fa610eaed0
If you run these playbooks without any limit, The 4 master hosts (2
x86_64 and 2 aarch64) will be in the play, but they all use local_action
to make the local secrets file thats loaded. This means, whichever of
them happens to be writing the file last, thats the version of the file
that all 4 of them get. This is particularly bad when it's the staging
creds and the prod hosts get it loaded. :(
So, adding {{ env }} here makes the staging and prod versions seperate
so they don't step on each other.
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
168 lines
5.3 KiB
YAML
168 lines
5.3 KiB
YAML
- name: Create orchestrator namespace
|
|
hosts: osbs_masters_stg[0]:osbs_masters[0]
|
|
roles:
|
|
- role: osbs-namespace
|
|
osbs_orchestrator: true
|
|
osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}"
|
|
osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}"
|
|
osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
|
|
osbs_sources_command: "{{ osbs_conf_sources_command }}"
|
|
osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}"
|
|
osbs_service_accounts: "{{ osbs_conf_service_accounts }}"
|
|
koji_use_kerberos: true
|
|
koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
|
|
koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
|
|
tags:
|
|
- osbs-orchestrator-namespace
|
|
|
|
- name: setup reactor config secret in orchestrator namespace
|
|
hosts: osbs_masters_stg[0]:osbs_masters[0]
|
|
roles:
|
|
- role: osbs-secret
|
|
osbs_secret_name: reactor-config-secret
|
|
osbs_secret_files:
|
|
- source: "/tmp/{{ osbs_namespace }}-{{ env }}-reactor-config-secret.yml"
|
|
dest: config.yaml
|
|
tags:
|
|
- osbs-orchestrator-namespace
|
|
|
|
- name: setup client config secret in orchestrator namespace
|
|
hosts: osbs_masters_stg[0]:osbs_masters[0]
|
|
roles:
|
|
- role: osbs-secret
|
|
osbs_secret_name: client-config-secret
|
|
osbs_secret_files:
|
|
- source: "/tmp/{{ osbs_namespace }}-{{ env }}-client-config-secret.conf"
|
|
dest: osbs.conf
|
|
tags:
|
|
- osbs-orchestrator-namespace
|
|
|
|
- name: setup ODCS secret in orchestrator namespace
|
|
hosts: osbs_masters_stg[0]:osbs_masters[0]
|
|
vars_files:
|
|
- /srv/web/infra/ansible/vars/global.yml
|
|
- "/srv/private/ansible/vars.yml"
|
|
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
|
roles:
|
|
- role: osbs-secret
|
|
osbs_secret_name: odcs-oidc-secret
|
|
osbs_secret_files:
|
|
- source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
|
|
dest: token
|
|
tags:
|
|
- osbs-orchestrator-namespace
|
|
|
|
- name: Save orchestrator token x86_64
|
|
hosts: osbs_masters_stg[0]:osbs_masters[0]
|
|
tasks:
|
|
- name: get orchestrator service account token
|
|
command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
|
|
register: orchestator_token_x86_64
|
|
- name: save the token locally
|
|
local_action: >
|
|
copy
|
|
content="{{ orchestator_token_x86_64.stdout }}"
|
|
dest=/tmp/.orchestator-token-x86_64
|
|
mode=0400
|
|
tags:
|
|
- osbs-orchestrator-namespace
|
|
|
|
- name: setup orchestrator token for x86_64-osbs
|
|
hosts: osbs_masters_stg[0]:osbs_masters[0]
|
|
vars_files:
|
|
- /srv/web/infra/ansible/vars/global.yml
|
|
- "/srv/private/ansible/vars.yml"
|
|
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
|
roles:
|
|
- role: osbs-secret
|
|
osbs_secret_name: x86-64-orchestrator
|
|
osbs_secret_files:
|
|
- source: "/tmp/.orchestator-token-x86_64"
|
|
dest: token
|
|
|
|
post_tasks:
|
|
- name: Delete the temporary secret file
|
|
local_action: >
|
|
file
|
|
state=absent
|
|
path="/tmp/.orchestator-token-x86_64"
|
|
tags:
|
|
- osbs-orchestrator-namespace
|
|
|
|
- name: Save orchestrator token aarch64
|
|
hosts: osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
|
|
tasks:
|
|
- name: get orchestrator service account token
|
|
command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
|
|
register: orchestator_token_aarch64
|
|
- name: save the token locally
|
|
local_action: >
|
|
copy
|
|
content="{{ orchestator_token_aarch64.stdout }}"
|
|
dest=/tmp/.orchestator-token-aarch64
|
|
mode=0400
|
|
tags:
|
|
- osbs-orchestrator-namespace
|
|
|
|
- name: setup orchestrator token for aarch64-osbs
|
|
hosts: osbs_masters_stg[0]:osbs_masters[0]
|
|
vars_files:
|
|
- /srv/web/infra/ansible/vars/global.yml
|
|
- "/srv/private/ansible/vars.yml"
|
|
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
|
roles:
|
|
- role: osbs-secret
|
|
osbs_secret_can_fail: true
|
|
osbs_secret_name: aarch64-orchestrator
|
|
osbs_secret_files:
|
|
- source: "/tmp/.orchestator-token-aarch64"
|
|
dest: token
|
|
|
|
post_tasks:
|
|
- name: Delete the temporary secret file
|
|
local_action: >
|
|
file
|
|
state=absent
|
|
path="/tmp/.orchestator-token-aarch64"
|
|
|
|
tags:
|
|
- osbs-orchestrator-namespace
|
|
|
|
- name: Add dockercfg secret to allow registry push orchestrator
|
|
hosts: osbs_masters_stg[0]:osbs_masters[0]
|
|
tags:
|
|
- osbs-dockercfg-secret
|
|
user: root
|
|
|
|
vars_files:
|
|
- /srv/web/infra/ansible/vars/global.yml
|
|
- "/srv/private/ansible/vars.yml"
|
|
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
|
|
|
|
pre_tasks:
|
|
- name: Create the username:password string needed by the template
|
|
set_fact:
|
|
auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
|
|
auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
|
|
|
|
- name: Create the dockercfg secret file
|
|
local_action: >
|
|
template
|
|
src="{{ files }}/osbs/dockercfg-{{env}}-secret.j2"
|
|
dest="/tmp/.dockercfg{{ env }}"
|
|
mode=0400
|
|
|
|
roles:
|
|
- role: osbs-secret
|
|
osbs_secret_name: "v2-registry-dockercfg"
|
|
osbs_secret_type: kubernetes.io/dockercfg
|
|
osbs_secret_files:
|
|
- source: "/tmp/.dockercfg{{ env }}"
|
|
dest: .dockercfg
|
|
|
|
post_tasks:
|
|
- name: Delete the temporary secret file
|
|
local_action: >
|
|
file
|
|
state=absent
|
|
path="/tmp/.dockercfg{{ env }}"
|