diff --git a/inventory/group_vars/osbs-orchestrators-stg b/inventory/group_vars/osbs-orchestrators-stg deleted file mode 100644 index ed97d539c0..0000000000 --- a/inventory/group_vars/osbs-orchestrators-stg +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg index e5650eed9a..0da2a9434f 100644 --- a/inventory/group_vars/osbs-stg +++ b/inventory/group_vars/osbs-stg 
@@ -1,145 +1,34 @@ --- +# Define resources for this group of hosts here. +lvm_size: 60000 +mem_size: 8192 +num_cpus: 2 -baseiptables: False +tcp_ports: [ 80, 443, 8443] fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran sudoers: "{{ private }}/files/sudo/00releng-sudoers" docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org" -stable_registry: "registry.stg.fedoraproject.org" -candidate_registry: "candidate-registry.stg.fedoraproject.org" +source_registry: "registry.stg.fedoraproject.org" +docker_registry: "candidate-registry.stg.fedoraproject.org" osbs_url: "osbs.stg.fedoraproject.org" -osbsworker_x86_64_url: "osbsworker-x86-64.stg.fedoraproject.org" +osbs_koji_username: "kojibuilder_stg" koji_url: "koji.stg.fedoraproject.org" -osbs_builder_user: builder -koji_builder_user: dockerbuilder - osbs_client_conf_path: /etc/osbs.conf - -# openshift-ansible variables - -# Need to use this special branch on my fork for stage until these are merged -# upstream and backported to the release-3.6 branch -# -# https://github.com/openshift/openshift-ansible/pull/5101 -# https://github.com/openshift/openshift-ansible/pull/5129 -oa_version: 3.6-add-dnf-support - -oa_ssh_user: root -oa_install_examples: false -oa_containerized_deploy: false -oa_auth_profile: osbs -oa_debug_level: 2 -oa_htpasswd_file: /etc/origin/htpasswd -origin_release: v3.6.0 - -osbs_koji_username: "kojibuilder_stg" - -openshift_home: /var/lib/origin -generated_config_path: /tmp - -osbs_admin: true - -osbs_orchestrator_service_accounts: -- worker -- orchestrator -- metrics - -os_cpu_limitrange: '200m' - -# FIXME - -osbs_orchestrator: false - -osbs_worker_namespace: "worker" -osbs_orchestrator_namespace: "osbs" - -osbs_worker_service_accounts: -- worker -- orchestrator - -worker_clusters: - x86_64: - - name: osbsworker-x86-64 - max_concurrent_builds: 12 - openshift_url: "https://{{ osbsworker_x86_64_url }}" - verify_ssl: 'false' - artifacts_allowed_domains: - - 
"{{stable_registry}}" - - "{{candidate_registry}}" - -koji_hub: "https://{{koji_url}}/kojihub" -koji_root: "https://{{koji_url}}/koji" - -osbs_pulp_registry_name: brew-prod - -osbs_registry_uri: "https://{{candidate_registry}}/v2" - -osbs_source_registry_uri: http://brew-pulp-docker01.web.prod.ext.phx2.redhat.com:8888 - -koji_secret_name: kojisecret -distribution_scope: public -authoritative_registry: "{{ stable_registry }}" -registry_api_versions: -- v2 -registry_secret_name: v2-registry-dockercfg -build_json_dir: /usr/share/osbs -sources_command: fedpkg sources -vendor: Fedora Project - -osbs_manage_firewalld: false - -kubeconfig_path: /etc/origin/master/admin.kubeconfig -osbs_env: - HOME: "{{ lookup('env', 'HOME') }}" - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - -osbs_orchestrator_readonly_users: -- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:metrics" -osbs_orchestrator_readonly_groups: -- "system:authenticated" -osbs_orchestrator_readwrite_groups: [] -osbs_orchestrator_readwrite_users: -- "{{ ansible_hostname }}" -- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:default" -- "system:serviceaccount:{{ osbs_orchestrator_namespace }}:builder" - -osbs_worker_readonly_users: -- "system:serviceaccount:{{ osbs_worker_namespace }}:metrics" -osbs_worker_readonly_groups: -- "system:authenticated" -osbs_worker_readwrite_groups: [] -osbs_worker_readwrite_users: -- "{{ ansible_hostname }}" -- "system:serviceaccount:{{ osbs_worker_namespace }}:default" -- "system:serviceaccount:{{ osbs_worker_namespace }}:builder" - -os_admin_users: -- kevin -- puiterwijk -- maxamillion -- dgilmore -- kojibuilder_stg - -os_admin_groups: [] -osbs_nodes: "{{ groups['osbs-orchestrator-' + env + '-nodes'] }}" - -#nodeselectors -osbs_orchestrator_default_nodeselector: "orchestrator=true" -osbs_orchestrator_nodeselector_labels: "'orchestrator': 'true'" -osbs_worker_default_nodeselector: "worker=true" -osbs_worker_nodeselector_labels: "'worker': 'true'" - -# fedora container 
images required by buildroot -fedora_required_images: - - "fedora:latest" +baseiptables: False # docker images required by OpenShift Origin openshift_required_images: - "openshift/origin-pod" +# fedora container images required by buildroot +fedora_required_images: + - "fedora:latest" + nm_controlled_resolv: True + diff --git a/inventory/group_vars/osbsworker-masters-stg b/inventory/group_vars/osbsworker-masters-stg deleted file mode 100644 index e43099e455..0000000000 --- a/inventory/group_vars/osbsworker-masters-stg +++ /dev/null @@ -1,32 +0,0 @@ ---- -# Define resources for this group of hosts here. -lvm_size: 60000 -mem_size: 8192 -num_cpus: 2 - -tcp_ports: [ 80, 443, 8443] - -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran -sudoers: "{{ private }}/files/sudo/00releng-sudoers" - -docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org" -source_registry: "registry.stg.fedoraproject.org" -docker_registry: "candidate-registry.stg.fedoraproject.org" - -osbs_url: "osbs.stg.fedoraproject.org" -osbs_koji_username: "kojibuilder_stg" - -koji_url: "koji.stg.fedoraproject.org" - -osbs_client_conf_path: /etc/osbs.conf - -openshift_node_labels: {'region':'infra'} -openshift_schedulable: False - -nagios_Check_Services: - nrpe: true - sshd: true - named: false - dhcpd: false - httpd: false - swap: false diff --git a/inventory/group_vars/osbsworker-nodes-stg b/inventory/group_vars/osbsworker-nodes-stg deleted file mode 100644 index 18c7761c26..0000000000 --- a/inventory/group_vars/osbsworker-nodes-stg +++ /dev/null 
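Review bot: `docker_cert_dir` on the new side of the `osbs-stg` group vars repeats the hostname that the newly added `docker_registry` key already holds, so the two can drift apart on the next rename; `docker_cert_dir: "/etc/docker/certs.d/{{ docker_registry }}"` keeps a single source of truth. The re-added `baseiptables: False` and the new `nm_controlled_resolv: True` use Python-style capitalised spellings where `false`/`true` is the canonical YAML form that yamllint's truthy rule expects. Since the inventory hunk in this commit makes `osbs-stg` the parent of `osbs-masters-stg` and `osbs-nodes-stg`, note that `tcp_ports: [ 80, 443, 8443]` no longer lists 10250 as the deleted `osbsworker-nodes-stg` vars did; unless the node group sets its own `tcp_ports` (or `baseiptables: False` already takes the base firewall out of play), the kubelet port would be missing from the generated rules, so this is worth confirming.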
@@ -1,31 +0,0 @@ ---- -# Define resources for this group of hosts here. -lvm_size: 60000 -mem_size: 8192 -num_cpus: 2 - -tcp_ports: [ 80, 443, 8443, 10250] - -fas_client_groups: sysadmin-releng,fi-apprentice,sysadmin-noc,sysadmin-veteran -sudoers: "{{ private }}/files/sudo/00releng-sudoers" - -docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org" -source_registry: "registry.stg.fedoraproject.org" -docker_registry: "candidate-registry.stg.fedoraproject.org" - -osbs_url: "osbs.stg.fedoraproject.org" -osbs_koji_username: "kojibuilder_stg" - -koji_url: "koji.stg.fedoraproject.org" - -osbs_client_conf_path: /etc/osbs.conf - -openshift_node_labels: {'region': 'primary', 'zone': 'default'} - -nagios_Check_Services: - nrpe: true - sshd: true - named: false - dhcpd: false - httpd: false - swap: false diff --git a/inventory/group_vars/osbsworker-x86-64-masters-stg b/inventory/group_vars/osbsworker-x86-64-masters-stg deleted file mode 100644 index 629928e5ba..0000000000 --- a/inventory/group_vars/osbsworker-x86-64-masters-stg +++ /dev/null @@ -1,10 +0,0 @@ ---- -# Define resources for this group of hosts here. -lvm_size: 60000 -mem_size: 8192 -num_cpus: 2 - -tcp_ports: [ 80, 443, 8443] - -openshift_node_labels: {'region':'infra'} -openshift_schedulable: False diff --git a/inventory/group_vars/osbsworker-x86-64-nodes-stg b/inventory/group_vars/osbsworker-x86-64-nodes-stg deleted file mode 100644 index 54de320771..0000000000 --- a/inventory/group_vars/osbsworker-x86-64-nodes-stg +++ /dev/null @@ -1,9 +0,0 @@ ---- -# Define resources for this group of hosts here. -lvm_size: 60000 -mem_size: 8192 -num_cpus: 2 - -tcp_ports: [ 80, 443, 8443, 10250] - -openshift_node_labels: {'region': 'primary', 'zone': 'default'} diff --git a/inventory/host_vars/osbsworker-x86-64-master01.stg.phx2.fedoraproject.org b/inventory/host_vars/osbsworker-x86-64-master01.stg.phx2.fedoraproject.org deleted file mode 100644 index ddfbba4a22..0000000000 
--- a/inventory/host_vars/osbsworker-x86-64-master01.stg.phx2.fedoraproject.org +++ /dev/null @@ -1,19 +0,0 @@ ---- -nm: 255.255.255.0 -gw: 10.5.128.254 -dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ -volgroup: /dev/vg_guests -eth0_ip: 10.5.128.110 -vmhost: virthost05.phx2.fedoraproject.org -datacenter: phx2 -host_group: osbs-stg - -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 - -lvm_size: 120g -mem_size: 16384 -max_mem_size: 16384 -num_cpus: 4 diff --git a/inventory/host_vars/osbsworker-x86-64-node01.stg.phx2.fedoraproject.org b/inventory/host_vars/osbsworker-x86-64-node01.stg.phx2.fedoraproject.org deleted file mode 100644 index 56de138bae..0000000000 --- a/inventory/host_vars/osbsworker-x86-64-node01.stg.phx2.fedoraproject.org +++ /dev/null @@ -1,19 +0,0 @@ ---- -nm: 255.255.255.0 -gw: 10.5.128.254 -dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ -volgroup: /dev/vg_guests -eth0_ip: 10.5.128.111 -vmhost: virthost05.phx2.fedoraproject.org -datacenter: phx2 -host_group: osbs-nodes-stg - -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 - -lvm_size: 120g -mem_size: 16384 -max_mem_size: 16384 -num_cpus: 4 diff --git a/inventory/host_vars/osbsworker-x86-64-node02.stg.phx2.fedoraproject.org b/inventory/host_vars/osbsworker-x86-64-node02.stg.phx2.fedoraproject.org deleted file mode 100644 index b6f3831bbc..0000000000 --- a/inventory/host_vars/osbsworker-x86-64-node02.stg.phx2.fedoraproject.org +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -nm: 255.255.255.0 -gw: 10.5.128.254 -dns: 10.5.126.21 -ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26 -ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/ -volgroup: /dev/vg_guests -eth0_ip: 10.5.128.112 -vmhost: virthost05.phx2.fedoraproject.org -datacenter: phx2 -host_group: osbs-nodes-stg - -nrpe_procs_warn: 900 -nrpe_procs_crit: 1000 - -lvm_size: 120g -mem_size: 16384 -max_mem_size: 16384 -num_cpus: 4 diff --git a/inventory/inventory b/inventory/inventory index 58ca1d5206..736f07c32c 100644 --- a/inventory/inventory +++ b/inventory/inventory @@ -828,9 +828,6 @@ osbs-control01.stg.phx2.fedoraproject.org osbs-master01.stg.phx2.fedoraproject.org osbs-node01.stg.phx2.fedoraproject.org osbs-node02.stg.phx2.fedoraproject.org -osbsworker-x86-64-master01.stg.phx2.fedoraproject.org -osbsworker-x86-64-node01.stg.phx2.fedoraproject.org -osbsworker-x86-64-node02.stg.phx2.fedoraproject.org docker-registry01.stg.phx2.fedoraproject.org docker-registry02.stg.phx2.fedoraproject.org docker-candidate-registry01.stg.phx2.fedoraproject.org @@ -1396,31 +1393,10 @@ osbs-master01.stg.phx2.fedoraproject.org osbs-node01.stg.phx2.fedoraproject.org osbs-node02.stg.phx2.fedoraproject.org -[osbsworker-x86-64-masters-stg] -osbsworker-x86-64-master01.stg.phx2.fedoraproject.org - -[osbsworker-x86-64-nodes-stg] -osbsworker-x86-64-node01.stg.phx2.fedoraproject.org -osbsworker-x86-64-node02.stg.phx2.fedoraproject.org - -[osbsworker-masters-stg:children] -osbsworker-x86-64-masters-stg - -[osbsworker-nodes-stg:children] -osbsworker-x86-64-nodes-stg - -[osbs-orchestrators-stg:children] -osbs-nodes-stg -osbs-masters-stg - -[osbs-workers-stg:children] -osbsworker-x86-64-nodes-stg -osbsworker-x86-64-masters-stg - [osbs-stg:children] osbs-control-stg -osbs-orchestrators-stg -osbs-workers-stg +osbs-masters-stg +osbs-nodes-stg [os-control-stg] os-control01.stg.phx2.fedoraproject.org 
diff --git a/playbooks/groups/osbs-cluster.yml b/playbooks/groups/osbs-cluster.yml index 4b0507b915..dbdd297fe0 100644 --- a/playbooks/groups/osbs-cluster.yml +++ b/playbooks/groups/osbs-cluster.yml @@ -1,9 +1,11 @@ # create an osbs server - import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control-stg" - import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes:osbs-masters" +- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes-stg:osbs-masters-stg" - name: make the box be real - hosts: osbs-control:osbs-masters:osbs-nodes + hosts: osbs-control:osbs-masters:osbs-nodes:osbs-control-stg:osbs-masters-stg:osbs-nodes-stg user: root gather_facts: True @@ -31,7 +33,7 @@ - import_tasks: "{{ handlers_path }}/restart_services.yml" - name: OSBS control hosts pre-req setup - hosts: osbs-control + hosts: osbs-control:osbs-control-stg tags: - osbs-cluster-prereq user: root @@ -58,7 +60,7 @@ value: "True" - name: Setup cluster masters pre-reqs - hosts: osbs-masters + hosts: osbs-masters-stg:osbs-masters tags: - osbs-cluster-prereq user: root @@ -97,7 +99,7 @@ - name: Setup cluster hosts pre-reqs - hosts: osbs-masters:osbs-nodes + hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-cluster-prereq user: root @@ -159,7 +161,7 @@ dest: "/etc/sysconfig/docker-storage-setup" - name: Deploy kerberose keytab to cluster hosts - hosts: osbs-masters:osbs-nodes + hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-cluster-prereq user: root 
@@ -177,49 +179,80 @@ service: osbs host: "osbs.fedoraproject.org" when: env == "production" + - role: keytab/service + owner_user: root + owner_group: root + service: osbs + host: "osbs.stg.fedoraproject.org" + when: env == "staging" + +- name: Deploy OpenShift Cluster + hosts: osbs-control:osbs-control-stg + tags: + - osbs-deploy-openshift + user: root + gather_facts: True + + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - "/srv/private/ansible/vars.yml" + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - { + role: ansible-ansible-openshift-ansible, + cluster_inventory_filename: "cluster-inventory-stg", + openshift_htpasswd_file: "/etc/origin/htpasswd", + openshift_master_public_api_url: "https://{{ osbs_url }}:8443", + openshift_release: "v3.6.0", + openshift_ansible_path: "/root/openshift-ansible", + openshift_ansible_playbook: "playbooks/byo/config.yml", + openshift_ansible_version: "release-3.6-fedora-compat", + openshift_ansible_ssh_user: root, + openshift_ansible_install_examples: false, + openshift_ansible_containerized_deploy: false, + openshift_cluster_masters_group: "osbs-masters-stg", + openshift_cluster_nodes_group: "osbs-nodes-stg", + openshift_cluster_infra_group: "osbs-masters-stg", + openshift_auth_profile: "osbs", + openshift_cluster_url: "{{osbs_url}}", + openshift_master_ha: false, + openshift_debug_level: 2, + openshift_shared_infra: true, + openshift_deployment_type: "origin", + openshift_ansible_python_interpreter: "/usr/bin/python3", + when: env == 'staging', + tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] + } + - { + role: ansible-ansible-openshift-ansible, + cluster_inventory_filename: "cluster-inventory", + openshift_htpasswd_file: "/etc/origin/htpasswd", + openshift_master_public_api_url: "https://{{ osbs_url }}:8443", + openshift_release: "v3.6.0", + openshift_ansible_path: "/root/openshift-ansible", + openshift_ansible_playbook: "playbooks/byo/config.yml", + 
openshift_ansible_version: "release-3.6-fedora-compat", + openshift_ansible_ssh_user: root, + openshift_ansible_install_examples: false, + openshift_ansible_containerized_deploy: false, + openshift_cluster_masters_group: "osbs-masters", + openshift_cluster_nodes_group: "osbs-nodes", + openshift_cluster_infra_group: "osbs-masters", + openshift_auth_profile: "osbs", + openshift_cluster_url: "{{osbs_url}}", + openshift_master_ha: false, + openshift_debug_level: 2, + openshift_shared_infra: true, + openshift_deployment_type: "origin", + openshift_ansible_python_interpreter: "/usr/bin/python3", + when: env == 'production', + tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] + } -#- name: Deploy OpenShift Cluster -# hosts: osbs-control -# tags: -# - osbs-deploy-openshift -# user: root -# gather_facts: True -# -# vars_files: -# - /srv/web/infra/ansible/vars/global.yml -# - "/srv/private/ansible/vars.yml" -# - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml -# -# roles: -# - { -# role: ansible-ansible-openshift-ansible, -# cluster_inventory_filename: "cluster-inventory", -# openshift_htpasswd_file: "/etc/origin/htpasswd", -# openshift_master_public_api_url: "https://{{ osbs_url }}:8443", -# openshift_release: "v3.6.0", -# openshift_ansible_path: "/root/openshift-ansible", -# openshift_ansible_playbook: "playbooks/byo/config.yml", -# openshift_ansible_version: "release-3.6-fedora-compat", -# openshift_ansible_ssh_user: root, -# openshift_ansible_install_examples: false, -# openshift_ansible_containerized_deploy: false, -# openshift_cluster_masters_group: "osbs-masters", -# openshift_cluster_nodes_group: "osbs-nodes", -# openshift_cluster_infra_group: "osbs-masters", -# openshift_auth_profile: "osbs", -# openshift_cluster_url: "{{osbs_url}}", -# openshift_master_ha: false, -# openshift_debug_level: 2, -# openshift_shared_infra: true, -# openshift_deployment_type: "origin", -# openshift_ansible_python_interpreter: "/usr/bin/python3", -# when: env == 
'production', -# tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] -# } -# - name: Setup OSBS requirements for OpenShift cluster hosts - hosts: osbs-masters:osbs-nodes + hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-cluster-req user: root @@ -236,6 +269,26 @@ osbs_manage_firewalld: false, } - osbs-atomic-reactor + - { + role: push-docker, + docker_cert_name: "containerbuild", + docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org", + when: env == "staging" + } + - { + role: "manage-container-images", + cert_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org", + cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem", + key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key", + when: env == "staging" + } + - { + role: "manage-container-images", + cert_dest_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org", + cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem", + key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key", + when: env == "staging" + } - { role: push-docker, docker_cert_name: "containerbuild", @@ -258,7 +311,7 @@ dest: "/etc/dnsmasq.d/fedora-dns.conf" - name: Setup requirements for OpenShift master - hosts: osbs-masters + hosts: osbs-masters-stg:osbs-masters tags: - osbs-master-req user: root 
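Review bot: The two `ansible-ansible-openshift-ansible` entries in the new `Deploy OpenShift Cluster` play are byte-identical apart from `cluster_inventory_filename` and the three `openshift_cluster_*_group` values, selected by `when: env == 'staging'` / `when: env == 'production'`; since `osbs-control-stg` is a child of `osbs-stg` in the inventory hunk, those four values could live in the `osbs-stg` (and production) group vars and the play could carry one role entry, which removes a ~25-line block that has to be kept in sync by hand. The added `keytab/service` entry hard-codes `host: "osbs.stg.fedoraproject.org"` although the `osbs-stg` group vars define `osbs_url` with that exact value; `host: "{{ osbs_url }}"` avoids the two diverging. The enclosing play's earlier role entries start above this hunk.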
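Review bot: The three staging role entries added after `osbs-atomic-reactor` hard-code `candidate-registry.stg.fedoraproject.org` and `registry.stg.fedoraproject.org`, although this same commit defines `docker_registry` and `source_registry` with exactly those values in `inventory/group_vars/osbs-stg`, which applies to these hosts; `cert_dest_dir: "/etc/docker/certs.d/{{ docker_registry }}"` and `cert_dest_dir: "/etc/docker/certs.d/{{ source_registry }}"` would keep the trust directories tied to the names the osbs-client config later uses, and the deleted orchestrator playbook already used `{{ candidate_registry }}` here. Both `manage-container-images` entries also install the same `docker-registry-internal.pem`/`.key` pair under two different registry directories; confirm that one certificate is valid for both registry names, otherwise pulls from one of them will fail TLS verification on the nodes. The `roles:` list this hunk extends begins above the hunk.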
@@ -270,6 +323,12 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: + - name: set policy for koji builder in openshift for osbs + shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added" + args: + creates: "/etc/origin/koji-builder-policy-added" + when: env == "staging" + - name: set policy for koji builder in openshift for osbs shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added" args: @@ -282,7 +341,7 @@ creates: "/etc/origin/atomic-reactor-policy-added" - name: Deploy OSBS on top of OpenShift - hosts: osbs-masters[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] tags: - osbs-deploy-on-openshift user: root @@ -311,6 +370,26 @@ osbs_service_accounts: [], osbs_readonly_users: [], osbs_readonly_groups: [], + osbs_readwrite_users: ["{{ osbs_koji_stg_username }}"], + osbs_readwrite_groups: [ "system:authenticated"], + osbs_admin_users: [], + osbs_admin_groups: [], + osbs_docker_registry: false, + osbs_docker_registry_storage: "/opt/openshift-registry", + when: env == "staging" + } + - { + role: osbs-on-openshift, + osbs_openshift_home: "/var/lib/origin", + osbs_namespace: "default", + osbs_namespace_create: "false", + osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig", + osbs_environment: [ + KUBECONFIG: "{{ osbs_kubeconfig_path }}" + ], + osbs_service_accounts: [], + osbs_readonly_users: [], + osbs_readonly_groups: [], osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"], osbs_readwrite_groups: [ "system:authenticated"], osbs_admin_users: [], @@ -335,7 +414,7 @@ environment: "{{ osbs_environment }}" - name: Manage docker images and image stream - hosts: osbs-masters[0] + hosts: osbs-masters-stg[0]:osbs-masters[0] tags: - osbs-post-install - manage-docker-images 
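Review bot: The new staging policy task references `osbs_koji_stg_username`, but the group vars rewritten in this commit define `osbs_koji_username: "kojibuilder_stg"`; unless `osbs_koji_stg_username` is set in the private vars file, the first staging run fails on an undefined variable. Either reference `{{ osbs_koji_username }}` or define the `_stg` variable alongside the `_prod` one. The shell line also passes `htpasswd_provider:` and the username as two separate arguments because of the space after the colon; that mirrors the existing production task directly below it, so if both clusters genuinely work with the bare username, a comment such as `# the user is granted by bare name; 'htpasswd_provider:' is a leftover token` would stop the next reader from "fixing" it, and if not, the space should be removed in both tasks.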
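Review bot: The staging `osbs-on-openshift` entry sets `osbs_readwrite_groups: [ "system:authenticated"]`, which gives every account that can authenticate to the staging API read/write on the `default` namespace even though `osbs_readwrite_users` is already narrowed to the koji builder account; this copies the production context lines, so it may be intended, but a comment stating why group-wide write is required (or narrowing it to the builder) would make the decision explicit. `osbs_namespace_create: "false"` is a quoted string rather than a boolean; if the role tests it with a bare `when:` instead of `| bool`, the non-empty string is truthy, so `osbs_namespace_create: false` is the safer spelling. The re-added production head also passes `osbs_kubeconf_path` but builds `osbs_environment` from `osbs_kubeconfig_path`; presumably the latter is a role default, but confirm both resolve to `/etc/origin/master/admin.kubeconfig`. The staging entry's own head lies above this hunk.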
@@ -409,7 +488,7 @@ creates: /etc/origin/fedoraimagestreamcreated - name: post-install master host osbs tasks - hosts: osbs-masters + hosts: osbs-masters-stg:osbs-masters tags: - osbs-post-install vars_files: @@ -464,7 +543,7 @@ - name: post-install osbs tasks - hosts: osbs-masters:osbs-nodes + hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes tags: - osbs-post-install vars_files: @@ -496,6 +575,38 @@ shell: 'systemctl daemon-reload' roles: + - { + role: osbs-client, + general: { + verbose: 0, + build_json_dir: '/etc/osbs/input/', + openshift_required_version: 1.1.0, + }, + default: { + username: "{{ osbs_koji_stg_username }}", + password: "{{ osbs_koji_stg_password }}", + koji_use_kerberos: True, + koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab", + koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}", + openshift_url: 'https://{{osbs_url}}/', + registry_uri: 'https://{{docker_registry}}/v2', + source_registry_uri: 'https://{{source_registry}}/v2', + build_host: '{{osbs_url}}', + koji_root: 'https://{{koji_url}}/koji', + koji_hub: 'https://{{koji_url}}/kojihub', + sources_command: 'fedpkg sources', + build_type: 'prod', + authoritative_registry: 'registry.example.com', + vendor: 'Fedora Project', + verify_ssl: true, + use_auth: true, + builder_use_auth: true, + distribution_scope: 'private', + registry_api_versions: 'v2', + builder_openshift_url: 'https://{{osbs_url}}' + }, + when: env == "staging" + } - { role: osbs-client, general: { @@ -651,7 +762,7 @@ - name: Post-Install image stream refresh - hosts: osbs-masters[0] + hosts: osbs-masters[0]:osbs-masters-stg[0] tags: - osbs-post-install vars_files: 
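Review bot: `authoritative_registry: 'registry.example.com'` in the new staging `osbs-client` entry looks like a placeholder left in place: the `osbs-stg` group vars removed in this commit set `authoritative_registry: "{{ stable_registry }}"`, and the same file now defines `source_registry: "registry.stg.fedoraproject.org"`, so `authoritative_registry: '{{ source_registry }}'` matches what this block already uses for `source_registry_uri`. If the role writes this value into `/etc/osbs.conf`, staging builds will presumably carry the example hostname in their image metadata. The entry also switches `distribution_scope` to `'private'` where the deleted group vars had `public`; if that is a deliberate staging choice a one-line comment would help, otherwise it deserves a second look. Finally, both `password: "{{ osbs_koji_stg_password }}"` and `koji_use_kerberos: True` are supplied; if kerberos is the active path the password entry is dead config that still places a secret in the rendered file.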
@@ -661,9 +772,16 @@ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml tasks: + - name: refresh fedora image streams + shell: "oc import-image fedora --all" + when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed + - name: refresh fedora image streams shell: "oc import-image fedora --all" when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"]|changed - name: enable nrpe for monitoring (noc01) iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT + +# - name: enable nrpe for monitoring (noc01.stg) +# iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=1#0.5.126.2 state=present jump=ACCEPT diff --git a/playbooks/groups/osbs-orchestrator-cluster.yml b/playbooks/groups/osbs-orchestrator-cluster.yml deleted file mode 100644 index 95ec027921..0000000000 --- a/playbooks/groups/osbs-orchestrator-cluster.yml +++ /dev/null 
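Review bot: The play's `hosts:` now includes `osbs-masters-stg[0]`, but the existing `enable nrpe for monitoring (noc01)` task has no `when:` guard, so the staging master also receives an INPUT accept rule for TCP 5666 from the production address `10.5.126.41`, while the intended staging rule is only a comment whose source address contains a stray `#` (`1#0.5.126.2`). Add `when: env == "production"` to the existing task, and when the staging task is uncommented give it `when: env == "staging"` with the corrected source address. The new `refresh fedora image streams` task copies the `|changed` filter form from the production line; newer Ansible releases deprecate that in favour of `is changed`, so both lines may need updating together when the control host's Ansible is upgraded.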
@@ -1,839 +0,0 @@ -# create an osbs server -- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-stg" - tags: - - make_boxes - -- name: make the box be real - hosts: osbs-stg - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - base - - rkhunter - - nagios_client - - hosts - - fas_client - - collectd/base - - rsyncd - - sudo - - tasks: - - import_tasks: "{{ tasks_path }}/yumrepos.yml" - - import_tasks: "{{ tasks_path }}/2fa_client.yml" - - import_tasks: "{{ tasks_path }}/motd.yml" - - handlers: - - import_tasks: "{{ handlers_path }}/restart_services.yml" - -# Prepare the Control host to be able to run ansible-ansible-openshift-ansible -# against the Orchestration and Worker cluster machines -- name: OSBS control hosts pre-req setup - hosts: osbs-control-stg - tags: - - osbs-orchestrator-prereq - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - - name: deploy private key to control hosts - copy: - src: "{{private}}/files/osbs/{{env}}/control_key" - dest: "/root/.ssh/id_rsa" - owner: root - mode: 0600 - - - name: set ansible to use pipelining - ini_file: - dest: /etc/ansible/ansible.cfg - section: ssh_connection - option: pipelining - value: "True" - - - name: Install necessary packages that openshift-ansible control host needs - package: name="{{ item }}" state=installed - with_items: - - ansible - - git - - python-passlib - - java-1.8.0-openjdk-headless - - httpd-tools - -# This section sets up the SSL Certs for "public facing" which is how Koji will -# interact with the OSBS Orchestration cluster. This is not needed on the worker -# clusters. 
-- name: Setup orchestrator cluster masters pre-reqs - hosts: osbs-masters-stg - tags: - - osbs-orchestrator-prereq - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - - name: ensure origin conf dir exists - file: - path: "/etc/origin" - state: "directory" - - - name: create cert dir for openshift public facing REST API SSL - file: - path: "/etc/origin/master/named_certificates" - state: "directory" - - - name: install cert for openshift public facing REST API SSL - copy: - src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" - dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem" - - - name: install key for openshift public facing REST API SSL - copy: - src: "{{private}}/files/osbs/{{env}}/osbs-internal.key" - dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key" - - - name: place htpasswd file - copy: - src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd" - dest: "{{ oa_htpasswd_file }}" - - -# This installs required pre-reqs and deploys the Controler's public key to all -# machines in both the Orchestrator and Worker clusters in order to allow -# ansible-ansible-openshift-ansible to be run against them -- name: Setup cluster hosts pre-reqs - hosts: osbs-orchestrators-stg:osbs-workers-stg - tags: - - osbs-orchestrator-prereq - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - handlers: - - name: restart NetworkManager - service: - name: NetworkManager - state: restarted - - roles: - - role: openshift-prerequisites - - tasks: - - name: Install necessary packages that openshift-ansible needs - package: name="{{ item }}" state=installed - with_items: - - tar - - rsync - - python3-dbus - - NetworkManager - - libselinux-python3 - - python3-PyYAML - - 
java-1.8.0-openjdk-headless - - - name: Deploy controller public ssh keys to osbs cluster hosts - authorized_key: - user: root - key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}" - - # This is required for OpenShift built-in SkyDNS inside the overlay network - # of the cluster - - name: ensure NM_CONTROLLED is set to "yes" for osbs cluster - lineinfile: - dest: "/etc/sysconfig/network-scripts/ifcfg-eth0" - line: "NM_CONTROLLED=yes" - notify: - - restart NetworkManager - - # This is required for OpenShift built-in SkyDNS inside the overlay network - # of the cluster - - name: ensure NetworkManager is enabled and started - service: - name: NetworkManager - state: started - enabled: yes - - - name: cron entry to clean up docker storage - copy: - src: "{{files}}/osbs/cleanup-docker-storage" - dest: "/etc/cron.d/cleanup-docker-storage" - - - name: copy docker-storage-setup config - copy: - src: "{{files}}/osbs/docker-storage-setup" - dest: "/etc/sysconfig/docker-storage-setup" - when: env == "production" - - - name: copy docker-storage-setup config - copy: - src: "{{files}}/osbs/docker-storage-setup.staging" - dest: "/etc/sysconfig/docker-storage-setup" - when: env == "staging" - - -# This keytab needs to be on any system that is going to talk to koji and -# unfortunately, that's all of them. 
-- name: Deploy kerberose keytab to cluster hosts - hosts: osbs-masters-stg:osbs-nodes-stg:osbsworker-masters-stg:osbsworker-nodes-stg - tags: - - osbs-cluster-prereq - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - role: keytab/service - owner_user: root - owner_group: root - service: osbs - host: "osbs.stg.fedoraproject.org" - when: env == "staging" - -- name: Deploy OpenShift Clusters - hosts: osbs-control-stg - tags: - - osbs-deploy-openshift - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - role: ansible-ansible-openshift-ansible - cluster_inventory_filename: "orchestrator-cluster-inventory-stg" - openshift_htpasswd_file: "{{ oa_htpasswd_file }}" - openshift_master_public_api_url: "https://{{ osbs_url }}:8443" - openshift_release: "{{ origin_release }}" - openshift_ansible_path: "/root/openshift-ansible" - openshift_ansible_playbook: "playbooks/byo/config.yml" - openshift_ansible_version: "{{ oa_version }}" - openshift_ansible_ssh_user: "{{ oa_ssh_user }}" - openshift_ansible_install_examples: "{{ oa_install_examples }}" - openshift_ansible_containerized_deploy: "{{ oa_containerized_deploy }}" - openshift_cluster_masters_group: "osbs-masters-stg" - openshift_cluster_nodes_group: "osbs-nodes-stg" - openshift_cluster_infra_group: "osbs-masters-stg" - openshift_auth_profile: "{{ oa_auth_profile }}" - openshift_cluster_url: "{{ osbs_url }}" - openshift_master_ha: false - openshift_debug_level: "{{ oa_debug_level }}" - openshift_shared_infra: true - openshift_deployment_type: "origin" - openshift_metrics_deploy: true - openshift_ansible_python_interpreter: "/usr/bin/python3" - openshift_nodeselectors: "{{ osbs_orchestrator_nodeselector_labels }}" - when: 
env == 'staging' - tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] - - - role: ansible-ansible-openshift-ansible - cluster_inventory_filename: "x86-64-worker-cluster-inventory-stg" - openshift_htpasswd_file: "{{ oa_htpasswd_file }}" - openshift_master_public_api_url: "https://{{ osbsworker_x86_64_url }}:8443" - openshift_release: "{{ origin_release }}" - openshift_ansible_path: "/root/openshift-ansible" - openshift_ansible_playbook: "playbooks/byo/config.yml" - openshift_ansible_version: "{{ oa_version }}" - openshift_ansible_ssh_user: "{{ oa_ssh_user }}" - openshift_ansible_install_examples: "{{ oa_install_examples }}" - openshift_ansible_containerized_deploy: "{{ oa_containerized_deploy }}" - openshift_cluster_masters_group: "osbsworker-x86-64-masters-stg" - openshift_cluster_nodes_group: "osbsworker-x86-64-nodes-stg" - openshift_cluster_infra_group: "osbsworker-x86-64-masters-stg" - openshift_auth_profile: "{{ oa_auth_profile }}" - openshift_cluster_url: "{{ osbsworker_x86_64_url }}" - openshift_master_ha: false - openshift_debug_level: "{{ oa_debug_level }}" - openshift_shared_infra: true - openshift_deployment_type: "origin" - openshift_metrics_deploy: true - openshift_ansible_python_interpreter: "/usr/bin/python3" - openshift_nodeselectors: "{{ osbs_worker_nodeselector_labels }}" - when: env == 'staging' - tags: ['openshift-cluster','ansible-ansible-openshift-ansible'] - -- name: Setup OSBS requirements for OpenShift cluster hosts - hosts: osbs-orchestrators-stg:osbs-workers-stg - tags: - - osbs-cluster-req - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - roles: - - role: osbs-common - osbs_manage_firewalld: false - - - role: osbs-atomic-reactor - - - role: push-docker - docker_cert_name: "containerbuild" - docker_cert_dir: "/etc/docker/certs.d/{{ candidate_registry }}" - when: env == "staging" - - 
# The images that come out of the builds need to be pushed somwhere - - role: "manage-container-images" - cert_dest_dir: "/etc/docker/certs.d/{{ candidate_registry }}" - cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem" - key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key" - when: env == "staging" - - handlers: - - name: restart dnsmasq - service: - name: dnsmasq - state: restarted - - tasks: - - - name: ensure dnsmasq is installed - package: - name: dnsmasq - state: latest - - - name: install fedora dnsmasq specific config - copy: - src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}" - dest: "/etc/dnsmasq.d/fedora-dns.conf" - notify: - - restart dnsmasq - -- name: setup orchestrator namespace - hosts: osbs-masters-stg[0] - tags: - - osbs-cluster-req - - orchestrator-namespace - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - koji_pki_dir: /etc/pki/koji - koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" - koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" - koji_builder_user: dockerbuilder - osbs_secret_name: kojisecret - osbs_secret_service_account: "{{ osbs_builder_user }}" - osbs_secret_remote_dir: /var/lib/origin - osbs_secret_can_fail: false - - roles: - - role: osbs-namespace - osbs_namespace: "{{ osbs_orchestrator_namespace }}" - osbs_openshift_home: "{{ openshift_home}}" - osbs_kubeconfig_path: "{{ kubeconfig_path }}" - osbs_generated_config_path: "{{ generated_config_path }}" - osbs_environmnet: "{{ osbs_env }}" - osbs_is_admin: "{{ osbs_admin }}" - osbs_service_accounts: "{{ osbs_orchestrator_service_accounts }}" - osbs_cpu_limitrange: "{{ os_cpu_limitrange }}" - osbs_admin_groups: "{{ os_admin_groups }}" - 
osbs_admin_users: "{{ os_admin_users }}" - osbs_readonly_groups: "{{ osbs_orchestrator_readonly_groups }}" - osbs_readonly_users: "{{ osbs_orchestrator_readonly_groups }}" - osbs_readwrite_groups: "{{ osbs_orchestrator_readwrite_groups }}" - osbs_readwrite_users: "{{ osbs_orchestrator_readwrite_users }}" - osbs_orchestrator: true - osbs_worker_clusters: "{{ worker_clusters }}" - osbs_koji_secret_name: "{{ koji_secret_name }}" - osbs_distribution_scope: "{{ distribution_scope }}" - osbs_authoritative_registry: "{{ authoritative_registry }}" - osbs_koji_hub: "{{ koji_hub }}" - osbs_koji_root: "{{ koji_root }}" - osbs_registry_api_versions: "{{ registry_api_versions }}" - osbs_registry_uri: "{{ candidate_registry }}" - osbs_source_registry_uri: "{{ stable_registry }}" - osbs_build_json_dir: "{{ build_json_dir }}" - osbs_sources_command: "fedpkg sources" - osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}" - -- name: setup worker namespace - hosts: osbsworker-x86-64-masters-stg[0] - tags: - - osbs-cluster-req - - worker-namespace - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - koji_pki_dir: /etc/pki/koji - koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" - koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" - koji_builder_user: dockerbuilder - osbs_builder_user: builder - osbs_secret_name: kojisecret - osbs_secret_service_account: "{{ osbs_builder_user }}" - osbs_secret_remote_dir: /var/lib/origin - osbs_secret_can_fail: false - - roles: - - role: osbs-namespace - osbs_namespace: "{{ osbs_worker_namespace }}" - osbs_openshift_home: "{{ openshift_home}}" - osbs_kubeconfig_path: "{{ kubeconfig_path }}" - osbs_generated_config_path: "{{ generated_config_path 
}}" - osbs_environmnet: "{{ osbs_env }}" - osbs_is_admin: "{{ osbs_admin }}" - osbs_service_accounts: "{{ osbs_worker_service_accounts }}" - osbs_admin_groups: "{{ os_admin_groups }}" - osbs_admin_users: "{{ os_admin_users }}" - osbs_readonly_groups: "{{ osbs_worker_readonly_groups }}" - osbs_readonly_users: "{{ osbs_worker_readonly_groups }}" - osbs_readwrite_groups: "{{ osbs_worker_readwrite_groups }}" - osbs_readwrite_users: "{{ osbs_worker_readwrite_users }}" - osbs_orchestrator: false - osbs_worker_clusters: "{{ worker_clusters }}" - osbs_koji_secret_name: "{{ koji_secret_name }}" - osbs_distribution_scope: "{{ distribution_scope }}" - osbs_authoritative_registry: "{{ authoritative_registry }}" - osbs_koji_hub: "{{ koji_hub }}" - osbs_koji_root: "{{ koji_root }}" - osbs_registry_api_versions: "{{ registry_api_versions }}" - osbs_registry_uri: "{{ candidate_registry }}" - osbs_source_registry_uri: "{{ stable_registry }}" - osbs_build_json_dir: "{{ build_json_dir }}" - osbs_sources_command: "fedpkg sources" - osbs_cpu_limitrange: "{{ os_cpu_limitrange }}" - osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}" - -- name: Setup Koji auth for OSBS Orchestrator Cluster - hosts: osbs-masters-stg[0] - tags: - - osbs-master-req - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - - tasks: - - name: set policy for koji builder in openshift for osbs - shell: "oadm policy add-role-to-user -n {{ osbs_orchestrator_namespace }} edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added" - args: - creates: "/etc/origin/koji-builder-policy-added" - when: env == "staging" - - - name: set policy for koji builder in openshift for atomic-reactor - shell: "oadm policy add-role-to-user -n {{ osbs_orchestrator_namespace }} edit 
system:serviceaccount:{{osbs_orchestrator_namespace}}:{{osbs_builder_user}} && touch /etc/origin/atomic-reactor-policy-added" - args: - creates: "/etc/origin/atomic-reactor-policy-added" - -- name: Setup Koji auth for OSBS Worker Cluster - hosts: osbsworker-x86-64-masters-stg[0] - tags: - - osbs-master-req - user: root - gather_facts: True - - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - "/srv/private/ansible/vars.yml" - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - - tasks: - - name: set policy for koji builder in openshift for osbs - shell: "oadm policy add-role-to-user -n {{ osbs_worker_namespace }} edit htpasswd_provider: {{ osbs_koji_stg_username }} && touch /etc/origin/koji-builder-policy-added" - args: - creates: "/etc/origin/koji-builder-policy-added" - when: env == "staging" - - - name: set policy for koji builder in openshift for atomic-reactor - shell: "oadm policy add-role-to-user -n {{ osbs_worker_namespace }} edit system:serviceaccount:{{osbs_orchestrator_namespace}}:{{osbs_builder_user}} && touch /etc/origin/atomic-reactor-policy-added" - args: - creates: "/etc/origin/atomic-reactor-policy-added" - -- name: post-install orchestrator master host osbs tasks - hosts: osbs-masters-stg[0] - tags: - - osbs-post-install - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - koji_pki_dir: /etc/pki/koji - koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" - koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" - koji_builder_user: dockerbuilder - osbs_builder_user: builder - - - handlers: - - name: oc secrets new - shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} 
--namespace={{ osbs_orchestrator_namespace }}" - environment: "{{ osbs_environment }}" - notify: oc secrets add - - - name: oc secrets add - shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_orchestrator_namespace}}" - environment: "{{ osbs_environment }}" - - tasks: - - name: Ensure koji dockerbuilder cert path exists - file: - path: "{{ koji_pki_dir }}" - state: "directory" - mode: 0400 - - - name: Add koji dockerbuilder cert for Content Generator import - copy: - src: "{{private}}/files/koji/containerbuild.pem" - dest: "{{ koji_cert_path }}" - notify: oc secrets new - - - name: Add koji dockerbuilder ca cert for Content Generator import - copy: - src: "{{private}}/files/koji/buildercerts/fedora-ca.cert" - dest: "{{ koji_ca_cert_path }}" - notify: oc secrets new - - - name: cron entry to clean up old builds - copy: - src: "{{files}}/osbs/cleanup-old-osbs-builds" - dest: "/etc/cron.d/cleanup-old-osbs-builds" - -- name: post-install worker master host osbs tasks - hosts: osbsworker-x86-64-masters-stg[0] - tags: - - osbs-post-install - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - koji_pki_dir: /etc/pki/koji - koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" - koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" - koji_builder_user: dockerbuilder - osbs_builder_user: builder - - - handlers: - - name: oc secrets new - shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }} --namespace={{osbs_worker_namespace}}" - environment: "{{ osbs_environment }}" - notify: oc secrets add - - - name: oc secrets add - shell: "oc secrets add serviceaccount/{{ 
osbs_builder_user }} secrets/koji --for=mount --namespace={{osbs_worker_namespace}}" - environment: "{{ osbs_environment }}" - - tasks: - - name: Ensure koji dockerbuilder cert path exists - file: - path: "{{ koji_pki_dir }}" - state: "directory" - mode: 0400 - - - name: Add koji dockerbuilder cert for Content Generator import - copy: - src: "{{private}}/files/koji/containerbuild.pem" - dest: "{{ koji_cert_path }}" - notify: oc secrets new - - - name: Add koji dockerbuilder ca cert for Content Generator import - copy: - src: "{{private}}/files/koji/buildercerts/fedora-ca.cert" - dest: "{{ koji_ca_cert_path }}" - notify: oc secrets new - - - name: cron entry to clean up old builds - copy: - src: "{{files}}/osbs/cleanup-old-osbs-builds" - dest: "/etc/cron.d/cleanup-old-osbs-builds" - -- name: Manage docker images and image stream - hosts: osbs-masters-stg[0]:osbsworker-x86-64-masters-stg[0] - tags: - - osbs-post-install - - manage-docker-images - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - koji_pki_dir: /etc/pki/koji - koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" - koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" - koji_builder_user: dockerbuilder - - tasks: - # NOTE: Need to delegate to compose-x86-01.phx2.fedoraproject.org for prod - # because the push keys are split for each env - - name: skopeo sync openshift required docker images - shell: "skopeo copy docker://docker.io/{{item}}:{{origin_release}} docker://{{candidate_registry}}/{{item}}:{{origin_release}}" - with_items: "{{openshift_required_images}}" - delegate_to: composer.stg.phx2.fedoraproject.org - register: docker_pull_openshift_delegated - changed_when: "'Skipping fetch of repeat blob' not in 
docker_pull_openshift_delegated.stdout" - when: env == "staging" - - - name: create fedora image stream for OpenShift - shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{candidate_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated" - environment: "{{ osbs_environment }}" - args: - creates: /etc/origin/fedoraimagestreamcreated - -- name: post-install osbs tasks - hosts: osbs-orchestrators-stg:osbs-workers-stg - tags: - - osbs-post-install - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - vars: - osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig - osbs_environment: - KUBECONFIG: "{{ osbs_kubeconfig_path }}" - koji_pki_dir: /etc/pki/koji - koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert" - koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem" - koji_builder_user: dockerbuilder - osbs_builder_user: builder - - - handlers: - - name: buildroot container - shell: 'docker rmi buildroot; docker build --no-cache --rm -t buildroot /etc/osbs/buildroot/' - - - name: restart docker - service: - name: docker - state: restarted - - - name: systemctl daemon-reload - shell: 'systemctl daemon-reload' - - roles: - - { - role: osbs-client, - general: { - verbose: 0, - build_json_dir: '/etc/osbs/input/', - openshift_required_version: 1.1.0, - }, - default: { - username: "{{ osbs_koji_stg_username }}", - password: "{{ osbs_koji_stg_password }}", - koji_use_kerberos: True, - koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab", - koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}", - openshift_url: 'https://{{osbs_url}}/', - registry_uri: 'https://{{candidate_registry}}/v2', - source_registry_uri: 'https://{{stable_registry}}/v2', - build_host: '{{osbs_url}}', 
- koji_root: '{{koji_root}}', - koji_hub: '{{koji_hub}}', - sources_command: 'fedpkg sources', - build_type: 'prod', - authoritative_registry: '{{stable_registry}}', - vendor: 'Fedora Project', - verify_ssl: true, - use_auth: true, - builder_use_auth: true, - distribution_scope: 'private', - registry_api_versions: 'v2', - builder_openshift_url: 'https://{{osbs_url}}', - namespace: 'osbs', - can_orchestrate: true - }, - when: env == "staging" - } - - tasks: - - name: copy docker iptables script - copy: - src: "{{files}}/osbs/fix-docker-iptables.{{ env }}" - dest: /usr/local/bin/fix-docker-iptables - mode: 0755 - notify: - - restart docker - - - name: copy docker service config - copy: - src: "{{files}}/osbs/docker.custom.service" - dest: /etc/systemd/system/docker.service.d/custom.conf - notify: - - systemctl daemon-reload - - restart docker - - - name: ensure docker is running - service: - name: docker - state: started - enabled: yes - - - name: set nrpe read access for osbs.conf for nagios monitoring - acl: name={{ osbs_client_conf_path }} entity=nrpe etype=user permissions=r state=present - - - name: Create buildroot container conf directory - file: - path: "/etc/osbs/buildroot/" - state: directory - - - name: Upload Dockerfile for buildroot container - template: - src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2" - dest: "/etc/osbs/buildroot/Dockerfile" - mode: 0400 - notify: - - buildroot container - - - name: Upload internal CA for buildroot - copy: - src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem" - dest: "/etc/osbs/buildroot/ca.crt" - mode: 0400 - notify: - - buildroot container - - - name: stat infra repofile - stat: - path: "/etc/yum.repos.d/infra-tags.repo" - register: infra_repo_stat - - - name: stat /etc/osbs/buildroot/ infra repofile - stat: - path: "/etc/osbs/buildroot/infra-tags.repo" - register: etcosbs_infra_repo_stat - - - name: remove old /etc/osbs/buildroot/ infra repofile - file: - path: "/etc/osbs/buildroot/infra-tags.repo" - 
state: absent - when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum - - - name: Copy repofile for buildroot container (because Docker) - copy: - src: "/etc/yum.repos.d/infra-tags.repo" - dest: "/etc/osbs/buildroot/infra-tags.repo" - remote_src: true - notify: - - buildroot container - when: etcosbs_infra_repo_stat.stat.exists == false - - - name: stat /etc/ keytab - stat: - path: "/etc/krb5.osbs_{{osbs_url}}.keytab" - register: etc_kt_stat - - - name: stat /etc/osbs/buildroot/ keytab - stat: - path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" - register: etcosbs_kt_stat - - - name: remove old hardlink to /etc/osbs/buildroot/ keytab - file: - path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" - state: absent - when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum != etcosbs_kt_stat.stat.checksum - - - name: Hardlink keytab for buildroot container (because Docker) - file: - src: "/etc/krb5.osbs_{{osbs_url}}.keytab" - dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab" - state: hard - notify: - - buildroot container - when: etcosbs_kt_stat.stat.exists == false - - - name: pull openshift required docker images - shell: "docker pull {{candidate_registry}}/{{item}}:{{origin_release}}" - with_items: "{{openshift_required_images}}" - register: docker_pull_openshift - changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout" - - - name: pull fedora required docker images - shell: "docker pull {{stable_registry}}/{{item}}" - with_items: "{{fedora_required_images}}" - register: docker_pull_fedora - changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout" - - - name: tag openshift required docker images locally - shell: "docker tag {{candidate_registry}}/{{item}}:{{origin_release}} {{item}}:{{origin_release}}" - with_items: "{{openshift_required_images}}" - when: docker_pull_openshift|changed - - - set_fact: - docker_pull_openshift: "{{ 
docker_pull_openshift }}" - - -- name: Post-Install image stream refresh - hosts: osbs-masters-stg[0] - tags: - - osbs-post-install - vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml - - tasks: - - name: refresh fedora image streams - shell: "oc import-image fedora --all" - when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"]|changed - - - name: enable nrpe for monitoring (noc01) - iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT - - - name: enable nrpe for monitoring (noc01.stg) - iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.128.38 state=present jump=ACCEPT