: "origin",
openshift_ansible_python_interpreter: "/usr/bin/python3",
when: env == 'staging',
tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
}
- {
role: ansible-ansible-openshift-ansible,
cluster_inventory_filename: "cluster-inventory",
openshift_htpasswd_file: "/etc/origin/htpasswd",
openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
openshift_release: "v3.6.0",
openshift_ansible_path: "/root/openshift-ansible",
openshift_ansible_playbook: "playbooks/byo/config.yml",
openshift_ansible_version: "release-3.6-fedora-compat",
openshift_ansible_ssh_user: root,
openshift_ansible_install_examples: false,
openshift_ansible_containerized_deploy: false,
openshift_cluster_masters_group: "osbs-masters",
openshift_cluster_nodes_group: "osbs-nodes",
openshift_cluster_infra_group: "osbs-masters",
openshift_auth_profile: "osbs",
openshift_cluster_url: "{{osbs_url}}",
openshift_master_ha: false,
openshift_debug_level: 2,
openshift_shared_infra: true,
openshift_deployment_type: "origin",
openshift_ansible_python_interpreter: "/usr/bin/python3",
when: env == 'production',
tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
}
#- name: Deploy OpenShift Cluster
# hosts: osbs-control
# tags:
# - osbs-deploy-openshift
# user: root
# gather_facts: True
#
# vars_files:
# - /srv/web/infra/ansible/vars/global.yml
# - "/srv/private/ansible/vars.yml"
# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
#
# roles:
# - {
# role: ansible-ansible-openshift-ansible,
# cluster_inventory_filename: "cluster-inventory",
# openshift_htpasswd_file: "/etc/origin/htpasswd",
# openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
# openshift_release: "v3.6.0",
# openshift_ansible_path: "/root/openshift-ansible",
# openshift_ansible_playbook: "playbooks/byo/config.yml",
# openshift_ansible_version: "release-3.6-fedora-compat",
# openshift_ansible_ssh_user: root,
# openshift_ansible_install_examples: false,
# openshift_ansible_containerized_deploy: false,
# openshift_cluster_masters_group: "osbs-masters",
# openshift_cluster_nodes_group: "osbs-nodes",
# openshift_cluster_infra_group: "osbs-masters",
# openshift_auth_profile: "osbs",
# openshift_cluster_url: "{{osbs_url}}",
# openshift_master_ha: false,
# openshift_debug_level: 2,
# openshift_shared_infra: true,
# openshift_deployment_type: "origin",
# openshift_ansible_python_interpreter: "/usr/bin/python3",
# when: env == 'production',
# tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
# }
#
- name: Setup OSBS requirements for OpenShift cluster hosts
hosts: osbs-masters:osbs-nodes
hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags:
- osbs-cluster-req
user: root
@ -236,6 +269,26 @@
osbs_manage_firewalld: false,
}
- osbs-atomic-reactor
- {
role: push-docker,
docker_cert_name: "containerbuild",
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
when: env == "staging"
}
- {
role: "manage-container-images",
cert_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
when: env == "staging"
}
- {
role: "manage-container-images",
cert_dest_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org",
cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
when: env == "staging"
}
- {
role: push-docker,
docker_cert_name: "containerbuild",
@ -258,7 +311,7 @@
dest: "/etc/dnsmasq.d/fedora-dns.conf"
- name: Setup requirements for OpenShift master
hosts: osbs-masters
hosts: osbs-masters-stg:osbs-masters
tags:
- osbs-master-req
user: root
@ -270,6 +323,12 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: set policy for koji builder in openshift for osbs
shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "staging"
- name: set policy for koji builder in openshift for osbs
shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
args:
@ -282,7 +341,7 @@
creates: "/etc/origin/atomic-reactor-policy-added"
- name: Deploy OSBS on top of OpenShift
hosts: osbs-masters[0]
hosts: osbs-masters-stg[0]:osbs-masters[0]
tags:
- osbs-deploy-on-openshift
user: root
@ -311,6 +370,26 @@
osbs_service_accounts: [],
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: ["{{ osbs_koji_stg_username }}"],
osbs_readwrite_groups: [ "system:authenticated"],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_docker_registry: false,
osbs_docker_registry_storage: "/opt/openshift-registry",
when: env == "staging"
}
- {
role: osbs-on-openshift,
osbs_openshift_home: "/var/lib/origin",
osbs_namespace: "default",
osbs_namespace_create: "false",
osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig",
osbs_environment: [
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
],
osbs_service_accounts: [],
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"],
osbs_readwrite_groups: [ "system:authenticated"],
osbs_admin_users: [],
@ -335,7 +414,7 @@
environment: "{{ osbs_environment }}"
- name: Manage docker images and image stream
hosts: osbs-masters[0]
hosts: osbs-masters-stg[0]:osbs-masters[0]
tags:
- osbs-post-install
- manage-docker-images
@ -409,7 +488,7 @@
creates: /etc/origin/fedoraimagestreamcreated
- name: post-install master host osbs tasks
hosts: osbs-masters
hosts: osbs-masters-stg:osbs-masters
tags:
- osbs-post-install
vars_files:
@ -464,7 +543,7 @@
- name: post-install osbs tasks
hosts: osbs-masters:osbs-nodes
hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags:
- osbs-post-install
vars_files:
@ -496,6 +575,38 @@
shell: 'systemctl daemon-reload'
roles:
- {
role: osbs-client,
general: {
verbose: 0,
build_json_dir: '/etc/osbs/input/',
openshift_required_version: 1.1.0,
},
default: {
username: "{{ osbs_koji_stg_username }}",
password: "{{ osbs_koji_stg_password }}",
koji_use_kerberos: True,
koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab",
koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}",
openshift_url: 'https://{{osbs_url}}/',
registry_uri: 'https://{{docker_registry}}/v2',
source_registry_uri: 'https://{{source_registry}}/v2',
build_host: '{{osbs_url}}',
koji_root: 'https://{{koji_url}}/koji',
koji_hub: 'https://{{koji_url}}/kojihub',
sources_command: 'fedpkg sources',
build_type: 'prod',
authoritative_registry: 'registry.example.com',
vendor: 'Fedora Project',
verify_ssl: true,
use_auth: true,
builder_use_auth: true,
distribution_scope: 'private',
registry_api_versions: 'v2',
builder_openshift_url: 'https://{{osbs_url}}'
},
when: env == "staging"
}
- {
role: osbs-client,
general: {
@ -651,7 +762,7 @@
- name: Post-Install image stream refresh
hosts: osbs-masters[0]
hosts: osbs-masters[0]:osbs-masters-stg[0]
tags:
- osbs-post-install
vars_files:
@ -661,9 +772,16 @@
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: refresh fedora image streams
shell: "oc import-image fedora --all"
when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed
- name: refresh fedora image streams
shell: "oc import-image fedora --all"
when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"]|changed
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
# - name: enable nrpe for monitoring (noc01.stg)
# iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=1#0.5.126.2 state=present jump=ACCEPT
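Review bot: The new staging `osbs-client` block sets `authoritative_registry: 'registry.example.com'`, which reads as a leftover placeholder rather than the stage registry; the removed orchestrator group vars fed this value from `stable_registry`, so presumably `authoritative_registry: 'registry.stg.fedoraproject.org'` (or the `{{source_registry}}` variable the same block already uses for `source_registry_uri`) is what is meant, and the production block that follows is cut off here so I cannot confirm it carries the same value. In the staging `osbs-on-openshift` block, `osbs_readwrite_groups: [ "system:authenticated"]` gives every authenticated OpenShift account read/write on the `default` namespace; this mirrors the production block beneath it, but a comment such as `# every authenticated account may submit builds; koji user below gets explicit rw` would make clear the broad grant is deliberate rather than an oversight. The staging `set policy for koji builder` task runs `oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }}` with a space after the colon, which the shell will pass as two separate user arguments; if the intent is the qualified name, it should be `htpasswd_provider:{{ osbs_koji_stg_username }}`, and the production task directly below has the same shape. The `/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org` path is spelled out three times in the `Setup OSBS requirements` play while the stage group vars already define `docker_cert_dir`, so the new roles could reference that variable instead of repeating the literal. Most of the plays touched here start or end outside the visible hunks.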


@ -1,839 +0,0 @@
# create an osbs server
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-stg"
tags:
- make_boxes
- name: make the box be real
hosts: osbs-stg
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- base
- rkhunter
- nagios_client
- hosts
- fas_client
- collectd/base
- rsyncd
- sudo
tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
# Prepare the Control host to be able to run ansible-ansible-openshift-ansible
# against the Orchestration and Worker cluster machines
- name: OSBS control hosts pre-req setup
hosts: osbs-control-stg
tags:
- osbs-orchestrator-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: deploy private key to control hosts
copy:
src: "{{private}}/files/osbs/{{env}}/control_key"
dest: "/root/.ssh/id_rsa"
owner: root
mode: 0600
- name: set ansible to use pipelining
ini_file:
dest: /etc/ansible/ansible.cfg
section: ssh_connection
option: pipelining
value: "True"
- name: Install necessary packages that openshift-ansible control host needs
package: name="{{ item }}" state=installed
with_items:
- ansible
- git
- python-passlib
- java-1.8.0-openjdk-headless
- httpd-tools
# This section sets up the SSL Certs for "public facing" which is how Koji will
# interact with the OSBS Orchestration cluster. This is not needed on the worker
# clusters.
- name: Setup orchestrator cluster masters pre-reqs
hosts: osbs-masters-stg
tags:
- osbs-orchestrator-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: ensure origin conf dir exists
file:
path: "/etc/origin"
state: "directory"
- name: create cert dir for openshift public facing REST API SSL
file:
path: "/etc/origin/master/named_certificates"
state: "directory"
- name: install cert for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"
- name: install key for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
- name: place htpasswd file
copy:
src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
dest: "{{ oa_htpasswd_file }}"
# This installs required pre-reqs and deploys the Controler's public key to all
# machines in both the Orchestrator and Worker clusters in order to allow
# ansible-ansible-openshift-ansible to be run against them
- name: Setup cluster hosts pre-reqs
hosts: osbs-orchestrators-stg:osbs-workers-stg
tags:
- osbs-orchestrator-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- name: restart NetworkManager
service:
name: NetworkManager
state: restarted
roles:
- role: openshift-prerequisites
tasks:
- name: Install necessary packages that openshift-ansible needs
package: name="{{ item }}" state=installed
with_items:
- tar
- rsync
- python3-dbus
- NetworkManager
- libselinux-python3
- python3-PyYAML
- java-1.8.0-openjdk-headless
- name: Deploy controller public ssh keys to osbs cluster hosts
authorized_key:
user: root
key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}"
# This is required for OpenShift built-in SkyDNS inside the overlay network
# of the cluster
- name: ensure NM_CONTROLLED is set to "yes" for osbs cluster
lineinfile:
dest: "/etc/sysconfig/network-scripts/ifcfg-eth0"
line: "NM_CONTROLLED=yes"
notify:
- restart NetworkManager
# This is required for OpenShift built-in SkyDNS inside the overlay network
# of the cluster
- name: ensure NetworkManager is enabled and started
service:
name: NetworkManager
state: started
enabled: yes
- name: cron entry to clean up docker storage
copy:
src: "{{files}}/osbs/cleanup-docker-storage"
dest: "/etc/cron.d/cleanup-docker-storage"
- name: copy docker-storage-setup config
copy:
src: "{{files}}/osbs/docker-storage-setup"
dest: "/etc/sysconfig/docker-storage-setup"
when: env == "production"
- name: copy docker-storage-setup config
copy:
src: "{{files}}/osbs/docker-storage-setup.staging"
dest: "/etc/sysconfig/docker-storage-setup"
when: env == "staging"
# This keytab needs to be on any system that is going to talk to koji and
# unfortunately, that's all of them.
- name: Deploy kerberose keytab to cluster hosts
hosts: osbs-masters-stg:osbs-nodes-stg:osbsworker-masters-stg:osbsworker-nodes-stg
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: keytab/service
owner_user: root
owner_group: root
service: osbs
host: "osbs.stg.fedoraproject.org"
when: env == "staging"
- name: Deploy OpenShift Clusters
hosts: osbs-control-stg
tags:
- osbs-deploy-openshift
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: ansible-ansible-openshift-ansible
cluster_inventory_filename: "orchestrator-cluster-inventory-stg"
openshift_htpasswd_file: "{{ oa_htpasswd_file }}"
openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
openshift_release: "{{ origin_release }}"
openshift_ansible_path: "/root/openshift-ansible"
openshift_ansible_playbook: "playbooks/byo/config.yml"
openshift_ansible_version: "{{ oa_version }}"
openshift_ansible_ssh_user: "{{ oa_ssh_user }}"
openshift_ansible_install_examples: "{{ oa_install_examples }}"
openshift_ansible_containerized_deploy: "{{ oa_containerized_deploy }}"
openshift_cluster_masters_group: "osbs-masters-stg"
openshift_cluster_nodes_group: "osbs-nodes-stg"
openshift_cluster_infra_group: "osbs-masters-stg"
openshift_auth_profile: "{{ oa_auth_profile }}"
openshift_cluster_url: "{{ osbs_url }}"
openshift_master_ha: false
openshift_debug_level: "{{ oa_debug_level }}"
openshift_shared_infra: true
openshift_deployment_type: "origin"
openshift_metrics_deploy: true
openshift_ansible_python_interpreter: "/usr/bin/python3"
openshift_nodeselectors: "{{ osbs_orchestrator_nodeselector_labels }}"
when: env == 'staging'
tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
- role: ansible-ansible-openshift-ansible
cluster_inventory_filename: "x86-64-worker-cluster-inventory-stg"
openshift_htpasswd_file: "{{ oa_htpasswd_file }}"
openshift_master_public_api_url: "https://{{ osbsworker_x86_64_url }}:8443"
openshift_release: "{{ origin_release }}"
openshift_ansible_path: "/root/openshift-ansible"
openshift_ansible_playbook: "playbooks/byo/config.yml"
openshift_ansible_version: "{{ oa_version }}"
openshift_ansible_ssh_user: "{{ oa_ssh_user }}"
openshift_ansible_install_examples: "{{ oa_install_examples }}"
openshift_ansible_containerized_deploy: "{{ oa_containerized_deploy }}"
openshift_cluster_masters_group: "osbsworker-x86-64-masters-stg"
openshift_cluster_nodes_group: "osbsworker-x86-64-nodes-stg"
openshift_cluster_infra_group: "osbsworker-x86-64-masters-stg"
openshift_auth_profile: "{{ oa_auth_profile }}"
openshift_cluster_url: "{{ osbsworker_x86_64_url }}"
openshift_master_ha: false
openshift_debug_level: "{{ oa_debug_level }}"
openshift_shared_infra: true
openshift_deployment_type: "origin"
openshift_metrics_deploy: true
openshift_ansible_python_interpreter: "/usr/bin/python3"
openshift_nodeselectors: "{{ osbs_worker_nodeselector_labels }}"
when: env == 'staging'
tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
- name: Setup OSBS requirements for OpenShift cluster hosts
hosts: osbs-orchestrators-stg:osbs-workers-stg
tags:
- osbs-cluster-req
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-common
osbs_manage_firewalld: false
- role: osbs-atomic-reactor
- role: push-docker
docker_cert_name: "containerbuild"
docker_cert_dir: "/etc/docker/certs.d/{{ candidate_registry }}"
when: env == "staging"
# The images that come out of the builds need to be pushed somwhere
- role: "manage-container-images"
cert_dest_dir: "/etc/docker/certs.d/{{ candidate_registry }}"
cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem"
key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key"
when: env == "staging"
handlers:
- name: restart dnsmasq
service:
name: dnsmasq
state: restarted
tasks:
- name: ensure dnsmasq is installed
package:
name: dnsmasq
state: latest
- name: install fedora dnsmasq specific config
copy:
src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
dest: "/etc/dnsmasq.d/fedora-dns.conf"
notify:
- restart dnsmasq
- name: setup orchestrator namespace
hosts: osbs-masters-stg[0]
tags:
- osbs-cluster-req
- orchestrator-namespace
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_secret_name: kojisecret
osbs_secret_service_account: "{{ osbs_builder_user }}"
osbs_secret_remote_dir: /var/lib/origin
osbs_secret_can_fail: false
roles:
- role: osbs-namespace
osbs_namespace: "{{ osbs_orchestrator_namespace }}"
osbs_openshift_home: "{{ openshift_home}}"
osbs_kubeconfig_path: "{{ kubeconfig_path }}"
osbs_generated_config_path: "{{ generated_config_path }}"
osbs_environmnet: "{{ osbs_env }}"
osbs_is_admin: "{{ osbs_admin }}"
osbs_service_accounts: "{{ osbs_orchestrator_service_accounts }}"
osbs_cpu_limitrange: "{{ os_cpu_limitrange }}"
osbs_admin_groups: "{{ os_admin_groups }}"
osbs_admin_users: "{{ os_admin_users }}"
osbs_readonly_groups: "{{ osbs_orchestrator_readonly_groups }}"
osbs_readonly_users: "{{ osbs_orchestrator_readonly_groups }}"
osbs_readwrite_groups: "{{ osbs_orchestrator_readwrite_groups }}"
osbs_readwrite_users: "{{ osbs_orchestrator_readwrite_users }}"
osbs_orchestrator: true
osbs_worker_clusters: "{{ worker_clusters }}"
osbs_koji_secret_name: "{{ koji_secret_name }}"
osbs_distribution_scope: "{{ distribution_scope }}"
osbs_authoritative_registry: "{{ authoritative_registry }}"
osbs_koji_hub: "{{ koji_hub }}"
osbs_koji_root: "{{ koji_root }}"
osbs_registry_api_versions: "{{ registry_api_versions }}"
osbs_registry_uri: "{{ candidate_registry }}"
osbs_source_registry_uri: "{{ stable_registry }}"
osbs_build_json_dir: "{{ build_json_dir }}"
osbs_sources_command: "fedpkg sources"
osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
- name: setup worker namespace
hosts: osbsworker-x86-64-masters-stg[0]
tags:
- osbs-cluster-req
- worker-namespace
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
osbs_secret_name: kojisecret
osbs_secret_service_account: "{{ osbs_builder_user }}"
osbs_secret_remote_dir: /var/lib/origin
osbs_secret_can_fail: false
roles:
- role: osbs-namespace
osbs_namespace: "{{ osbs_worker_namespace }}"
osbs_openshift_home: "{{ openshift_home}}"
osbs_kubeconfig_path: "{{ kubeconfig_path }}"
osbs_generated_config_path: "{{ generated_config_path }}"
osbs_environmnet: "{{ osbs_env }}"
osbs_is_admin: "{{ osbs_admin }}"
osbs_service_accounts: "{{ osbs_worker_service_accounts }}"
osbs_admin_groups: "{{ os_admin_groups }}"
osbs_admin_users: "{{ os_admin_users }}"
osbs_readonly_groups: "{{ osbs_worker_readonly_groups }}"
osbs_readonly_users: "{{ osbs_worker_readonly_groups }}"
osbs_readwrite_groups: "{{ osbs_worker_readwrite_groups }}"
osbs_readwrite_users: "{{ osbs_worker_readwrite_users }}"
osbs_orchestrator: false
osbs_worker_clusters: "{{ worker_clusters }}"
osbs_koji_secret_name: "{{ koji_secret_name }}"
osbs_distribution_scope: "{{ distribution_scope }}"
osbs_authoritative_registry: "{{ authoritative_registry }}"
osbs_koji_hub: "{{ koji_hub }}"
osbs_koji_root: "{{ koji_root }}"
osbs_registry_api_versions: "{{ registry_api_versions }}"
osbs_registry_uri: "{{ candidate_registry }}"
osbs_source_registry_uri: "{{ stable_registry }}"
osbs_build_json_dir: "{{ build_json_dir }}"
osbs_sources_command: "fedpkg sources"
osbs_cpu_limitrange: "{{ os_cpu_limitrange }}"
osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
- name: Setup Koji auth for OSBS Orchestrator Cluster
hosts: osbs-masters-stg[0]
tags:
- osbs-master-req
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: set policy for koji builder in openshift for osbs
shell: "oadm policy add-role-to-user -n {{ osbs_orchestrator_namespace }} edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "staging"
- name: set policy for koji builder in openshift for atomic-reactor
shell: "oadm policy add-role-to-user -n {{ osbs_orchestrator_namespace }} edit system:serviceaccount:{{osbs_orchestrator_namespace}}:{{osbs_builder_user}} && touch /etc/origin/atomic-reactor-policy-added"
args:
creates: "/etc/origin/atomic-reactor-policy-added"
- name: Setup Koji auth for OSBS Worker Cluster
hosts: osbsworker-x86-64-masters-stg[0]
tags:
- osbs-master-req
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: set policy for koji builder in openshift for osbs
shell: "oadm policy add-role-to-user -n {{ osbs_worker_namespace }} edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "staging"
- name: set policy for koji builder in openshift for atomic-reactor
shell: "oadm policy add-role-to-user -n {{ osbs_worker_namespace }} edit system:serviceaccount:{{osbs_orchestrator_namespace}}:{{osbs_builder_user}} && touch /etc/origin/atomic-reactor-policy-added"
args:
creates: "/etc/origin/atomic-reactor-policy-added"
- name: post-install orchestrator master host osbs tasks
hosts: osbs-masters-stg[0]
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
handlers:
- name: oc secrets new
shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{ osbs_orchestrator_namespace }}"
environment: "{{ osbs_environment }}"
notify: oc secrets add
- name: oc secrets add
shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_orchestrator_namespace}}"
environment: "{{ osbs_environment }}"
tasks:
- name: Ensure koji dockerbuilder cert path exists
file:
path: "{{ koji_pki_dir }}"
state: "directory"
mode: 0400
- name: Add koji dockerbuilder cert for Content Generator import
copy:
src: "{{private}}/files/koji/containerbuild.pem"
dest: "{{ koji_cert_path }}"
notify: oc secrets new
- name: Add koji dockerbuilder ca cert for Content Generator import
copy:
src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
dest: "{{ koji_ca_cert_path }}"
notify: oc secrets new
- name: cron entry to clean up old builds
copy:
src: "{{files}}/osbs/cleanup-old-osbs-builds"
dest: "/etc/cron.d/cleanup-old-osbs-builds"
- name: post-install worker master host osbs tasks
hosts: osbsworker-x86-64-masters-stg[0]
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
handlers:
- name: oc secrets new
shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{osbs_worker_namespace}}"
environment: "{{ osbs_environment }}"
notify: oc secrets add
- name: oc secrets add
shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_worker_namespace}}"
environment: "{{ osbs_environment }}"
tasks:
- name: Ensure koji dockerbuilder cert path exists
file:
path: "{{ koji_pki_dir }}"
state: "directory"
mode: 0400
- name: Add koji dockerbuilder cert for Content Generator import
copy:
src: "{{private}}/files/koji/containerbuild.pem"
dest: "{{ koji_cert_path }}"
notify: oc secrets new
- name: Add koji dockerbuilder ca cert for Content Generator import
copy:
src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
dest: "{{ koji_ca_cert_path }}"
notify: oc secrets new
- name: cron entry to clean up old builds
copy:
src: "{{files}}/osbs/cleanup-old-osbs-builds"
dest: "/etc/cron.d/cleanup-old-osbs-builds"
- name: Manage docker images and image stream
hosts: osbs-masters-stg[0]:osbsworker-x86-64-masters-stg[0]
tags:
- osbs-post-install
- manage-docker-images
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
tasks:
# NOTE: Need to delegate to compose-x86-01.phx2.fedoraproject.org for prod
# because the push keys are split for each env
- name: skopeo sync openshift required docker images
shell: "skopeo copy docker://docker.io/{{item}}:{{origin_release}} docker://{{candidate_registry}}/{{item}}:{{origin_release}}"
with_items: "{{openshift_required_images}}"
delegate_to: composer.stg.phx2.fedoraproject.org
register: docker_pull_openshift_delegated
changed_when: "'Skipping fetch of repeat blob' not in docker_pull_openshift_delegated.stdout"
when: env == "staging"
- name: create fedora image stream for OpenShift
shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{candidate_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
environment: "{{ osbs_environment }}"
args:
creates: /etc/origin/fedoraimagestreamcreated
- name: post-install osbs tasks
hosts: osbs-orchestrators-stg:osbs-workers-stg
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
handlers:
- name: buildroot container
shell: 'docker rmi buildroot; docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/'
- name: restart docker
service:
name: docker
state: restarted
- name: systemctl daemon-reload
shell: 'systemctl daemon-reload'
roles:
- {
role: osbs-client,
general: {
verbose: 0,
build_json_dir: '/etc/osbs/input/',
openshift_required_version: 1.1.0,
},
default: {
username: "{{ osbs_koji_stg_username }}",
password: "{{ osbs_koji_stg_password }}",
koji_use_kerberos: True,
koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab",
koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}",
openshift_url: 'https://{{osbs_url}}/',
registry_uri: 'https://{{candidate_registry}}/v2',
source_registry_uri: 'https://{{stable_registry}}/v2',
build_host: '{{osbs_url}}',
koji_root: '{{koji_root}}',
koji_hub: '{{koji_hub}}',
sources_command: 'fedpkg sources',
build_type: 'prod',
authoritative_registry: '{{stable_registry}}',
vendor: 'Fedora Project',
verify_ssl: true,
use_auth: true,
builder_use_auth: true,
distribution_scope: 'private',
registry_api_versions: 'v2',
builder_openshift_url: 'https://{{osbs_url}}',
namespace: 'osbs',
can_orchestrate: true
},
when: env == "staging"
}
tasks:
- name: copy docker iptables script
copy:
src: "{{files}}/osbs/fix-docker-iptables.{{ env }}"
dest: /usr/local/bin/fix-docker-iptables
mode: 0755
notify:
- restart docker
- name: copy docker service config
copy:
src: "{{files}}/osbs/docker.custom.service"
dest: /etc/systemd/system/docker.service.d/custom.conf
notify:
- systemctl daemon-reload
- restart docker
- name: ensure docker is running
service:
name: docker
state: started
enabled: yes
- name: set nrpe read access for osbs.conf for nagios monitoring
acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present
- name: Create buildroot container conf directory
file:
path: "/etc/osbs/buildroot/"
state: directory
- name: Upload Dockerfile for buildroot container
template:
src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2"
dest: "/etc/osbs/buildroot/Dockerfile"
mode: 0400
notify:
- buildroot container
- name: Upload internal CA for buildroot
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
dest: "/etc/osbs/buildroot/ca.crt"
mode: 0400
notify:
- buildroot container
- name: stat infra repofile
stat:
path: "/etc/yum.repos.d/infra-tags.repo"
register: infra_repo_stat
- name: stat /etc/osbs/buildroot/ infra repofile
stat:
path: "/etc/osbs/buildroot/infra-tags.repo"
register: etcosbs_infra_repo_stat
- name: remove old /etc/osbs/buildroot/ infra repofile
file:
path: "/etc/osbs/buildroot/infra-tags.repo"
state: absent
when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum
- name: Copy repofile for buildroot container (because Docker)
copy:
src: "/etc/yum.repos.d/infra-tags.repo"
dest: "/etc/osbs/buildroot/infra-tags.repo"
remote_src: true
notify:
- buildroot container
when: etcosbs_infra_repo_stat.stat.exists == false
- name: stat /etc/ keytab
stat:
path: "/etc/krb5.osbs_{{osbs_url}}.keytab"
register: etc_kt_stat
- name: stat /etc/osbs/buildroot/ keytab
stat:
path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
register: etcosbs_kt_stat
- name: remove old hardlink to /etc/osbs/buildroot/ keytab
file:
path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
state: absent
when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum != etcosbs_kt_stat.stat.checksum
- name: Hardlink keytab for buildroot container (because Docker)
file:
src: "/etc/krb5.osbs_{{osbs_url}}.keytab"
dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
state: hard
notify:
- buildroot container
when: etcosbs_kt_stat.stat.exists == false
- name: pull openshift required docker images
shell: "docker pull {{candidate_registry}}/{{item}}:{{origin_release}}"
with_items: "{{openshift_required_images}}"
register: docker_pull_openshift
changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"
- name: pull fedora required docker images
shell: "docker pull {{stable_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
register: docker_pull_fedora
changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
- name: tag openshift required docker images locally
shell: "docker tag {{candidate_registry}}/{{item}}:{{origin_release}} {{item}}:{{origin_release}}"
with_items: "{{openshift_required_images}}"
when: docker_pull_openshift|changed
- set_fact:
docker_pull_openshift: "{{ docker_pull_openshift }}"
- name: Post-Install image stream refresh
hosts: osbs-masters-stg[0]
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: refresh fedora image streams
shell: "oc import-image fedora --all"
when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
- name: enable nrpe for monitoring (noc01.stg)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.128.38 state=present jump=ACCEPT