add osbs w/ v2 registry support

This commit is contained in:
Adam Miller 2016-01-14 10:12:13 -06:00 committed by Adam Miller
parent 1d1612b648
commit 03b4b85c3f
49 changed files with 1917 additions and 11 deletions


@ -3,10 +3,10 @@
gather_facts: False
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/fedora-cloud.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/web/infra/ansible/vars/fedora-cloud.yml
- /srv/private/ansible/files/openstack/passwords.yml
tasks:
- include: "{{ tasks }}/persistent_cloud.yml"
@ -14,12 +14,72 @@
- name: setup all the things
hosts: osbs-dev.fedorainfracloud.org
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- include: "{{ tasks }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
shell: "hostname {{inventory_hostname}}"
- include: "{{ tasks }}/cloud_setup_basic.yml"
- name: set hostname (required by some services, at least postfix need it)
shell: "hostname {{inventory_hostname}}"
- name: setup osbs
hosts: osbs-dev.fedorainfracloud.org
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- osbs-atomic-reactor
- osbs-common
- osbs-install-openshift
- osbs-master
- {
role: osbs-client,
default.openshift_url: 'https://osbs-dev.fedorainfracloud.org:8443/',
default.registry_url: 'https://osbs-dev.fedorainfracloud.org:5000/v2',
default.source_registry_uri: 'https://osbs-dev.fedorainfracloud.org:5000/v2',
build_host: 'osbs-dev.fedorainfracloud.org'
}
- {
role: docker-distribution,
cert.private_path: "files/osbs/osbs-dev.certs",
cert.dir: "/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/",
cert.src_name: "osbs-dev.fedorainfracloud.org.crt",
cert.src_key_name: "osbs-dev.fedorainfracloud.org.key",
tls.enabled: True,
tls.certificate: "/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/ca.crt",
tls.key: "/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/ca.key",
}
- name: post-install osbs tasks
hosts: osbs-dev.fedorainfracloud.org
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: install docker
action: "{{ ansible_pkg_mgr }} name=docker-distribution state=installed"
- name: ensure docker daemon cert dir exists
file:
path: "/etc/docker/certs.d/"
state: directory
- name: create symlink for docker daemon cert
file:
src: "/etc/docker/certs.d/osbs.localdomain:5000"
dest: "/etc/pki/docker/osbs.localdomain:5000/"
state: "link"
- name: start and enable docker
service: name=docker state=started enabled=yes
- name: create fedora image stream for OpenShift
shell: 'cat <<"EOF" | oc create -f - { "apiVersion": "v1", "kind": "ImageStream", "metadata": { "name": "fedora" }, "spec": { "dockerImageRepository": "osbs-dev.fedorainfracloud.org:5000/fedora" } } EOF'
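Review bot: The `create symlink for docker daemon cert` task has `src` and `dest` reversed for the `file` module: with `state: link`, `dest` is the link that gets created and `src` is what it points to, so this creates a link inside `/etc/pki/docker/` pointing at a non-existent `/etc/docker/certs.d/osbs.localdomain:5000` rather than giving the daemon a `certs.d` entry. It also names `osbs.localdomain:5000` while the docker-distribution role in the same playbook installs the certificate under `/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/`, so even a correctly oriented link would not hand the daemon the CA it needs to trust the registry. I would change it to `src: "/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000"` and `dest: "/etc/docker/certs.d/osbs-dev.fedorainfracloud.org:5000"`. Separately, the osbs-client role parameters pass `default.registry_url` whereas the role's template reads `default.registry_uri`, and dotted role parameters such as `default.openshift_url` do not, as far as I know, set keys inside the `default` dictionary, so the `osbs.localdomain` defaults are likely what ends up in osbs.conf — worth verifying on the rendered file. The task named `install docker` also installs `docker-distribution` rather than `docker`, so if docker is not already present the following `start and enable docker` step fails.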


@ -0,0 +1,38 @@
Role Name
=========
A brief description of the role goes here.
Requirements
------------
Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
Role Variables
--------------
A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
Dependencies
------------
A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
Example Playbook
----------------
Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
- hosts: servers
roles:
- { role: username.rolename, x: 42 }
License
-------
BSD
Author Information
------------------
An optional section for the role authors to include contact information, or a website (HTML is not allowed).


@ -0,0 +1,31 @@
---
# defaults file for docker-distribution
#
# where to put the config.yml on the remote machine
conf_path: /etc/docker-distribution/registry/config.yml
# Cert information to place certificate files on system
cert:
private_path: PRIVATE_PATH_TO_CERT_DIR
dir: "/etc/pki/docker/{{ ansible_fqdn }}:5000"
src_name: ca.crt
src_key_name: ca.key
dest_name: ca.crt
dest_key_name: ca.key
# Config directives
tls:
enabled: False
certificate: PATH_TO_CERT
key: PATH_TO_KEY
log:
fields:
service: registry
storage:
cache:
layerinfo: inmemory
filesystem:
rootdirectory: /var/lib/registry/
http:
addr: :5000
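Review bot: `tls.enabled: False` (and the `True` passed for it from the playbook) relies on capitalised YAML 1.1 booleans together with `when: tls.enabled == True` comparisons in the tasks; write `enabled: false` and compare with `when: tls.enabled`. `addr: :5000` is accepted by YAML but reads badly and binds the registry to every interface; I would quote it as `addr: ":5000"` and add the comment `# listens on all interfaces; with tls.enabled false this is a plaintext registry` above it. The `PRIVATE_PATH_TO_CERT_DIR`, `PATH_TO_CERT` and `PATH_TO_KEY` placeholders are rendered verbatim into the registry config when not overridden (see the config template), so a comment stating they must be set whenever TLS is enabled would help.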


@ -0,0 +1,2 @@
---
# handlers file for docker-distribution


@ -0,0 +1,147 @@
---
galaxy_info:
author: your name
description:
company: your company (optional)
# If the issue tracker for your role is not on github, uncomment the
# next line and provide a value
# issue_tracker_url: http://example.com/issue/tracker
# Some suggested licenses:
# - BSD (default)
# - MIT
# - GPLv2
# - GPLv3
# - Apache
# - CC-BY
license: license (GPLv2, CC-BY, etc)
min_ansible_version: 1.2
#
# Below are all platforms currently available. Just uncomment
# the ones that apply to your role. If you don't see your
# platform on this list, let us know and we'll get it added!
#
#platforms:
#- name: EL
# versions:
# - all
# - 5
# - 6
# - 7
#- name: GenericUNIX
# versions:
# - all
# - any
#- name: Solaris
# versions:
# - all
# - 10
# - 11.0
# - 11.1
# - 11.2
# - 11.3
#- name: Fedora
# versions:
# - all
# - 16
# - 17
# - 18
# - 19
# - 20
# - 21
# - 22
#- name: Windows
# versions:
# - all
# - 2012R2
#- name: SmartOS
# versions:
# - all
# - any
#- name: opensuse
# versions:
# - all
# - 12.1
# - 12.2
# - 12.3
# - 13.1
# - 13.2
#- name: Amazon
# versions:
# - all
# - 2013.03
# - 2013.09
#- name: GenericBSD
# versions:
# - all
# - any
#- name: FreeBSD
# versions:
# - all
# - 8.0
# - 8.1
# - 8.2
# - 8.3
# - 8.4
# - 9.0
# - 9.1
# - 9.1
# - 9.2
#- name: Ubuntu
# versions:
# - all
# - lucid
# - maverick
# - natty
# - oneiric
# - precise
# - quantal
# - raring
# - saucy
# - trusty
# - utopic
# - vivid
#- name: SLES
# versions:
# - all
# - 10SP3
# - 10SP4
# - 11
# - 11SP1
# - 11SP2
# - 11SP3
#- name: GenericLinux
# versions:
# - all
# - any
#- name: Debian
# versions:
# - all
# - etch
# - jessie
# - lenny
# - squeeze
# - wheezy
#
# Below are all categories currently available. Just as with
# the platforms above, uncomment those that apply to your role.
#
#categories:
#- cloud
#- cloud:ec2
#- cloud:gce
#- cloud:rax
#- clustering
#- database
#- database:nosql
#- database:sql
#- development
#- monitoring
#- networking
#- packaging
#- system
#- web
dependencies: []
# List your role dependencies here, one per line.
# Be sure to remove the '[]' above if you add dependencies
# to this list.


@ -0,0 +1,32 @@
---
# tasks file for docker-distribution
- name: install docker-distribution
action: "{{ ansible_pkg_mgr }} name=docker-distribution state=installed"
- name: start and enable docker-distribution
service: name=docker-distribution state=started enabled=yes
- name: configure docker-distribution
template:
src: config.yml.j2
dest: "{{ conf_path }}"
- name: ensure docker certs dir exists
file:
path: "{{ cert_dir }}"
state: directory
when: tls.enabled == True
- name: install tls cert for docker
copy:
src: "{{ private }}/{{ cert.private_path }}/{{ cert.src_name }}"
dest: "{{ cert.dir }}/{{ cert.dest_name }}"
when: tls.enabled == True
- name: install tls key for docker
copy:
src: "{{ private }}/{{ cert.private_path}}/{{ cert.src_key_name }}"
dest: "{{ cert.dir}}/{{ cert.dest_key_name }}"
when: tls.enabled == True
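Review bot: The `ensure docker certs dir exists` task references `{{ cert_dir }}`, which is not defined anywhere in the role — the defaults define `cert.dir`, which the two copy tasks below use — so the directory task errors on an undefined variable whenever `tls.enabled` is true; change it to `path: "{{ cert.dir }}"`. The private key is copied without `owner`, `group` or `mode`, so it lands with whatever the default permissions are; add `mode: "0600"` to the key copy (and `mode: "0644"` to the certificate copy). The service is started before the config and certificate are laid down and there is no handler to restart it, so changes to `config.yml` or the certificate never take effect on an already-running registry; add `notify: restart docker-distribution` to the template and copy tasks and a matching handler in the currently empty handlers file. The `when: tls.enabled == True` comparisons can simply be `when: tls.enabled`.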


@ -0,0 +1,16 @@
version: 0.1
log:
fields:
service: {{ log.fields.service }}
storage:
cache:
layerinfo: {{ storage.cache.layerinfo }}
filesystem:
rootdirectory: {{ storage.filesystem.rootdirectory }}
http:
addr: {{ http.addr }}
tls:
certificate: {{ tls.certificate }}
key: {{ tls.key }}
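Review bot: The `tls:` block is rendered unconditionally, so when `tls.enabled` is false the `PATH_TO_CERT` and `PATH_TO_KEY` placeholders from the role defaults are written into the registry's `http.tls` section; wrap those three lines in `{% if tls.enabled %}` … `{% endif %}` so a non-TLS deployment produces a usable config. The template has no `auth:` section, which means the registry accepts pushes and pulls from anyone who can reach `http.addr`; that may be intended for a dev host, but a comment saying so (or an `auth` stanza driven by a role variable) would make the exposure explicit. The substituted values are unquoted; quoting them, e.g. `addr: "{{ http.addr }}"`, guards against values such as `:5000` or an empty override being mis-parsed.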


@ -0,0 +1,2 @@
---
# vars file for docker-distribution


@ -0,0 +1,76 @@
atomic-reactor
==============
This role obtains
[atomic-reactor](https://github.com/projectatomic/atomic-reactor) docker image
to be used in [OSBS (OpenShift build
service)](https://github.com/projectatomic/osbs-client).
This role is part of
[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for
deploying OpenShift build service. Please refer to that github repository for
[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md)
and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues).
Role Variables
--------------
`atomic_reactor_source` determines the means of obtaining the There are
currently two methods to obtain the image, `pull` and `git`. The `pull` method
simply pulls the image from a given registry. The `git` method builds the image
by running `docker build` on given git repository.
atomic_reactor_source: pull
When `atomic_reactor_source` is set to `pull`, you need to provide
`atomic_reactor_pull` dictionary such as the following:
atomic_reactor_pull:
registry: registry.hub.docker.com
image: slavek/atomic-reactor:latest
When `atomic_reactor_source` is set to `git`, you need to provide
`atomic_reactor_git` dictionary such as the following:
atomic_reactor_git:
# base image source to be pulled (optional)
base_registry: registry.hub.docker.com
base_image: library/fedora:latest
# allow retagging the base image to match FROM in Dockerfile (optional)
base_image_retag: fedora:latest
# Dockerfile source
git_url: https://github.com/projectatomic/atomic-reactor.git
git_branch: master
git_subdir: ""
git_local_path: "{{ ansible_env.HOME }}/atomic-reactor-buildroot"
OSBS expects the build image to be named `buildroot`. This name can be changed
by setting the `atomic_reactor_tag` variable.
atomic_reactor_tag: buildroot
Dependencies
------------
Docker needs to be installed on the remote host.
Example Playbook
----------------
In default configuration the role pulls the image from
[slavek/atomic-reactor](https://hub.docker.com/r/slavek/atomic-reactor/)
repository on docker hub.
- hosts: builders
roles:
- atomic-reactor
License
-------
BSD
Author Information
------------------
Martin Milata &lt;mmilata@redhat.com&gt;


@ -0,0 +1,31 @@
---
# OSBS expects the build image to be named buildroot
atomic_reactor_tag: buildroot
# Method to obtain atomic-reactor image, currently supported are:
# pull - pull the image from a registry
# git - build the image from git repository
# rpm - build the image from the local bundled rpm sources
atomic_reactor_source: rpm
# Configuration for atomic_reactor_source == pull
atomic_reactor_pull:
registry: registry.hub.docker.com
image: slavek/atomic-reactor:latest
# Configuration for atomic_reactor_source == git
atomic_reactor_git:
# base image source
base_registry: registry.hub.docker.com
base_image: library/fedora:latest
# allow retagging the base image to match FROM in Dockerfile
base_image_retag: fedora:latest
# Dockerfile source
git_url: https://github.com/projectatomic/atomic-reactor.git
git_branch: master
git_subdir: ""
git_local_path: "{{ ansible_env.HOME }}/atomic-reactor-buildroot"
atomic_reactor_rpm:
copr: True
buildroot_cmd: atomic-reactor create-build-image --reactor-tarball-path /usr/share/atomic-reactor/atomic-reactor.tar.gz /usr/share/atomic-reactor/images/dockerhost-builder buildroot


@ -0,0 +1,8 @@
[maxamillion-atomic-reactor]
name=Copr repo for atomic-reactor owned by maxamillion
baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/atomic-reactor/fedora-$releasever-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/atomic-reactor/pubkey.gpg
enabled=1
enabled_metadata=1


@ -0,0 +1,3 @@
---
- name: rebuild buildroot
shell: {{ atomic_reactor_rpm.buildroot_cmd }}
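Review bot: `shell: {{ atomic_reactor_rpm.buildroot_cmd }}` starts the value with `{{`, which YAML parses as a flow mapping before Jinja ever sees it, so this handlers file fails to load; quote it as `shell: "{{ atomic_reactor_rpm.buildroot_cmd }}"`. Since the entire command line comes from a variable and is run through a shell, a comment such as `# buildroot_cmd is executed verbatim by a shell; only set it from trusted variable sources` would document the trust assumption.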


@ -0,0 +1,21 @@
---
galaxy_info:
author: Martin Milata
description: Pull or build atomic-reactor docker image to be used in OSBS (OpenShift build service).
company: Red Hat
issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues
license: BSD
min_ansible_version: 1.2
platforms:
- name: EL
versions:
- 7
- name: Fedora
versions:
- 21
- 22
categories:
- cloud
- development
- packaging
dependencies: []


@ -0,0 +1,9 @@
---
- include: source_pull.yml
when: atomic_reactor_source == 'pull'
- include: source_git.yml
when: atomic_reactor_source == 'git'
- include: source_rpm.yml
when: atomic_reactor_source == 'rpm'


@ -0,0 +1,26 @@
---
- name: pull base image
command: docker pull {{ atomic_reactor_git.base_registry }}/{{ atomic_reactor_git.base_image }}
when: atomic_reactor_git.base_image is defined
- name: tag base image
command: docker tag -f {{ atomic_reactor_git.base_registry }}/{{ atomic_reactor_git.base_image }} {{ atomic_reactor_git.base_image_retag }}
when: atomic_reactor_git.base_image_retag is defined
- name: pull git repository with Dockerfile
git:
repo: "{{ atomic_reactor_git.git_url }}"
dest: "{{ atomic_reactor_git.git_local_path }}"
version: "{{ atomic_reactor_git.git_branch }}"
accept_hostkey: yes
register: dockerfile_git_repo
- name: check if atomic-reactor image is present
command: docker inspect {{ atomic_reactor_tag }}
register: image_present
failed_when: image_present.rc != 0 and ('No such image' not in image_present.stderr)
changed_when: image_present.rc != 0
- name: build atomic-reactor image
command: docker build --no-cache=true --tag={{ atomic_reactor_tag }} {{ atomic_reactor_git.git_local_path }}/{{ atomic_reactor_git.git_subdir }}
when: dockerfile_git_repo.changed or image_present.changed
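Review bot: `accept_hostkey: yes` on the git task is a YAML 1.1 truthy value and, for an ssh `git_url`, accepts whatever host key is presented on first contact; write it as `accept_hostkey: true` and add `# first-contact host key is trusted as-is; pre-seed known_hosts when git_url is an ssh URL` so the trust decision is visible. The `check if atomic-reactor image is present` task uses `changed_when: image_present.rc != 0` to mean "image absent", which works but reads as a state change; a one-line comment saying that `changed` here drives the rebuild below would help the next reader.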


@ -0,0 +1,8 @@
---
- name: pull atomic-reactor image
command: docker pull {{ atomic_reactor_pull.registry }}/{{ atomic_reactor_pull.image }}
register: pull_image
- name: tag atomic-reactor image
command: docker tag -f {{ atomic_reactor_pull.registry }}/{{ atomic_reactor_pull.image }} {{ atomic_reactor_tag }}
when: pull_image.changed


@ -0,0 +1,11 @@
---
- name: setup COPR repository for atomic-reactor builds
copy:
src: maxamillion-atomic-reactor-fedora.repo
dest: /etc/yum.repos.d/maxamillion-atomic-reactor-fedora.repo
when: atomic_reactor_rpm.copr == True
- name: install atomic-reactor package locally
action: "{{ ansible_pkg_mgr }} name=atomic-reactor state=latest"
notify:
- rebuild buildroot


@ -0,0 +1,32 @@
---
# defaults file for osbs-client
#
# config file path
osbs_client_conf_path: /etc/osbs.conf
# Settings for the [general] section of the osbs.conf file
general:
verbose: 1
build_json_dir: /usr/share/osbs/
openshift_required_version: 1.0.8
# Settings for the [default] section of the osbs.conf file
default:
openshift_url: https://osbs.localdomain:8443/
koji_root: http://koji.fedoraproject.org/koji
koji_hub: http://koji.fedoraproject.org/kojihub
sources_command: fedpkg sources
build_type: prod
registry_uri: https://osbs.localdomain:5000/v2
source_registry_uri: https://osbs.localdomain:5000/v2
authoritative_registry: registry.example.com
vendor: Fedora Project
build_host: osbs.localdomain
verify_ssl: false
use_auth: false
builder_use_auth: true
distribution_scope: private
registry_api_versions: v2
builder_openshift_url: https://172.17.0.1:8443/
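Review bot: The shipped defaults set `verify_ssl: false` and `use_auth: false`, and the playbook in this commit does not override either, so osbs-client will talk to OpenShift without certificate verification or authentication unless an inventory changes them; at minimum add `# dev defaults: TLS verification and auth are off; set verify_ssl: true and use_auth: true outside development` above them. `openshift_url`, `registry_uri` and `source_registry_uri` default to the placeholder host `osbs.localdomain`, so any deployment that fails to override the `default` dictionary (see the dotted role parameters in the playbook) silently gets these values. `builder_openshift_url: https://172.17.0.1:8443/` encodes a docker-bridge address assumption that deserves a comment.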


@ -0,0 +1,9 @@
---
# tasks file for osbs-client
- name: install osbs-client package
action: "{{ ansible_pkg_mgr }} name=osbs-client state=installed"
- name: apply osbs-client templated config
template: src=osbs.conf.j3 dest={{ osbs_client_conf_path }}
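Review bot: The template task references `src=osbs.conf.j3`; the template added in this commit renders the osbs.conf sections and role templates conventionally carry the `.j2` suffix, so unless a file literally named `osbs.conf.j3` exists under `templates/` this task fails with a missing-source error — change it to `src=osbs.conf.j2`. The rendered config is written with default permissions; if `osbs.conf` ever carries tokens, pass `mode=0640` here as well.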


@ -0,0 +1,22 @@
[general]
verbose= {{ general.verbose }}
build_json_dir = {{ general.build_json_dir }}
openshift_required_version = {{ general.openshift_required_version }}
[default]
openshift_url = {{ default.openshift_url }}
koji_root = {{ default.koji_root }}
koji_hub = {{ default.koji_hub }}
sources_command = {{ default.sources_command }}
build_type = {{ default.build_type }}
registry_uri = {{ default.registry_uri }}
source_registry_uri = {{ default.source_registry_uri }}
authoritative_registry = {{ default.authoritative_registry }}
vendor = {{ default.vendor }}
build_host = {{ default.build_host }}
verify_ssl = {{ default.verify_ssl }}
use_auth = {{ default.use_auth }}
builder_use_auth = {{ default.builder_use_auth }}
distribution_scope = {{ default.distribution_scope }}
registry_api_versions = {{ default.registry_api_versions }}
builder_openshift_url = {{ default.builder_use_auth }}
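Review bot: The last line renders `builder_openshift_url = {{ default.builder_use_auth }}`, i.e. the boolean `builder_use_auth` instead of the URL, so the builder's OpenShift URL becomes `true`; change it to `builder_openshift_url = {{ default.builder_openshift_url }}`. `verbose= {{ general.verbose }}` also has inconsistent spacing around `=` compared with every other key in the file.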


@ -0,0 +1,6 @@
---
# set hostname of the machine
#hostname: example.org
# set to false if you don't use firewalld or do not want the playbook to modify it
osbs_manage_firewalld: true


@ -0,0 +1,37 @@
---
- name: set hostname
hostname: name={{ hostname }}
when: hostname is defined
- name: install basic packages
action: "{{ ansible_pkg_mgr }} name={{ item }} state=installed"
with_items:
- vim
- tmux
- wget
- git
- net-tools
- tree
- name: install yum-utils when using yum
yum: name=yum-utils state=installed
when: ansible_pkg_mgr == "yum"
- name: enable rhel7 repos
command: yum-config-manager --enable {{ item }}
with_items:
- rhel-7-server-optional-rpms
- rhel-7-server-extras-rpms
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7'
- name: enable epel7
yum: name={{ epel7_url }} state=installed
when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7'
- name: install firewalld
action: "{{ ansible_pkg_mgr }} name=firewalld state=installed"
when: osbs_manage_firewalld
- name: enable firewalld
service: name=firewalld state=started enabled=yes
when: osbs_manage_firewalld
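Review bot: The `enable epel7` task installs `epel-release` straight from `{{ epel7_url }}`, which the vars file in this commit sets to a plain `http://` URL pinned to `epel-release-7-5`; installing a package by URL with the yum module does not go through a repository's `gpgcheck`, so the download is neither transport- nor signature-protected, and the pin breaks as soon as EPEL publishes a newer `epel-release`. Prefer `https://`, and either install `epel-release` from a configured repository or fetch the RPM with `get_url` plus a `checksum:` first. The `enable rhel7 repos` task runs `yum-config-manager --enable` via `command`, which reports changed on every run; a `changed_when` would keep the play idempotent.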


@ -0,0 +1,2 @@
---
epel7_url: http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm


@ -0,0 +1,58 @@
install-openshift
=================
Installs OpenShift v3 from various sources. Currently supports installing RPM
from COPR and building and installing the RPM from source code.
This role is part of
[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for
deploying OpenShift build service. Please refer to that github repository for
[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md)
and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues).
Role Variables
--------------
You need to specify which method of installation you want to use. Valid options
are `copr` (default) and `source`.
install_openshift_method: copr
You must specify particular version that should be installed from the COPR.
Can be in either `version` or `version-release` format.
install_openshift_copr_version: 1.0.5
When building from source, you need to specify the version of the built package.
install_openshift_source_version: 1.0.5
Git commit to build packages from.
install_openshift_source_commit: c66613fded194b10ce4e4e1c473fbfc0a511405b
File name of the tarball to be downloaded from github.
install_openshift_source_archive: openshift-{{ install_openshift_source_commit }}.tar.gz
Directory for rpmbuild.
install_openshift_source_rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild"
Example Playbook
----------------
- hosts: builders
roles:
- role: install-openshift
install_openshift_method: copr
License
-------
BSD
Author Information
------------------
Martin Milata &lt;mmilata@redhat.com&gt;


@ -0,0 +1,26 @@
---
# methods: copr, source
install_openshift_method: copr
# copr-specific variables
# specify particular version that should be installed from copr
# can be either VERSION or VERSION-RELEASE
install_openshift_copr_version: 1.0.8
# variables for source build
# version of the built package
install_openshift_source_version: 1.0.5
# git commit to build package from
install_openshift_source_commit: c66613fded194b10ce4e4e1c473fbfc0a511405b
# name of the tarball to download from github
install_openshift_source_archive: openshift-{{ install_openshift_source_commit }}.tar.gz
# rpmbuild directory
install_openshift_source_rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild"
# update package from copr to the latest version?
osbs_update_packages: false


@ -0,0 +1 @@
{install_date: 'Thu Jan 7 17:30:46 2016', version: master}


@ -0,0 +1,21 @@
---
galaxy_info:
author: Martin Milata
description: Install OpenShift v3 from various sources
company: Red Hat
issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues
license: BSD
min_ansible_version: 1.2
platforms:
- name: EL
versions:
- 7
- name: Fedora
versions:
- 21
- 22
categories:
- cloud
- development
- packaging
dependencies: []


@ -0,0 +1,6 @@
---
- include: method_copr.yml
when: install_openshift_method == 'copr'
- include: method_source.yml
when: install_openshift_method == 'source'


@ -0,0 +1,11 @@
---
- name: setup repository
template:
src: maxamillion-fedora-openshift.repo.j2
dest: /etc/yum.repos.d/maxamillion-fedora-openshift.repo
- name: install openshift
action: "{{ ansible_pkg_mgr }} name={{ item }} state={{ osbs_update_packages | ternary('latest', 'present') }}"
with_items:
- origin-master
- origin-node
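Review bot: `install_openshift_copr_version` is documented in the role defaults as the version to install from COPR, but the `install openshift` task here installs `origin-master` and `origin-node` with `state=present` or `state=latest` and never references it, so the pin has no effect; either use it, e.g. `name={{ item }}-{{ install_openshift_copr_version }}`, or drop the variable and its README text. The repo template sets `gpgcheck=1` and a `gpgkey`, which is good; a comment on the `setup repository` task noting that the COPR signing key is the trust anchor for these packages would document the chain.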


@ -0,0 +1,58 @@
---
- name: install build packages
action: "{{ ansible_pkg_mgr }} name={{ item }} state=installed"
with_items:
- rpm-build
- rpmdevtools
- name: install build packages
yum: name=yum-utils state=installed
when: ansible_pkg_mgr == "yum"
- name: delete rpmbuild directories
file: path={{ install_openshift_source_rpmbuild_dir }}/{{ item }}/ state=absent
with_items:
- RPMS
- SRPMS
- BUILD
- BUILDROOT
- name: create rpmbuild directories
file: path={{ install_openshift_source_rpmbuild_dir }}/{{ item }}/ state=directory recurse=yes
with_items:
- SPECS
- SOURCES
- name: upload SPEC
template: src=openshift.spec.j2 dest={{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec
- name: install build dependencies
command: yum-builddep -y {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec
when: ansible_pkg_mgr == "yum"
- name: install build dependencies
command: dnf builddep -y {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec
when: ansible_pkg_mgr == "dnf"
- name: download openshift tarball
get_url:
url: https://github.com/openshift/origin/archive/{{ install_openshift_source_commit }}/{{ install_openshift_source_archive }}
dest: "{{ install_openshift_source_rpmbuild_dir }}/SOURCES/{{ install_openshift_source_archive }}"
- name: run build
command: rpmbuild -bb --clean {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec
- name: find the RPMs
command: find {{ install_openshift_source_rpmbuild_dir }}/RPMS/ -type f
register: find_rpms
- name: install the RPMs
shell: yum -y localinstall {{ install_openshift_source_rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm
when: ansible_pkg_mgr == "yum"
- name: install the RPMs
shell: dnf -y install {{ install_openshift_source_rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm
when: ansible_pkg_mgr == "dnf"
- name: link /etc/openshift to /etc/origin
file: path=/etc/openshift src=/etc/origin state=link
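Review bot: The `download openshift tarball` task fetches the source archive with `get_url` but no `checksum:`, so the build trusts whatever the network returns for that commit; add `checksum: "sha256:<ARCHIVE_SHA256_PLACEHOLDER>"` next to the pinned commit. Two tasks share the name `install build packages`, two share `install build dependencies` and two share `install the RPMs`, which makes play output ambiguous; suffix them with the package manager they apply to. `find_rpms` is registered but never used, and the `rpmbuild -bb` step runs as whatever user Ansible connects as, typically root, which rpmbuild discourages — consider `become_user` for the build step.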


@ -0,0 +1,8 @@
[maxamillion-fedora-openshift]
name=Copr repo for fedora-openshift owned by maxamillion
baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/{{ (ansible_distribution == "Fedora") | ternary("fedora", "epel") }}-{{ ansible_distribution_major_version }}-$basearch/
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/pubkey.gpg
enabled=1


@ -0,0 +1,337 @@
#debuginfo not supported with Go
%global debug_package %{nil}
%global gopath %{_datadir}/gocode
%global import_path github.com/openshift/origin
%global kube_plugin_path /usr/libexec/kubernetes/kubelet-plugins/net/exec/redhat~openshift-ovs-subnet
%global sdn_import_path github.com/openshift/openshift-sdn
# docker_version is the version of docker requires by packages
%global docker_verison 1.6.2
# tuned_version is the version of tuned requires by packages
%global tuned_version 2.3
# openvswitch_version is the version of openvswitch requires by packages
%global openvswitch_version 2.3.1
# %commit and %ldflags are intended to be set by tito custom builders provided
# in the rel-eng directory. The values in this spec file will not be kept up to date.
%{!?commit:
%global commit {{ openshift_commit }}
}
%global shortcommit %(c=%{commit}; echo ${c:0:7})
# OpenShift specific ldflags from hack/common.sh os::build:ldflags
%{!?ldflags:
%global ldflags -X github.com/openshift/origin/pkg/version.majorFromGit 1 -X github.com/openshift/origin/pkg/version.minorFromGit 0+ -X github.com/openshift/origin/pkg/version.versionFromGit v1.0.4-366-gc66613f-dirty -X github.com/openshift/origin/pkg/version.commitFromGit {{ openshift_commit | truncate(7, True, '') }} -X k8s.io/kubernetes/pkg/version.gitCommit 44c91b1 -X k8s.io/kubernetes/pkg/version.gitVersion v1.1.0-alpha.0-1605-g44c91b1
}
Name: openshift
# Version is not kept up to date and is intended to be set by tito custom
# builders provided in the rel-eng directory of this project
Version: {{ openshift_version }}
Release: 0%{?dist}
Summary: Open Source Platform as a Service by Red Hat
License: ASL 2.0
URL: https://%{import_path}
ExclusiveArch: x86_64
Source0: https://%{import_path}/archive/%{commit}/%{name}-%{commit}.tar.gz
BuildRequires: systemd
BuildRequires: golang >= 1.4
%description
%{summary}
%package master
Summary: OpenShift Master
Requires: %{name} = %{version}-%{release}
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description master
%{summary}
%package node
Summary: OpenShift Node
Requires: %{name} = %{version}-%{release}
Requires: docker-io >= %{docker_version}
Requires: tuned-profiles-%{name}-node
Requires: util-linux
Requires: socat
Requires: nfs-utils
Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
%description node
%{summary}
%package -n tuned-profiles-%{name}-node
Summary: Tuned profiles for OpenShift Node hosts
Requires: tuned >= %{tuned_version}
Requires: %{name} = %{version}-%{release}
%description -n tuned-profiles-%{name}-node
%{summary}
%package clients
Summary: Openshift Client binaries for Linux, Mac OSX, and Windows
BuildRequires: golang-pkg-darwin-amd64
BuildRequires: golang-pkg-windows-386
%description clients
%{summary}
%package dockerregistry
Summary: Docker Registry v2 for OpenShift
Requires: %{name} = %{version}-%{release}
%description dockerregistry
%{summary}
%package pod
Summary: OpenShift Pod
Requires: %{name} = %{version}-%{release}
%description pod
%{summary}
%prep
%setup -qn origin-%{commit}
%build
# Don't judge me for this ... it's so bad.
mkdir _build
# Horrid hack because golang loves to just bundle everything
pushd _build
mkdir -p src/github.com/openshift
ln -s $(dirs +1 -l) src/%{import_path}
popd
# Gaming the GOPATH to include the third party bundled libs at build
# time. This is bad and I feel bad.
mkdir _thirdpartyhacks
pushd _thirdpartyhacks
ln -s \
$(dirs +1 -l)/Godeps/_workspace/src/ \
src
popd
export GOPATH=$(pwd)/_build:$(pwd)/_thirdpartyhacks:%{buildroot}%{gopath}:%{gopath}
# Build all linux components we care about
for cmd in openshift dockerregistry
do
go install -ldflags "%{ldflags}" %{import_path}/cmd/${cmd}
done
# Build only 'openshift' for other platforms
GOOS=windows GOARCH=386 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift
GOOS=darwin GOARCH=amd64 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift
#Build our pod
pushd images/pod/
go build -ldflags "%{ldflags}" pod.go
popd
%install
install -d %{buildroot}%{_bindir}
# Install linux components
for bin in openshift dockerregistry
do
echo "+++ INSTALLING ${bin}"
install -p -m 755 _build/bin/${bin} %{buildroot}%{_bindir}/${bin}
done
# Install 'openshift' as client executable for windows and mac
for pkgname in openshift
do
install -d %{buildroot}%{_datadir}/${pkgname}/{linux,macosx,windows}
install -p -m 755 _build/bin/openshift %{buildroot}%{_datadir}/${pkgname}/linux/oc
install -p -m 755 _build/bin/darwin_amd64/openshift %{buildroot}%{_datadir}/${pkgname}/macosx/oc
install -p -m 755 _build/bin/windows_386/openshift.exe %{buildroot}%{_datadir}/${pkgname}/windows/oc.exe
done
#Install openshift pod
install -p -m 755 images/pod/pod %{buildroot}%{_bindir}/
install -d -m 0755 %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{_sysconfdir}/sysconfig
for cmd in oc oadm; do
ln -s %{_bindir}/%{name} %{buildroot}%{_bindir}/$cmd
done
ln -s %{_bindir}/%{name} %{buildroot}%{_bindir}/kubectl
install -d -m 0755 %{buildroot}%{_sysconfdir}/origin/{master,node}
for pkgname in openshift
do
install -m 0644 rel-eng/${pkgname}-master.service %{buildroot}%{_unitdir}/${pkgname}-master.service
install -m 0644 rel-eng/${pkgname}-node.service %{buildroot}%{_unitdir}/${pkgname}-node.service
install -m 0644 rel-eng/${pkgname}-master.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/${pkgname}-master
install -m 0644 rel-eng/${pkgname}-node.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/${pkgname}-node
install -d -m 0755 %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-{guest,host}
install -m 0644 tuned/%{name}-node-guest/tuned.conf %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-guest/tuned.conf
install -m 0644 tuned/%{name}-node-host/tuned.conf %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-host/tuned.conf
install -d -m 0755 %{buildroot}%{_mandir}/man7
install -m 0644 tuned/man/tuned-profiles-%{name}-node.7 %{buildroot}%{_mandir}/man7/tuned-profiles-${pkgname}-node.7
done
mkdir -p %{buildroot}%{_sharedstatedir}/%{name}
mkdir -p %{buildroot}%{_sharedstatedir}/origin
# Install bash completions
install -d -m 755 %{buildroot}%{_sysconfdir}/bash_completion.d/
install -p -m 644 rel-eng/completions/bash/* %{buildroot}%{_sysconfdir}/bash_completion.d/
%files
%defattr(-,root,root,-)
%doc README.md LICENSE
%{_bindir}/openshift
%{_bindir}/oc
%{_bindir}/oadm
%{_bindir}/kubectl
%{_sharedstatedir}/%{name}
%{_sysconfdir}/bash_completion.d/*
%dir %config(noreplace) %{_sysconfdir}/origin
%pre
# If /etc/openshift exists symlink it to /etc/origin
if [ -d "%{_sysconfdir}/openshift" ]; then
ln -s %{_sysconfdir}/openshift %{_sysconfdir}/origin
fi
%files master
%defattr(-,root,root,-)
%{_unitdir}/%{name}-master.service
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-master
%config(noreplace) /etc/origin/master
%post master
%systemd_post %{basename:openshift-master.service}
%preun master
%systemd_preun %{basename:openshift-master.service}
%postun master
%systemd_postun
%files node
%defattr(-,root,root,-)
%{_unitdir}/%{name}-node.service
%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-node
%config(noreplace) /etc/origin/node
%post node
%systemd_post %{basename:openshift-node.service}
%preun node
%systemd_preun %{basename:openshift-node.service}
%postun node
%systemd_postun
%files -n tuned-profiles-openshift-node
%defattr(-,root,root,-)
%{_prefix}/lib/tuned/openshift-node-host
%{_prefix}/lib/tuned/openshift-node-guest
%{_mandir}/man7/tuned-profiles-openshift-node.7*
%post -n tuned-profiles-openshift-node
recommended=`/usr/sbin/tuned-adm recommend`
if [[ "${recommended}" =~ guest ]] ; then
/usr/sbin/tuned-adm profile openshift-node-guest > /dev/null 2>&1
else
/usr/sbin/tuned-adm profile openshift-node-host > /dev/null 2>&1
fi
%preun -n tuned-profiles-openshift-node
# reset the tuned profile to the recommended profile
# $1 = 0 when we're being removed > 0 during upgrades
if [ "$1" = 0 ]; then
recommended=`/usr/sbin/tuned-adm recommend`
/usr/sbin/tuned-adm profile $recommended > /dev/null 2>&1
fi
%files clients
%{_datadir}/%{name}/linux/oc
%{_datadir}/%{name}/macosx/oc
%{_datadir}/%{name}/windows/oc.exe
%files dockerregistry
%defattr(-,root,root,-)
%{_bindir}/dockerregistry
%files pod
%defattr(-,root,root,-)
%{_bindir}/pod
%changelog
* Wed Aug 19 2015 Martin Milata <mmilata@redhat.com> 0.2-9.ansible-osbs
- Modified for ansible-osbs
* Wed Aug 12 2015 Steve Milner <smilner@redhat.com> 0.2-8
- Master configs will be generated if none are found.
- Node configs will be generated if none are found and master is installed.
- All-In-One services removed.
* Wed Aug 12 2015 Steve Milner <smilner@redhat.com> 0.2-7
- Added new ovs script(s) to file lists.
* Wed Aug 5 2015 Steve Milner <smilner@redhat.com> 0.2-6
- Using _unitdir instead of _prefix for unit data
* Fri Jul 31 2015 Steve Milner <smilner@redhat.com> 0.2-5
- Configuration location now /etc/origin
- Default configs created upon installation
* Tue Jul 28 2015 Steve Milner <smilner@redhat.com> 0.2-4
- Added AEP packages
* Mon Jan 26 2015 Scott Dodson <sdodson@redhat.com> 0.2-3
- Update to 21fb40637c4e3507cca1fcab6c4d56b06950a149
- Split packaging of openshift-master and openshift-node
* Mon Jan 19 2015 Scott Dodson <sdodson@redhat.com> 0.2-2
- new package built with tito
* Fri Jan 09 2015 Adam Miller <admiller@redhat.com> - 0.2-2
- Add symlink for osc command line tooling (merged in from jhonce@redhat.com)
* Wed Jan 07 2015 Adam Miller <admiller@redhat.com> - 0.2-1
- Update to latest upstream release
- Restructured some of the golang deps build setup for restructuring done
upstream
* Thu Oct 23 2014 Adam Miller <admiller@redhat.com> - 0-0.0.9.git562842e
- Add new patches from jhonce for systemd units
* Mon Oct 20 2014 Adam Miller <admiller@redhat.com> - 0-0.0.8.git562842e
- Update to latest master snapshot
* Wed Oct 15 2014 Adam Miller <admiller@redhat.com> - 0-0.0.7.git7872f0f
- Update to latest master snapshot
* Fri Oct 03 2014 Adam Miller <admiller@redhat.com> - 0-0.0.6.gite4d4ecf
- Update to latest Alpha nightly build tag 20141003
* Wed Oct 01 2014 Adam Miller <admiller@redhat.com> - 0-0.0.5.git6d9f1a9
- Switch to consistent naming, patch by jhonce
* Tue Sep 30 2014 Adam Miller <admiller@redhat.com> - 0-0.0.4.git6d9f1a9
- Add systemd and sysconfig entries from jhonce
* Tue Sep 23 2014 Adam Miller <admiller@redhat.com> - 0-0.0.3.git6d9f1a9
- Update to latest upstream.
* Mon Sep 15 2014 Adam Miller <admiller@redhat.com> - 0-0.0.2.git2647df5
- Update to latest upstream.
* Thu Aug 14 2014 Adam Miller <admiller@redhat.com> - 0-0.0.1.gitc3839b8
- First package
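Review bot: The macro near the top is spelled `%global docker_verison 1.6.2` while the node subpackage requires `docker-io >= %{docker_version}`, so the version is never defined and that `Requires:` line expands to an invalid dependency; rename it to `%global docker_version 1.6.2`. The `ldflags` fallback hardcodes `versionFromGit v1.0.4-366-gc66613f-dirty` and derives `commitFromGit` from `openshift_commit` while `Version:` comes from `openshift_version`, so the binaries' reported version will not match the package unless both template variables are kept in step — a comment above `%{!?ldflags:` saying so would help. The `%pre` scriptlet links `/etc/origin` to an existing `/etc/openshift`, while method_source.yml afterwards links `/etc/openshift` to `/etc/origin`; on a host that already had `/etc/openshift` these two steps may conflict, which is worth a guard or at least a comment.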

roles/osbs-master/README.md Normal file

@ -0,0 +1,147 @@
osbs-master
===========
Main role for deploying OSBS - [OpenShift build
service](https://github.com/projectatomic/osbs-client/), service for building
layered Docker images.
It performs the necessary configuration of Docker and OpenShift and optionally
opens/closes OpenShift firewall port. It also generates self-signed certificate
that can be used by reverse proxy placed in front of the builder.
This role is part of
[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for
deploying OpenShift build service. Please refer to that github repository for
[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md)
and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues).
Role Variables
--------------
You may need to configure Docker to connect to registries over plain HTTP, or
HTTPS with self-signed certificate (especially when developing OSBS). You can
provide list of such registries in `osbs_docker_insecure_registries` (empty by
default).
osbs_docker_insecure_registries: []
Expose the OpenShift port to the outside world? Set this to `false` when using
authenticating proxy on the localhost. Has no effect if `osbs_manage_firewalld`
is `false`.
osbs_master_expose_port: true
Set to false if you don't use firewalld or do not want the playbook to modify
it.
osbs_manage_firewalld: true
If you are using authenticating proxy, this role can generate a self-signed certificate that the proxy can use to authenticate itself to OpenShift. The proxy needs the certificate and the key concatenated in one file (`osbs_proxy_cert_file`). OpenShift needs to know the CA of the certificate, which is configured in `osbs_proxy_ca_file` and which is the same as the certificate because it is self-signed.
osbs_proxy_cert_file: /etc/origin/proxy_selfsigned.crt
osbs_proxy_key_file: /etc/origin/proxy_selfsigned.key
osbs_proxy_certkey_file: /etc/httpd/openshift_proxy_certkey.crt
osbs_proxy_ca_file: /etc/origin/proxy_selfsigned.crt
OpenShift authorization policy - which users should be assigned the view
(read-only), osbs-builder (read-write), and cluster-admin (admin) roles. In
default configuration, everyone has read/write access. The authentication is
handled by the proxy - if you are not using it the everyone connecting from the
outside belongs to the `system:unauthenticated` group.
Default setup:
osbs_readonly_users: []
osbs_readonly_groups: []
osbs_readwrite_users: []
osbs_readwrite_groups:
- system:authenticated
- system:unauthenticated
osbs_admin_users: []
osbs_admin_groups: []
Development with authenticating proxy:
osbs_readonly_users: []
osbs_readonly_groups: []
osbs_readwrite_users: []
osbs_readwrite_groups:
- system:authenticated
osbs_admin_users: []
osbs_admin_groups: []
Example production configuration with only one user starting the builds:
osbs_readonly_users: []
osbs_readonly_groups:
- system:authenticated
osbs_readwrite_groups: []
osbs_readwrite_users:
- kojibuilder
osbs_admin_users:
- foo@EXAMPLE.COM
- bar@EXAMPLE.COM
osbs_admin_groups: []
Limit on the number of running pods.
osbs_master_max_pods: 3
Dependencies
------------
OpenShift is expected to be installed on the remote host. This can by
accomplished by the
[install-openshift](https://github.com/projectatomic/ansible-role-install-openshift)
role.
Example Playbook
----------------
Simple development deployment:
- hosts: builders
roles:
- install-openshift
- osbs-master
- atomic-reactor
Deployment behind authentication proxy that only allows the *kojibuilder* user
to start builds (and everyone to view them). Set docker to trust registry on
localhost:5000 even though it uses HTTP.
- hosts: builders
roles:
- install-openshift
- role: osbs-master
osbs_master_expose_port: false
osbs_docker_insecure_registries: [172.42.17.1:5000]
osbs_readonly_users: []
osbs_readonly_groups:
- system:authenticated
- system:unauthenticated
osbs_readwrite_groups: []
osbs_readwrite_users:
- kojibuilder
osbs_admin_users: []
osbs_admin_groups: []
- atomic-reactor
- role: osbs-proxy
osbs_proxy_type: kerberos
osbs_proxy_kerberos_keytab_file: /etc/HTTP-FQDN.EXAMPLE.COM.keytab
osbs_proxy_kerberos_realm: EXAMPLE.COM
osbs_proxy_ssl_cert_file: /etc/fqdn.example.com.crt
osbs_proxy_ssl_key_file: /etc/fqdn.example.com.key
osbs_proxy_ip_whitelist:
- subnet: 192.168.66.0/24
user: kojibuilder
License
-------
BSD
Author Information
------------------
Martin Milata &lt;mmilata@redhat.com&gt;

@ -0,0 +1,71 @@
---
# docker needs to know which registries are insecure
osbs_docker_insecure_registries: []
# Expose the OpenShift port to the outside world? Set this to false when using
# authenticating proxy on the localhost. Has no effect if osbs_manage_firewalld
# is false.
osbs_master_expose_port: true
# set to false if you don't use firewalld or do not want the playbook to modify it
osbs_manage_firewalld: true
# these will be generated for proxy so it can authenticate itself
osbs_proxy_cert_file: /etc/origin/proxy_selfsigned.crt
osbs_proxy_key_file: /etc/origin/proxy_selfsigned.key
osbs_proxy_certkey_file: /etc/origin/proxy_certkey.crt
# CA cert to validate the proxy certificate against
osbs_proxy_ca_file: /etc/origin/proxy_selfsigned.crt
# openshift authorization - which users should be assigned the view (readonly),
# osbs-builder (readwrite), and cluster-admin (admin) roles
# in default configuration, everyone has read/write access
osbs_readonly_users: []
osbs_readonly_groups: []
osbs_readwrite_users: []
osbs_readwrite_groups:
- system:authenticated
- system:unauthenticated
osbs_admin_users: []
osbs_admin_groups: []
## development w/ auth proxy:
#osbs_readonly_users: []
#osbs_readonly_groups: []
#osbs_readwrite_users: []
#osbs_readwrite_groups:
# - system:authenticated
#osbs_admin_users: []
#osbs_admin_groups: []
## example production configuration:
#osbs_readonly_users: []
#osbs_readonly_groups:
# - system:authenticated
#osbs_readwrite_groups: []
#osbs_readwrite_users:
# - kojibuilder
# - "{{ ansible_hostname }}"
# - system:serviceaccount:default:default
#osbs_admin_users:
# - foo@EXAMPLE.COM
# - bar@EXAMPLE.COM
#osbs_admin_groups: []
# limit on the number of running pods
osbs_master_max_pods: 3
# update packagages to their latest version?
osbs_update_packages: false
# directory for exporting v1 images to koji
# if not defined, nothing will happen
#osbs_export_dir: /mnt/image-export
# mount the image export directory
#osbs_export_mount_src: /dev/vda1
#osbs_export_mount_fs: ext4
# configure httpd to publish the directory under following path of default vhost
#osbs_export_http_path: /image-export
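Review bot: The shipped `osbs_readwrite_groups` default binds `system:unauthenticated` to the osbs-builder role while `osbs_master_expose_port` and `osbs_manage_firewalld` are both true, so an unmodified run opens 8443 to the network and grants read/write (custom builds, `pods/exec`, secrets, per the role definition in this commit) to anyone who can connect; if the calling playbook does not override these, the host inherits them. A safer default is `osbs_readwrite_groups: [system:authenticated]` with the unauthenticated entry left as an explicit opt-in, and the comment above the block should carry the warning: `# WARNING: adding system:unauthenticated here lets any network client start builds and read namespace secrets when the port is exposed`. Separately, the default `osbs_proxy_certkey_file: /etc/origin/proxy_certkey.crt` disagrees with the README in this commit, which documents `/etc/httpd/openshift_proxy_certkey.crt`; one of them should change.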

@ -0,0 +1,36 @@
apiVersion: v1
kind: ClusterRole
metadata:
name: osbs-builder
rules:
- attributeRestrictions: null
resources:
- builds/custom
- pods/exec
- pods/portforward
- pods/proxy
- resourcegroup:exposedkube
- resourcegroup:exposedopenshift
- secrets
verbs:
- create
- delete
- get
- list
- update
- watch
- attributeRestrictions: null
resources:
- resourcegroup:allkube
- resourcegroup:allkube-status
- resourcegroup:allopenshift-status
verbs:
- get
- list
- watch
- attributeRestrictions: null
resources:
- imagestreams/layers
verbs:
- get
- update
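Review bot: The first rule grants create/delete/get/list/update on `secrets` alongside `pods/exec` and `builds/custom`, which together let any subject bound to osbs-builder read every secret in the bound namespace (registry push credentials and, presumably, service-account tokens) and exec into running build pods; with the defaults this commit ships, that subject set includes `system:unauthenticated`. If builds only need to reference existing secrets, move `secrets` to the read-only rule below, or keep write access but add a comment above the rule recording why it is required: `# secrets: create/update needed for per-build push secrets — confirm before widening subjects`. Whether OSBS truly needs write access to secrets is not visible from this commit, so treat the narrowing as something to verify rather than apply blindly.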

@ -0,0 +1,9 @@
OPTIONS="--loglevel=3"
CONFIG_FILE=/etc/origin/master/master-config.yaml
# Proxy configuration
# Origin uses standard HTTP_PROXY environment variables. Be sure to set
# NO_PROXY for your master
#NO_PROXY=master.example.com
#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT

@ -0,0 +1,22 @@
OPTIONS="--loglevel=3"
# /etc/origin/node/ should contain the entire contents of
# /var/lib/origin.local.certificates/node-${node-fqdn} generated by
# running 'atomic-enterprise admin create-node-config' on your master
#
# If if your node is running on a separate host you can rsync the contents
# rsync -a root@atomic-enterprise-master:/var/lib/origin/origin.local.certificates/node-`hostname`/ /etc/origin/node
CONFIG_FILE=/etc/origin/node/node-config.yaml
# The $DOCKER_NETWORK_OPTIONS variable is used by sdn plugins to set
# $DOCKER_NETWORK_OPTIONS variable in the /etc/sysconfig/docker-network
# Most plugins include their own defaults within the scripts
# TODO: More elegant solution like this
# https://github.com/coreos/flannel/blob/master/dist/mk-docker-opts.sh
# DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'
# Proxy configuration
# Origin uses standard HTTP_PROXY environment variables. Be sure to set
# NO_PROXY for your master
#NO_PROXY=master.example.com
#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT

@ -0,0 +1,12 @@
---
- name: restart docker
service: name=docker state=restarted
- name: restart openshift-master
service: name=origin-master state=restarted
- name: restart openshift-node
service: name=origin-node state=restarted
- name: restart httpd
service: name=httpd state=restarted

@ -0,0 +1 @@
{install_date: 'Thu Jan 7 17:30:46 2016', version: master}

@ -0,0 +1,21 @@
---
galaxy_info:
author: Martin Milata
description: OpenShift build service - builder of layered Docker images
company: Red Hat
issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues
license: BSD
min_ansible_version: 1.9
platforms:
- name: EL
versions:
- 7
- name: Fedora
versions:
- 21
- 22
categories:
- cloud
- development
- packaging
dependencies: []

@ -0,0 +1,45 @@
---
- name: mount the export directory
mount:
name: "{{ osbs_export_dir }}"
src: "{{ osbs_export_mount_src }}"
fstype: "{{ osbs_export_mount_fs }}"
state: mounted
when: osbs_export_mount_src is defined
- name: set owner of the image export directory
file:
path: "{{ osbs_export_dir }}"
state: directory
owner: apache
group: apache
when: osbs_export_http_path is defined
- name: configure selinux labels for image export directory
command: semanage fcontext --add --type httpd_sys_content_t "{{ osbs_export_dir }}(/.*)?"
when: osbs_export_http_path is defined
- name: restore selinux labels for image export directory
file:
path: "{{ osbs_export_dir }}"
state: directory
setype: httpd_sys_content_t
recurse: yes
when: osbs_export_http_path is defined
- name: export the mount directory via http
template: src=httpd-osbs_image_export.conf.j2 dest={{ osbs_export_http_conf }}
notify:
- restart httpd
when: osbs_export_http_path is defined
- name: open http ports
firewalld:
service: "{{ item }}"
state: enabled
permanent: true
immediate: true
with_items:
- http
- https
when: osbs_export_http_path is defined and osbs_manage_firewalld
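Review bot: The `semanage fcontext --add` task is not idempotent — on the second run semanage exits non-zero because the mapping already exists and the play fails; fall back to modify on failure, e.g. `shell: semanage fcontext --add --type httpd_sys_content_t "{{ osbs_export_dir }}(/.*)?" || semanage fcontext --modify --type httpd_sys_content_t "{{ osbs_export_dir }}(/.*)?"` with `changed_when: false`. The `owner: apache` task chowns only the top directory (no `recurse`), so files dropped in by atomic-reactor over the NFS share may be unreadable to httpd — hedged, since the NFS-side ownership is not visible here. Opening http and https in firewalld publishes the export to every network the host is on, and the vhost template in this commit grants access to all clients, so the two should be reviewed together.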

@ -0,0 +1,115 @@
---
### docker service ###
- name: install packages required by osbs
action: "{{ ansible_pkg_mgr }} name=docker state={{ osbs_update_packages | ternary('latest', 'present') }}"
- name: configure docker
template: src=sysconfig-docker.j2 dest=/etc/sysconfig/docker backup=yes
notify: restart docker
- name: ensure docker is running
service: name=docker state=started enabled=yes
### openshift service ###
- name: open/close openshift port in the firewall
firewalld:
port: "{{ osbs_openshift_port }}/tcp"
state: "{{ osbs_master_expose_port | ternary('enabled', 'disabled') }}"
permanent: true
immediate: true
when: osbs_manage_firewalld
- name: apply modifications to /etc/sysconfig/origin
copy: src=sysconfig-origin-{{ item }} dest=/etc/sysconfig/origin-{{ item }}
with_items:
- master
- node
- name: configure openshift master
template: src=master-config.yaml.j2 dest=/etc/origin/master/master-config.yaml
notify: restart openshift-master
- name: configure openshift node
template: src=node-config.yaml.j2 dest=/etc/origin/node/node-config.yaml
notify: restart openshift-node
- name: generate cert for authenticating proxy - self-signed certificate
command: >
openssl req -new -nodes -x509
-subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}"
-days 3650
-keyout {{ osbs_proxy_key_file }}
-out {{ osbs_proxy_cert_file }}
-extensions v3_ca
args:
creates: "{{ osbs_proxy_cert_file }}"
register: auth_proxy_cert
- name: generate cert for authenticating proxy - convert privkey to rsa
command: openssl rsa -in {{ osbs_proxy_key_file }} -out {{ osbs_proxy_key_file }}
when: auth_proxy_cert.changed
- name: generate cert for authenticating proxy - concatenate cert and key
shell: cat {{ osbs_proxy_cert_file }} {{ osbs_proxy_key_file }} > {{ osbs_proxy_certkey_file }}
# We need to have openshift restarted in order to configure authentication.
- meta: flush_handlers
- name: ensure openshift is running
service: name=origin-{{ item }} state=started enabled=yes
with_items:
- master
- node
- name: wait for openshift to start accepting connections
wait_for: port={{ osbs_openshift_port }} timeout=30
- name: copy osbs-builder role definition
copy: src=openshift-role-osbs-builder.yml dest={{ osbs_openshift_home }}/role-osbs-builder.yml
- name: import the osbs-builder role
command: oc replace --force=true --filename={{ osbs_openshift_home }}/role-osbs-builder.yml
environment: osbs_environment
- name: copy role bindings
template: src=openshift-rolebinding.yml.j2 dest={{ osbs_openshift_home }}/rolebinding-{{ item.name }}.yml
with_items:
- name: osbs-readonly
role: view
users: "{{ osbs_readonly_users }}"
groups: "{{ osbs_readonly_groups }}"
- name: osbs-readwrite
role: osbs-builder
users: "{{ osbs_readwrite_users }}"
groups: "{{ osbs_readwrite_groups }}"
- name: osbs-admin
role: cluster-admin
users: "{{ osbs_admin_users }}"
groups: "{{ osbs_admin_groups }}"
- name: import the role bindings
command: oc replace --force=true --filename={{ osbs_openshift_home }}/rolebinding-{{ item }}.yml
environment: osbs_environment
with_items:
- osbs-readonly
- osbs-readwrite
- osbs-admin
- name: copy resource quotas
template: src=openshift-resourcequota.yml.j2 dest={{ osbs_openshift_home }}/resourcequota.yml
- name: import resource quotas
command: oc replace --force=true --filename={{ osbs_openshift_home }}/resourcequota.yml
environment: osbs_environment
# Useful when using "oc" to inspect openshift state.
- name: add KUBECONFIG to .bashrc
lineinfile:
dest: "{{ ansible_env.HOME }}/.bashrc"
regexp: "export KUBECONFIG="
line: "export KUBECONFIG={{ osbs_environment.KUBECONFIG }}"
- include: export.yml
when: osbs_export_dir is defined
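Review bot: The proxy private key is written with `-nodes` by the `command` module under the default umask and then concatenated into `osbs_proxy_certkey_file` by `shell`, so both files are typically created 0644 (world-readable), and the in-place `openssl rsa -in X -out X` rewrite keeps that mode; anyone who can read the key can present it directly to the master's request_header identity provider (whose `clientCA` is this same self-signed cert) and assert any `X-Remote-User`, including the cluster-admin users. Add a `file` task after the concatenate step that pins owner and mode, and give the concatenate step a `creates:` so it stops rewriting the file on every run. Apache reads the cert/key file before dropping privileges, so root-only 0600 should be sufficient — confirm against the proxy role's actual user.

```yaml
# … unchanged: self-signed cert generation and key conversion …
- name: generate cert for authenticating proxy - concatenate cert and key
  shell: cat {{ osbs_proxy_cert_file }} {{ osbs_proxy_key_file }} > {{ osbs_proxy_certkey_file }}
  args:
    creates: "{{ osbs_proxy_certkey_file }}"
- name: restrict permissions on proxy private key material
  file: path={{ item }} owner=root group=root mode=0600
  with_items:
    - "{{ osbs_proxy_key_file }}"
    - "{{ osbs_proxy_certkey_file }}"
# … unchanged: flush_handlers, openshift start, role/binding/quota import …
```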

@ -0,0 +1,11 @@
# atomic-reactor copies tarballs to this directory (via NFS share) and koji
# downloads it from this place. Garbage collection needs to be done on this
# directory.
Alias "{{ osbs_export_http_path }}" "{{ osbs_export_dir }}"
<Directory "{{ osbs_export_dir }}">
AllowOverride None
Require all granted
Options +Indexes
</Directory>
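Review bot: `Require all granted` combined with `Options +Indexes` publishes a browsable listing of every exported image tarball to anyone who can reach httpd, and the export tasks in this commit open http/https in firewalld; since the header comment says only koji downloads from here, restrict the directory to the koji hub address(es) — e.g. `Require ip {{ osbs_export_allowed_ips | join(' ') }}` with a new role default — or at minimum drop `+Indexes` so filenames must be known in advance. It is also worth a comment that the Alias is served by the default vhost, so unless a TLS vhost is configured the tarballs travel in cleartext with no integrity protection beyond whatever koji verifies.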

@ -0,0 +1,154 @@
apiLevels:
- v1
apiVersion: v1
assetConfig:
extensionDevelopment: false
extensionScripts: null
extensionStylesheets: null
extensions: null
loggingPublicURL: ""
logoutURL: ""
masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
metricsPublicURL: ""
publicURL: https://{{ ansible_default_ipv4.address }}:8443/console/
servingInfo:
bindAddress: 0.0.0.0:8443
bindNetwork: tcp4
certFile: master.server.crt
clientCA: ""
keyFile: master.server.key
maxRequestsInFlight: 0
namedCertificates: null
requestTimeoutSeconds: 0
controllerLeaseTTL: 0
controllers: '*'
corsAllowedOrigins:
- 127.0.0.1
- {{ ansible_default_ipv4.address }}:8443
- localhost
disabledFeatures: null
dnsConfig:
bindAddress: 0.0.0.0:53
bindNetwork: tcp4
etcdClientInfo:
ca: ca.crt
certFile: master.etcd-client.crt
keyFile: master.etcd-client.key
urls:
- https://{{ ansible_default_ipv4.address }}:4001
etcdConfig:
address: {{ ansible_default_ipv4.address }}:4001
peerAddress: {{ ansible_default_ipv4.address }}:7001
peerServingInfo:
bindAddress: 0.0.0.0:7001
bindNetwork: tcp4
certFile: etcd.server.crt
clientCA: ca.crt
keyFile: etcd.server.key
namedCertificates: null
servingInfo:
bindAddress: 0.0.0.0:4001
bindNetwork: tcp4
certFile: etcd.server.crt
clientCA: ca.crt
keyFile: etcd.server.key
namedCertificates: null
storageDirectory: /var/lib/origin/openshift.local.etcd
etcdStorageConfig:
kubernetesStoragePrefix: kubernetes.io
kubernetesStorageVersion: v1
openShiftStoragePrefix: openshift.io
openShiftStorageVersion: v1
imageConfig:
format: openshift/origin-${component}:${version}
latest: false
kind: MasterConfig
kubeletClientInfo:
ca: ca.crt
certFile: master.kubelet-client.crt
keyFile: master.kubelet-client.key
port: 10250
kubernetesMasterConfig:
apiLevels: null
apiServerArguments: null
controllerArguments: null
disabledAPIGroupVersions: {}
masterCount: 1
masterIP: {{ ansible_default_ipv4.address }}
podEvictionTimeout: 5m
proxyClientInfo:
certFile: master.proxy-client.crt
keyFile: master.proxy-client.key
schedulerConfigFile: ""
servicesNodePortRange: 30000-32767
servicesSubnet: 172.30.0.0/16
staticNodeNames:
- {{ ansible_fqdn }}
masterClients:
externalKubernetesKubeConfig: ""
openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
networkConfig:
clusterNetworkCIDR: 10.1.0.0/16
hostSubnetLength: 8
networkPluginName: ""
serviceNetworkCIDR: 172.30.0.0/16
oauthConfig:
assetPublicURL: https://{{ ansible_default_ipv4.address }}:8443/console/
grantConfig:
method: auto
identityProviders:
- name: request_header
challenge: false
login: false
provider:
apiVersion: v1
kind: RequestHeaderIdentityProvider
clientCA: {{ osbs_proxy_ca_file | default('/etc/origin/master/ca.crt') }}
headers:
- X-Remote-User
masterCA: ca.crt
masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443
masterURL: https://{{ ansible_default_ipv4.address }}:8443
sessionConfig:
sessionMaxAgeSeconds: 300
sessionName: ssn
sessionSecretsFile: ""
templates: null
tokenConfig:
accessTokenMaxAgeSeconds: 86400
authorizeTokenMaxAgeSeconds: 300
pauseControllers: false
policyConfig:
bootstrapPolicyFile: policy.json
openshiftInfrastructureNamespace: openshift-infra
openshiftSharedResourcesNamespace: openshift
projectConfig:
defaultNodeSelector: ""
projectRequestMessage: ""
projectRequestTemplate: ""
securityAllocator:
mcsAllocatorRange: s0:/2
mcsLabelsPerProject: 5
uidAllocatorRange: 1000000000-1999999999/10000
routingConfig:
subdomain: router.default.svc.cluster.local
serviceAccountConfig:
limitSecretReferences: false
managedNames:
- default
- builder
- deployer
masterCA: ca.crt
privateKeyFile: serviceaccounts.private.key
publicKeyFiles:
- serviceaccounts.public.key
servingInfo:
bindAddress: 0.0.0.0:8443
bindNetwork: tcp4
certFile: master.server.crt
clientCA: ca.crt
keyFile: master.server.key
maxRequestsInFlight: 500
namedCertificates: null
requestTimeoutSeconds: 3600
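Review bot: The `request_header` identity provider trusts `X-Remote-User` from any client whose certificate chains to `clientCA`, and the template falls back to `/etc/origin/master/ca.crt` when `osbs_proxy_ca_file` is undefined — that is the cluster CA, so under the fallback any cluster-issued client certificate (the kubelet-client and admin kubeconfig certs referenced elsewhere in this file) could impersonate arbitrary users. The role default points at the self-signed proxy cert, which is the intended narrow trust anchor, so the exposure is only in the fallback; make it fail loudly instead, e.g. `clientCA: {{ osbs_proxy_ca_file | mandatory }}`, with a comment explaining why the cluster CA must never be used here. Also worth a template comment that `corsAllowedOrigins` entries are treated as patterns by Origin, so `localhost` and the bare IP may match longer host names that contain them — confirm against the Origin version in use.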

@ -0,0 +1,31 @@
allowDisabledDocker: false
apiVersion: v1
authConfig:
authenticationCacheSize: 1000
authenticationCacheTTL: 5m
authorizationCacheSize: 1000
authorizationCacheTTL: 5m
dnsDomain: cluster.local
dnsIP: ""
dockerConfig:
execHandlerName: native
imageConfig:
format: openshift/origin-${component}:${version}
latest: false
iptablesSyncPeriod: 5s
kind: NodeConfig
masterKubeConfig: node.kubeconfig
networkConfig:
mtu: 1450
networkPluginName: ""
nodeIP: ""
nodeName: localhost
podManifestConfig: null
servingInfo:
bindAddress: 0.0.0.0:10250
bindNetwork: tcp4
certFile: server.crt
clientCA: node-client-ca.crt
keyFile: server.key
namedCertificates: null
volumeDirectory: /var/lib/origin/openshift.local.volumes
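Review bot: `nodeName: localhost` disagrees with the master template in this commit, which lists `{{ ansible_fqdn }}` under `staticNodeNames`, so the node registers under a name the master did not pre-declare and the per-node certificate directory the sysconfig comment describes (`node-${node-fqdn}`) may not match; rendering `nodeName: {{ ansible_fqdn }}` keeps the two templates consistent — confirm against how the node certificates were generated, because a mismatch surfaces as a client-cert rejection rather than a config error. A short comment on `authenticationCacheTTL`/`authorizationCacheTTL` would also help: a revoked token or removed role binding stays honored on the node for up to five minutes.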

@ -0,0 +1,7 @@
apiVersion: v1
kind: ResourceQuota
metadata:
name: concurrentbuilds
spec:
hard:
pods: {{ osbs_master_max_pods }}

@ -0,0 +1,24 @@
apiVersion: v1
kind: RoleBinding
metadata:
name: {{ item.name }}
roleRef:
name: {{ item.role }}
{% if item.users == [] %}
userNames: []
{% else %}
userNames:
{% for u in item.users %}
- {{u}}
{% endfor %}
{% endif %}
{% if item.groups == [] %}
groupNames: []
{% else %}
groupNames:
{% for g in item.groups %}
- {{g}}
{% endfor %}
{% endif %}
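Review bot: The `{% if item.users == [] %}` / `{% for u in item.users %}` pattern emits each name as an unquoted plain scalar and assumes the list is never `None`, so a name containing YAML-significant text (a leading `*`, a ` #`, a `: `) mis-parses, and a variable left empty (`osbs_readonly_users:` is `None`, not `[]`) raises inside the loop; letting Jinja serialize the lists is shorter and safe: replace the two conditional blocks with `userNames: {{ item.users | default([], true) | to_json }}` and `groupNames: {{ item.groups | default([], true) | to_json }}` (a JSON array is a valid YAML flow sequence, with every element quoted). The binding also carries no `metadata.namespace`, so it lands in whatever project the admin kubeconfig currently selects; declaring the namespace explicitly avoids a surprise after someone runs `oc project` on the box.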

@ -0,0 +1,36 @@
# Modify these options if you want to change the way the docker daemon runs
OPTIONS='--selinux-enabled'
DOCKER_CERT_PATH=/etc/docker
# If you want to add your own registry to be used for docker search and docker pull use the
# ADD_REGISTRY option to list a set of comma separated registries.
# Note the last registry added will be the first regisry searched.
ADD_REGISTRY=''
# If you want to block registries from being used, use the
# BLOCK_REGISTRY option to list a set of comma separated registries, and uncommenting
# it. For example adding docker.io will stop users from downloading images from docker.io
# BLOCK_REGISTRY='--block-registry public'
# If you have a registry secured with https but do not have proper certs destributed, you can
# tell docker to not look for full authorization by adding the registry to the
# INSECURE_REGISTRY line and uncommentin it.
INSECURE_REGISTRY='
{%- for r in osbs_docker_insecure_registries %} --insecure-registry {{ r }}
{%- endfor %}'
# On an SELinux system, if you remove the --selinux-enabled option, you
# also need to turn on the docker_transition_unconfined boolean.
# setsebool -P docker_transition_unconfined 1
# Location used for temporary files, such as those created by
# docker load and build operations. Default is /var/lib/docker/tmp
# Can be overriden by setting the following environment variable.
# DOCKER_TMPDIR=/var/tmp
# Controls the /etc/cron.daily/docker-logrotate cron job status.
# To disable, uncomment the line below.
# LOGROTATE=false
GOTRACEBACK='crash'
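Review bot: The rendered `INSECURE_REGISTRY` line passes `--insecure-registry` for each entry of `osbs_docker_insecure_registries`, which makes docker both skip certificate verification and fall back to cleartext HTTP for that registry, so the registry that production builds push to must never appear there; the template should say so above the loop: `# Each entry disables TLS verification AND permits plain HTTP for that registry — loopback/dev use only`. The `{%-` whitespace stripping means an empty list renders as `INSECURE_REGISTRY=''`, which is the intended no-op and worth a one-line comment so nobody "fixes" the odd-looking quoting.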

@ -0,0 +1,9 @@
---
osbs_openshift_home: /var/lib/origin
osbs_openshift_port: 8443
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
osbs_export_http_conf: /etc/httpd/conf.d/osbs_image_export.conf