From 03b4b85c3f88d2de19779da009ee884afafea993 Mon Sep 17 00:00:00 2001 
From: Adam Miller Date: Thu, 14 Jan 2016 10:12:13 -0600 Subject: [PATCH] add osbs w/ v2 registry support --- .../hosts/osbs-dev.fedorainfracloud.org.yml | 82 ++++- roles/docker-distribution/README.md | 38 ++ roles/docker-distribution/defaults/main.yml | 31 ++ roles/docker-distribution/handlers/main.yml | 2 + roles/docker-distribution/meta/main.yml | 147 ++++++++ roles/docker-distribution/tasks/main.yml | 32 ++ .../templates/config.yml.j2 | 16 + roles/docker-distribution/vars/main.yml | 2 + roles/osbs-atomic-reactor/README.md | 76 ++++ roles/osbs-atomic-reactor/defaults/main.yml | 31 ++ .../files/maxamillion-atomic-reactor.repo | 8 + roles/osbs-atomic-reactor/handlers/main.yml | 3 + roles/osbs-atomic-reactor/meta/main.yml | 21 ++ roles/osbs-atomic-reactor/tasks/main.yml | 9 + .../osbs-atomic-reactor/tasks/source_git.yml | 26 ++ .../osbs-atomic-reactor/tasks/source_pull.yml | 8 + .../osbs-atomic-reactor/tasks/source_rpm.yml | 11 + roles/osbs-client/defaults/main.yml | 32 ++ roles/osbs-client/tasks/main.yml | 9 + roles/osbs-client/templates/osbs.conf.j2 | 22 ++ roles/osbs-common/defaults/main.yml | 6 + roles/osbs-common/tasks/main.yml | 37 ++ roles/osbs-common/vars/main.yml | 2 + roles/osbs-install-openshift/README.md | 58 +++ .../osbs-install-openshift/defaults/main.yml | 26 ++ .../meta/.galaxy_install_info | 1 + roles/osbs-install-openshift/meta/main.yml | 21 ++ roles/osbs-install-openshift/tasks/main.yml | 6 + .../tasks/method_copr.yml | 11 + .../tasks/method_source.yml | 58 +++ .../maxamillion-fedora-openshift.repo.j2 | 8 + .../templates/openshift.spec.j2 | 337 ++++++++++++++++++ roles/osbs-master/README.md | 147 ++++++++ roles/osbs-master/defaults/main.yml | 71 ++++ .../files/openshift-role-osbs-builder.yml | 36 ++ .../osbs-master/files/sysconfig-origin-master | 9 + roles/osbs-master/files/sysconfig-origin-node | 22 ++ roles/osbs-master/handlers/main.yml | 12 + roles/osbs-master/meta/.galaxy_install_info | 1 + roles/osbs-master/meta/main.yml | 21 ++ 
roles/osbs-master/tasks/export.yml | 45 +++ roles/osbs-master/tasks/main.yml | 115 ++++++ .../templates/httpd-osbs_image_export.conf.j2 | 11 + .../templates/master-config.yaml.j2 | 154 ++++++++ .../osbs-master/templates/node-config.yaml.j2 | 31 ++ .../templates/openshift-resourcequota.yml.j2 | 7 + .../templates/openshift-rolebinding.yml.j2 | 24 ++ .../osbs-master/templates/sysconfig-docker.j2 | 36 ++ roles/osbs-master/vars/main.yml | 9 + 49 files changed, 1917 insertions(+), 11 deletions(-) create mode 100644 roles/docker-distribution/README.md create mode 100644 roles/docker-distribution/defaults/main.yml create mode 100644 roles/docker-distribution/handlers/main.yml create mode 100644 roles/docker-distribution/meta/main.yml create mode 100644 roles/docker-distribution/tasks/main.yml create mode 100644 roles/docker-distribution/templates/config.yml.j2 create mode 100644 roles/docker-distribution/vars/main.yml create mode 100644 roles/osbs-atomic-reactor/README.md create mode 100644 roles/osbs-atomic-reactor/defaults/main.yml create mode 100644 roles/osbs-atomic-reactor/files/maxamillion-atomic-reactor.repo create mode 100644 roles/osbs-atomic-reactor/handlers/main.yml create mode 100644 roles/osbs-atomic-reactor/meta/main.yml create mode 100644 roles/osbs-atomic-reactor/tasks/main.yml create mode 100644 roles/osbs-atomic-reactor/tasks/source_git.yml create mode 100644 roles/osbs-atomic-reactor/tasks/source_pull.yml create mode 100644 roles/osbs-atomic-reactor/tasks/source_rpm.yml create mode 100644 roles/osbs-client/defaults/main.yml create mode 100644 roles/osbs-client/tasks/main.yml create mode 100644 roles/osbs-client/templates/osbs.conf.j2 create mode 100644 roles/osbs-common/defaults/main.yml create mode 100644 roles/osbs-common/tasks/main.yml create mode 100644 roles/osbs-common/vars/main.yml create mode 100644 roles/osbs-install-openshift/README.md create mode 100644 roles/osbs-install-openshift/defaults/main.yml create mode 100644 
roles/osbs-install-openshift/meta/.galaxy_install_info create mode 100644 roles/osbs-install-openshift/meta/main.yml create mode 100644 roles/osbs-install-openshift/tasks/main.yml create mode 100644 roles/osbs-install-openshift/tasks/method_copr.yml create mode 100644 roles/osbs-install-openshift/tasks/method_source.yml create mode 100644 roles/osbs-install-openshift/templates/maxamillion-fedora-openshift.repo.j2 create mode 100644 roles/osbs-install-openshift/templates/openshift.spec.j2 create mode 100644 roles/osbs-master/README.md create mode 100644 roles/osbs-master/defaults/main.yml create mode 100644 roles/osbs-master/files/openshift-role-osbs-builder.yml create mode 100644 roles/osbs-master/files/sysconfig-origin-master create mode 100644 roles/osbs-master/files/sysconfig-origin-node create mode 100644 roles/osbs-master/handlers/main.yml create mode 100644 roles/osbs-master/meta/.galaxy_install_info create mode 100644 roles/osbs-master/meta/main.yml create mode 100644 roles/osbs-master/tasks/export.yml create mode 100644 roles/osbs-master/tasks/main.yml create mode 100644 roles/osbs-master/templates/httpd-osbs_image_export.conf.j2 create mode 100644 roles/osbs-master/templates/master-config.yaml.j2 create mode 100644 roles/osbs-master/templates/node-config.yaml.j2 create mode 100644 roles/osbs-master/templates/openshift-resourcequota.yml.j2 create mode 100644 roles/osbs-master/templates/openshift-rolebinding.yml.j2 create mode 100644 roles/osbs-master/templates/sysconfig-docker.j2 create mode 100644 roles/osbs-master/vars/main.yml diff --git a/playbooks/hosts/osbs-dev.fedorainfracloud.org.yml b/playbooks/hosts/osbs-dev.fedorainfracloud.org.yml index 5c710ebb81..1bf0a03cc3 100644 --- a/playbooks/hosts/osbs-dev.fedorainfracloud.org.yml +++ b/playbooks/hosts/osbs-dev.fedorainfracloud.org.yml 
@@ -3,10 +3,10 @@ gather_facts: False vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/web/infra/ansible/vars/fedora-cloud.yml - - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/web/infra/ansible/vars/fedora-cloud.yml + - /srv/private/ansible/files/openstack/passwords.yml tasks: - include: "{{ tasks }}/persistent_cloud.yml" 
@@ -14,12 +14,72 @@ - name: setup all the things hosts: osbs-dev.fedorainfracloud.org vars_files: - - /srv/web/infra/ansible/vars/global.yml - - /srv/private/ansible/vars.yml - - /srv/private/ansible/files/openstack/passwords.yml - - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml pre_tasks: - - include: "{{ tasks }}/cloud_setup_basic.yml" - - name: set hostname (required by some services, at least postfix need it) - shell: "hostname {{inventory_hostname}}" + - include: "{{ tasks }}/cloud_setup_basic.yml" + - name: set hostname (required by some services, at least postfix need it) + shell: "hostname {{inventory_hostname}}" + +- name: setup osbs + hosts: osbs-dev.fedorainfracloud.org + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + roles: + - osbs-atomic-reactor + - osbs-common + - osbs-install-openshift + - osbs-master + - { + role: osbs-client, + default.openshift_url: 'https://osbs-dev.fedorainfracloud.org:8443/', + default.registry_url: 'https://osbs-dev.fedorainfracloud.org:5000/v2', + default.source_registry_uri: 'https://osbs-dev.fedorainfracloud.org:5000/v2', + build_host: 'osbs-dev.fedorainfracloud.org' + } + - { + role: docker-distribution, + cert.private_path: "files/osbs/osbs-dev.certs", + cert.dir: "/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/", + cert.src_name: "osbs-dev.fedorainfracloud.org.crt", + cert.src_key_name: "osbs-dev.fedorainfracloud.org.key", + tls.enabled: True, + tls.certificate: "/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/ca.crt", + tls.key: "/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/ca.key", + } + +- name: post-install osbs tasks + hosts: 
osbs-dev.fedorainfracloud.org + vars_files: + - /srv/web/infra/ansible/vars/global.yml + - /srv/private/ansible/vars.yml + - /srv/private/ansible/files/openstack/passwords.yml + - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml + + tasks: + - name: install docker + action: "{{ ansible_pkg_mgr }} name=docker-distribution state=installed" + + - name: ensure docker daemon cert dir exists + file: + path: "/etc/docker/certs.d/" + state: directory + + - name: create symlink for docker daemon cert + file: + src: "/etc/docker/certs.d/osbs.localdomain:5000" + dest: "/etc/pki/docker/osbs.localdomain:5000/" + state: "link" + + - name: start and enable docker + service: name=docker state=started enabled=yes + + - name: create fedora image stream for OpenShift + shell: 'cat <<"EOF" | oc create -f - { "apiVersion": "v1", "kind": "ImageStream", "metadata": { "name": "fedora" }, "spec": { "dockerImageRepository": "osbs-dev.fedorainfracloud.org:5000/fedora" } } EOF' diff --git a/roles/docker-distribution/README.md b/roles/docker-distribution/README.md new file mode 100644 index 0000000000..225dd44b9f --- /dev/null +++ b/roles/docker-distribution/README.md 
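Review bot: The "create symlink for docker daemon cert" task in the post-install play has `src` and `dest` the wrong way round and names a host (`osbs.localdomain:5000`) that nothing else on this machine uses: the docker-distribution role earlier in the same playbook installs the certificate under `/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/`, and the docker daemon looks for it under `/etc/docker/certs.d/<registry-host:port>/`, so as written the daemon will never trust the registry cert. The link should be `src: "/etc/pki/docker/osbs-dev.fedorainfracloud.org:5000/"` with `dest: "/etc/docker/certs.d/osbs-dev.fedorainfracloud.org:5000"`. The task named "install docker" also installs `docker-distribution` rather than `docker`, so `name=docker` is presumably what was meant before the `service: name=docker` task. The dotted role parameters (`default.openshift_url:` etc.) may not override keys inside the `default` and `cert`/`tls` dicts on the Ansible version in use; worth confirming against the rendered `/etc/osbs.conf` and registry config on the host.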
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/docker-distribution/defaults/main.yml b/roles/docker-distribution/defaults/main.yml new file mode 100644 index 0000000000..4696845d57 --- /dev/null +++ b/roles/docker-distribution/defaults/main.yml 
@@ -0,0 +1,31 @@ +--- +# defaults file for docker-distribution +# + +# where to put the config.yml on the remote machine +conf_path: /etc/docker-distribution/registry/config.yml + +# Cert information to place certificate files on system +cert: + private_path: PRIVATE_PATH_TO_CERT_DIR + dir: "/etc/pki/docker/{{ ansible_fqdn }}:5000" + src_name: ca.crt + src_key_name: ca.key + dest_name: ca.crt + dest_key_name: ca.key + +# Config directives +tls: + enabled: False + certificate: PATH_TO_CERT + key: PATH_TO_KEY +log: + fields: + service: registry +storage: + cache: + layerinfo: inmemory + filesystem: + rootdirectory: /var/lib/registry/ +http: + addr: :5000 diff --git a/roles/docker-distribution/handlers/main.yml b/roles/docker-distribution/handlers/main.yml new file mode 100644 index 0000000000..99c49e5cb5 --- /dev/null +++ b/roles/docker-distribution/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for docker-distribution diff --git a/roles/docker-distribution/meta/main.yml b/roles/docker-distribution/meta/main.yml new file mode 100644 index 0000000000..888088e343 --- /dev/null +++ b/roles/docker-distribution/meta/main.yml 
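Review bot: The defaults carry no `auth` stanza for the registry config, so the rendered registry on `http.addr: :5000` serves anonymous push and pull to any client that can reach the port, and the OSBS playbook points both `registry_uri` and `source_registry_uri` at it, which makes an unauthenticated write path into the image source of every build. Consider rendering an `auth:` section (htpasswd or token) from a new default and, at minimum, noting in the header comment that the role exposes an unauthenticated registry unless the host firewall restricts port 5000. The `tls.certificate`/`tls.key` placeholders `PATH_TO_CERT`/`PATH_TO_KEY` are written into the config verbatim whenever `tls.enabled` is left `False` (the template does not check the flag), so a comment such as `# tls.enabled only gates the cert copy tasks; the template still renders tls.certificate/tls.key` would save the next reader a surprise.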
@@ -0,0 +1,147 @@ +--- +galaxy_info: + author: your name + description: + company: your company (optional) + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + # Some suggested licenses: + # - BSD (default) + # - MIT + # - GPLv2 + # - GPLv3 + # - Apache + # - CC-BY + license: license (GPLv2, CC-BY, etc) + min_ansible_version: 1.2 + # + # Below are all platforms currently available. Just uncomment + # the ones that apply to your role. If you don't see your + # platform on this list, let us know and we'll get it added! + # + #platforms: + #- name: EL + # versions: + # - all + # - 5 + # - 6 + # - 7 + #- name: GenericUNIX + # versions: + # - all + # - any + #- name: Solaris + # versions: + # - all + # - 10 + # - 11.0 + # - 11.1 + # - 11.2 + # - 11.3 + #- name: Fedora + # versions: + # - all + # - 16 + # - 17 + # - 18 + # - 19 + # - 20 + # - 21 + # - 22 + #- name: Windows + # versions: + # - all + # - 2012R2 + #- name: SmartOS + # versions: + # - all + # - any + #- name: opensuse + # versions: + # - all + # - 12.1 + # - 12.2 + # - 12.3 + # - 13.1 + # - 13.2 + #- name: Amazon + # versions: + # - all + # - 2013.03 + # - 2013.09 + #- name: GenericBSD + # versions: + # - all + # - any + #- name: FreeBSD + # versions: + # - all + # - 8.0 + # - 8.1 + # - 8.2 + # - 8.3 + # - 8.4 + # - 9.0 + # - 9.1 + # - 9.1 + # - 9.2 + #- name: Ubuntu + # versions: + # - all + # - lucid + # - maverick + # - natty + # - oneiric + # - precise + # - quantal + # - raring + # - saucy + # - trusty + # - utopic + # - vivid + #- name: SLES + # versions: + # - all + # - 10SP3 + # - 10SP4 + # - 11 + # - 11SP1 + # - 11SP2 + # - 11SP3 + #- name: GenericLinux + # versions: + # - all + # - any + #- name: Debian + # versions: + # - all + # - etch + # - jessie + # - lenny + # - squeeze + # - wheezy + # + # Below are all categories currently available. 
Just as with + # the platforms above, uncomment those that apply to your role. + # + #categories: + #- cloud + #- cloud:ec2 + #- cloud:gce + #- cloud:rax + #- clustering + #- database + #- database:nosql + #- database:sql + #- development + #- monitoring + #- networking + #- packaging + #- system + #- web +dependencies: [] + # List your role dependencies here, one per line. + # Be sure to remove the '[]' above if you add dependencies + # to this list. + diff --git a/roles/docker-distribution/tasks/main.yml b/roles/docker-distribution/tasks/main.yml new file mode 100644 index 0000000000..8216d2f8b7 --- /dev/null +++ b/roles/docker-distribution/tasks/main.yml @@ -0,0 +1,32 @@ +--- +# tasks file for docker-distribution + +- name: install docker-distribution + action: "{{ ansible_pkg_mgr }} name=docker-distribution state=installed" + +- name: start and enable docker-distribution + service: name=docker-distribution state=started enabled=yes + +- name: configure docker-distribution + template: + src: config.yml.j2 + dest: "{{ conf_path }}" + +- name: ensure docker certs dir exists + file: + path: "{{ cert_dir }}" + state: directory + when: tls.enabled == True + +- name: install tls cert for docker + copy: + src: "{{ private }}/{{ cert.private_path }}/{{ cert.src_name }}" + dest: "{{ cert.dir }}/{{ cert.dest_name }}" + when: tls.enabled == True + +- name: install tls key for docker + copy: + src: "{{ private }}/{{ cert.private_path}}/{{ cert.src_key_name }}" + dest: "{{ cert.dir}}/{{ cert.dest_key_name }}" + when: tls.enabled == True + diff --git a/roles/docker-distribution/templates/config.yml.j2 b/roles/docker-distribution/templates/config.yml.j2 new file mode 100644 index 0000000000..c59e5e1eb4 --- /dev/null +++ b/roles/docker-distribution/templates/config.yml.j2 
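Review bot: In tasks/main.yml the "ensure docker certs dir exists" task references `{{ cert_dir }}`, which is not defined anywhere in the role (defaults define `cert.dir`), so the task fails with an undefined variable as soon as `tls.enabled` is true; it should read `path: "{{ cert.dir }}"`. The private key is copied with no `mode:`, so its permissions are whatever the copy module and the source file yield; add `mode: 0600` to the "install tls key for docker" task. The service is started and enabled before config.yml and the certificates are written and the handlers file is empty, so the running registry keeps the package default configuration until the next restart; either move the service task after the template/copy tasks or add a `restart docker-distribution` handler and `notify` it from the configure and cert tasks. `{{ private }}` is also not defined by this role and presumably comes from the infra global vars; a comment saying so would help anyone reusing the role.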
@@ -0,0 +1,16 @@ +version: 0.1 +log: + fields: + service: {{ log.fields.service }} +storage: + cache: + layerinfo: {{ storage.cache.layerinfo }} + filesystem: + rootdirectory: {{ storage.filesystem.rootdirectory }} +http: + addr: {{ http.addr }} + +tls: + certificate: {{ tls.certificate }} + key: {{ tls.key }} + diff --git a/roles/docker-distribution/vars/main.yml b/roles/docker-distribution/vars/main.yml new file mode 100644 index 0000000000..991e69fd60 --- /dev/null +++ b/roles/docker-distribution/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for docker-distribution diff --git a/roles/osbs-atomic-reactor/README.md b/roles/osbs-atomic-reactor/README.md new file mode 100644 index 0000000000..c138eb0a79 --- /dev/null +++ b/roles/osbs-atomic-reactor/README.md 
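Review bot: The template emits `tls:` as a top-level key, but docker/distribution reads the listener's TLS settings from `http.tls` (`http: tls: certificate:/key:`), so as rendered the registry most likely starts plain HTTP on `:5000` while the playbook hands out `https://...:5000/v2` URLs and installs certificates for it. The block is also rendered unconditionally, so with the role's default `tls.enabled: False` the placeholder strings `PATH_TO_CERT`/`PATH_TO_KEY` land in the config. Moving the block under `http:` and gating it on the flag fixes both.
```yaml
# … unchanged: version, log and storage sections …
http:
  addr: {{ http.addr }}
{% if tls.enabled %}
  tls:
    certificate: {{ tls.certificate }}
    key: {{ tls.key }}
{% endif %}
```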
@@ -0,0 +1,76 @@ +atomic-reactor +============== + +This role obtains +[atomic-reactor](https://github.com/projectatomic/atomic-reactor) docker image +to be used in [OSBS (OpenShift build +service)](https://github.com/projectatomic/osbs-client). + +This role is part of +[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for +deploying OpenShift build service. Please refer to that github repository for +[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md) +and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues). + +Role Variables +-------------- + +`atomic_reactor_source` determines the means of obtaining the There are +currently two methods to obtain the image, `pull` and `git`. The `pull` method +simply pulls the image from a given registry. The `git` method builds the image +by running `docker build` on given git repository. + + atomic_reactor_source: pull + +When `atomic_reactor_source` is set to `pull`, you need to provide +`atomic_reactor_pull` dictionary such as the following: + + atomic_reactor_pull: + registry: registry.hub.docker.com + image: slavek/atomic-reactor:latest + +When `atomic_reactor_source` is set to `git`, you need to provide +`atomic_reactor_git` dictionary such as the following: + + atomic_reactor_git: + # base image source to be pulled (optional) + base_registry: registry.hub.docker.com + base_image: library/fedora:latest + # allow retagging the base image to match FROM in Dockerfile (optional) + base_image_retag: fedora:latest + # Dockerfile source + git_url: https://github.com/projectatomic/atomic-reactor.git + git_branch: master + git_subdir: "" + git_local_path: "{{ ansible_env.HOME }}/atomic-reactor-buildroot" + +OSBS expects the build image to be named `buildroot`. This name can be changed +by setting the `atomic_reactor_tag` variable. + + atomic_reactor_tag: buildroot + +Dependencies +------------ + +Docker needs to be installed on the remote host. 
+ +Example Playbook +---------------- + +In default configuration the role pulls the image from +[slavek/atomic-reactor](https://hub.docker.com/r/slavek/atomic-reactor/) +repository on docker hub. + + - hosts: builders + roles: + - atomic-reactor + +License +------- + +BSD + +Author Information +------------------ + +Martin Milata <mmilata@redhat.com> diff --git a/roles/osbs-atomic-reactor/defaults/main.yml b/roles/osbs-atomic-reactor/defaults/main.yml new file mode 100644 index 0000000000..e6e17a9d37 --- /dev/null +++ b/roles/osbs-atomic-reactor/defaults/main.yml @@ -0,0 +1,31 @@ +--- +# OSBS expects the build image to be named buildroot +atomic_reactor_tag: buildroot + +# Method to obtain atomic-reactor image, currently supported are: +# pull - pull the image from a registry +# git - build the image from git repository +# rpm - build the image from the local bundled rpm sources +atomic_reactor_source: rpm + +# Configuration for atomic_reactor_source == pull +atomic_reactor_pull: + registry: registry.hub.docker.com + image: slavek/atomic-reactor:latest + +# Configuration for atomic_reactor_source == git +atomic_reactor_git: + # base image source + base_registry: registry.hub.docker.com + base_image: library/fedora:latest + # allow retagging the base image to match FROM in Dockerfile + base_image_retag: fedora:latest + # Dockerfile source + git_url: https://github.com/projectatomic/atomic-reactor.git + git_branch: master + git_subdir: "" + git_local_path: "{{ ansible_env.HOME }}/atomic-reactor-buildroot" + +atomic_reactor_rpm: + copr: True + buildroot_cmd: atomic-reactor create-build-image --reactor-tarball-path /usr/share/atomic-reactor/atomic-reactor.tar.gz /usr/share/atomic-reactor/images/dockerhost-builder buildroot diff --git a/roles/osbs-atomic-reactor/files/maxamillion-atomic-reactor.repo b/roles/osbs-atomic-reactor/files/maxamillion-atomic-reactor.repo new file mode 100644 index 0000000000..1f5bc7a639 --- /dev/null 
+++ b/roles/osbs-atomic-reactor/files/maxamillion-atomic-reactor.repo @@ -0,0 +1,8 @@ +[maxamillion-atomic-reactor] +name=Copr repo for atomic-reactor owned by maxamillion +baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/atomic-reactor/fedora-$releasever-$basearch/ +skip_if_unavailable=True +gpgcheck=1 +gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/atomic-reactor/pubkey.gpg +enabled=1 +enabled_metadata=1 diff --git a/roles/osbs-atomic-reactor/handlers/main.yml b/roles/osbs-atomic-reactor/handlers/main.yml new file mode 100644 index 0000000000..89ac699f9e --- /dev/null +++ b/roles/osbs-atomic-reactor/handlers/main.yml @@ -0,0 +1,3 @@ +--- +- name: rebuild buildroot + shell: {{ atomic_reactor_rpm.buildroot_cmd }} diff --git a/roles/osbs-atomic-reactor/meta/main.yml b/roles/osbs-atomic-reactor/meta/main.yml new file mode 100644 index 0000000000..07dfc72a65 --- /dev/null +++ b/roles/osbs-atomic-reactor/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + author: Martin Milata + description: Pull or build atomic-reactor docker image to be used in OSBS (OpenShift build service). + company: Red Hat + issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues + license: BSD + min_ansible_version: 1.2 + platforms: + - name: EL + versions: + - 7 + - name: Fedora + versions: + - 21 + - 22 + categories: + - cloud + - development + - packaging +dependencies: [] diff --git a/roles/osbs-atomic-reactor/tasks/main.yml b/roles/osbs-atomic-reactor/tasks/main.yml new file mode 100644 index 0000000000..fc28ff93eb --- /dev/null +++ b/roles/osbs-atomic-reactor/tasks/main.yml @@ -0,0 +1,9 @@ +--- +- include: source_pull.yml + when: atomic_reactor_source == 'pull' + +- include: source_git.yml + when: atomic_reactor_source == 'git' + +- include: source_rpm.yml + when: atomic_reactor_source == 'rpm' 
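Review bot: In handlers/main.yml the value `shell: {{ atomic_reactor_rpm.buildroot_cmd }}` is unquoted, so YAML parses the leading `{` as a flow mapping and the handler file fails to load, which breaks the `notify: rebuild buildroot` in source_rpm.yml. Quote it: `shell: "{{ atomic_reactor_rpm.buildroot_cmd }}"`. Since the handler executes an arbitrary command string taken from a variable, a one-line comment such as `# runs atomic_reactor_rpm.buildroot_cmd verbatim via the shell; keep it a fixed string, not host-supplied input` would make the trust boundary explicit.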
diff --git a/roles/osbs-atomic-reactor/tasks/source_git.yml b/roles/osbs-atomic-reactor/tasks/source_git.yml new file mode 100644 index 0000000000..a3940c2334 --- /dev/null +++ b/roles/osbs-atomic-reactor/tasks/source_git.yml @@ -0,0 +1,26 @@ +--- +- name: pull base image + command: docker pull {{ atomic_reactor_git.base_registry }}/{{ atomic_reactor_git.base_image }} + when: atomic_reactor_git.base_image is defined + +- name: tag base image + command: docker tag -f {{ atomic_reactor_git.base_registry }}/{{ atomic_reactor_git.base_image }} {{ atomic_reactor_git.base_image_retag }} + when: atomic_reactor_git.base_image_retag is defined + +- name: pull git repository with Dockerfile + git: + repo: "{{ atomic_reactor_git.git_url }}" + dest: "{{ atomic_reactor_git.git_local_path }}" + version: "{{ atomic_reactor_git.git_branch }}" + accept_hostkey: yes + register: dockerfile_git_repo + +- name: check if atomic-reactor image is present + command: docker inspect {{ atomic_reactor_tag }} + register: image_present + failed_when: image_present.rc != 0 and ('No such image' not in image_present.stderr) + changed_when: image_present.rc != 0 + +- name: build atomic-reactor image + command: docker build --no-cache=true --tag={{ atomic_reactor_tag }} {{ atomic_reactor_git.git_local_path }}/{{ atomic_reactor_git.git_subdir }} + when: dockerfile_git_repo.changed or image_present.changed diff --git a/roles/osbs-atomic-reactor/tasks/source_pull.yml b/roles/osbs-atomic-reactor/tasks/source_pull.yml new file mode 100644 index 0000000000..cdc6cbbddb --- /dev/null +++ b/roles/osbs-atomic-reactor/tasks/source_pull.yml @@ -0,0 +1,8 @@ +--- +- name: pull atomic-reactor image + command: docker pull {{ atomic_reactor_pull.registry }}/{{ atomic_reactor_pull.image }} + register: pull_image + +- name: tag atomic-reactor image + command: docker tag -f {{ atomic_reactor_pull.registry }}/{{ atomic_reactor_pull.image }} {{ atomic_reactor_tag }} + when: pull_image.changed 
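Review bot: The git task in source_git.yml sets `accept_hostkey: yes`, which makes Ansible trust whatever SSH host key the remote presents; with the default https `git_url` it is inert, but the moment someone points `git_url` at an ssh remote the clone of the build-image Dockerfile silently accepts an unverified host, so either drop the option or pre-seed known_hosts and leave it off. The `docker pull` and `docker tag` tasks go through `command`, which always reports changed, so `when: pull_image.changed` in source_pull.yml is true on every run and the `tag` task is not the idempotency guard it looks like; `changed_when: false` on the pull, or checking the image id before and after, would make the intent real. As far as I recall `docker tag -f` was removed from later Docker releases, so the two tag tasks may need the flag dropped when the host's docker is updated.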
diff --git a/roles/osbs-atomic-reactor/tasks/source_rpm.yml b/roles/osbs-atomic-reactor/tasks/source_rpm.yml new file mode 100644 index 0000000000..ccb48c8700 --- /dev/null +++ b/roles/osbs-atomic-reactor/tasks/source_rpm.yml @@ -0,0 +1,11 @@ +--- +- name: setup COPR repository for atomic-reactor builds + copy: + src: maxamillion-atomic-reactor-fedora.repo + dest: /etc/yum.repos.d/maxamillion-atomic-reactor-fedora.repo + when: atomic_reactor_rpm.copr == True + +- name: install atomic-reactor package locally + action: "{{ ansible_pkg_mgr }} name=atomic-reactor state=latest" + notify: + - rebuild buildroot diff --git a/roles/osbs-client/defaults/main.yml b/roles/osbs-client/defaults/main.yml new file mode 100644 index 0000000000..2106a5add6 --- /dev/null +++ b/roles/osbs-client/defaults/main.yml @@ -0,0 +1,32 @@ +--- +# defaults file for osbs-client +# + +# config file path + +osbs_client_conf_path: /etc/osbs.conf + +# Settings for the [general] section of the osbs.conf file +general: + verbose: 1 + build_json_dir: /usr/share/osbs/ + openshift_required_version: 1.0.8 + +# Settings for the [default] section of the osbs.conf file +default: + openshift_url: https://osbs.localdomain:8443/ + koji_root: http://koji.fedoraproject.org/koji + koji_hub: http://koji.fedoraproject.org/kojihub + sources_command: fedpkg sources + build_type: prod + registry_uri: https://osbs.localdomain:5000/v2 + source_registry_uri: https://osbs.localdomain:5000/v2 + authoritative_registry: registry.example.com + vendor: Fedora Project + build_host: osbs.localdomain + verify_ssl: false + use_auth: false + builder_use_auth: true + distribution_scope: private + registry_api_versions: v2 + builder_openshift_url: https://172.17.0.1:8443/ diff --git a/roles/osbs-client/tasks/main.yml b/roles/osbs-client/tasks/main.yml new file mode 100644 index 0000000000..88e71e038d --- /dev/null +++ b/roles/osbs-client/tasks/main.yml 
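Review bot: source_rpm.yml copies `src: maxamillion-atomic-reactor-fedora.repo`, but the file this commit adds under `files/` is `maxamillion-atomic-reactor.repo`, so with the default `atomic_reactor_rpm.copr: True` (and the default `atomic_reactor_source: rpm`) the role fails on the first task with a missing source file. Change it to `src: maxamillion-atomic-reactor.repo` (the `dest` name can stay as is). The README added in this commit documents only the `pull` and `git` methods, so a short `rpm` paragraph describing `atomic_reactor_rpm.copr` and `buildroot_cmd` is needed there as well.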
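Review bot: osbs-client's defaults ship `verify_ssl: false` and `use_auth: false` in the `[default]` section, so every host that applies this role talks to the OpenShift API without certificate verification or client authentication unless the playbook overrides them, and the dev playbook in this commit overrides only the URLs and `build_host`. Since the same role is meant to carry production settings (`build_type: prod`, `distribution_scope: private`), the safer default is `verify_ssl: true` with the CA configured, leaving the relaxation to an explicit per-host override. `authoritative_registry: registry.example.com` is a placeholder that will also be rendered into the live osbs.conf; a comment marking it as must-override, e.g. `# placeholder, override per host`, would flag that.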
@@ -0,0 +1,9 @@ +--- +# tasks file for osbs-client + +- name: install osbs-client package + action: "{{ ansible_pkg_mgr }} name=osbs-client state=installed" + +- name: apply osbs-client templated config + template: src=osbs.conf.j3 dest={{ osbs_client_conf_path }} + diff --git a/roles/osbs-client/templates/osbs.conf.j2 b/roles/osbs-client/templates/osbs.conf.j2 new file mode 100644 index 0000000000..f94d3deada --- /dev/null +++ b/roles/osbs-client/templates/osbs.conf.j2 @@ -0,0 +1,22 @@ +[general] +verbose= {{ general.verbose }} +build_json_dir = {{ general.build_json_dir }} +openshift_required_version = {{ general.openshift_required_version }} + +[default] +openshift_url = {{ default.openshift_url }} +koji_root = {{ default.koji_root }} +koji_hub = {{ default.koji_hub }} +sources_command = {{ default.sources_command }} +build_type = {{ default.build_type }} +registry_uri = {{ default.registry_uri }} +source_registry_uri = {{ default.source_registry_uri }} +authoritative_registry = {{ default.authoritative_registry }} +vendor = {{ default.vendor }} +build_host = {{ default.build_host }} +verify_ssl = {{ default.verify_ssl }} +use_auth = {{ default.use_auth }} +builder_use_auth = {{ default.builder_use_auth }} +distribution_scope = {{ default.distribution_scope }} +registry_api_versions = {{ default.registry_api_versions }} +builder_openshift_url = {{ default.builder_use_auth }} diff --git a/roles/osbs-common/defaults/main.yml b/roles/osbs-common/defaults/main.yml new file mode 100644 index 0000000000..0436b5c48b --- /dev/null +++ b/roles/osbs-common/defaults/main.yml @@ -0,0 +1,6 @@ +--- +# set hostname of the machine +#hostname: example.org + +# set to false if you don't use firewalld or do not want the playbook to modify it +osbs_manage_firewalld: true diff --git a/roles/osbs-common/tasks/main.yml b/roles/osbs-common/tasks/main.yml new file mode 100644 index 0000000000..bb5bf36451 --- /dev/null +++ b/roles/osbs-common/tasks/main.yml 
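Review bot: The "apply osbs-client templated config" task uses `src=osbs.conf.j3`, but the template added by this commit is `osbs.conf.j2`, so the task fails on every run. It should be `template: src=osbs.conf.j2 dest={{ osbs_client_conf_path }}`. The rendered file contains registry and OpenShift endpoints, so a `mode=0644` (or tighter if credentials are ever added) on the task would document the intended permissions.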
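Review bot: The last line of osbs.conf.j2 renders `builder_openshift_url = {{ default.builder_use_auth }}`, i.e. the boolean instead of the URL, so the builder ends up with `true` as its OpenShift endpoint; it should be `builder_openshift_url = {{ default.builder_openshift_url }}`. The `verbose= {{ general.verbose }}` line is also missing the space before `=` used on every other line, which is cosmetic but worth aligning.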
@@ -0,0 +1,37 @@ +--- +- name: set hostname + hostname: name={{ hostname }} + when: hostname is defined + +- name: install basic packages + action: "{{ ansible_pkg_mgr }} name={{ item }} state=installed" + with_items: + - vim + - tmux + - wget + - git + - net-tools + - tree + +- name: install yum-utils when using yum + yum: name=yum-utils state=installed + when: ansible_pkg_mgr == "yum" + +- name: enable rhel7 repos + command: yum-config-manager --enable {{ item }} + with_items: + - rhel-7-server-optional-rpms + - rhel-7-server-extras-rpms + when: ansible_distribution == 'RedHat' and ansible_distribution_major_version == '7' + +- name: enable epel7 + yum: name={{ epel7_url }} state=installed + when: ansible_os_family == 'RedHat' and ansible_distribution_major_version == '7' + +- name: install firewalld + action: "{{ ansible_pkg_mgr }} name=firewalld state=installed" + when: osbs_manage_firewalld + +- name: enable firewalld + service: name=firewalld state=started enabled=yes + when: osbs_manage_firewalld diff --git a/roles/osbs-common/vars/main.yml b/roles/osbs-common/vars/main.yml new file mode 100644 index 0000000000..948958a46b --- /dev/null +++ b/roles/osbs-common/vars/main.yml @@ -0,0 +1,2 @@ +--- +epel7_url: http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm diff --git a/roles/osbs-install-openshift/README.md b/roles/osbs-install-openshift/README.md new file mode 100644 index 0000000000..6a0ec4a21f --- /dev/null +++ b/roles/osbs-install-openshift/README.md 
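Review bot: The "enable epel7" task installs an rpm fetched from the plain-http `epel7_url` in vars/main.yml, and as far as I can tell yum does not check the signature of a package given by URL unless `localpkg_gpgcheck` is set, so the EPEL release package (which then defines further repos and keys) is installed with no integrity check over an unauthenticated channel. Switching the vars entry to `https://` is the minimum; better is installing `epel-release` from the distribution's extras repo on RHEL 7 or importing the EPEL GPG key first and verifying the download. The same URL also hard-codes `epel-release-7-5`, so a comment such as `# pinned release rpm; bump when EPEL rotates the package` would save someone debugging a 404 later.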
@@ -0,0 +1,58 @@ +install-openshift +================= + +Installs OpenShift v3 from various sources. Currently supports installing RPM +from COPR and building and installing the RPM from source code. + +This role is part of +[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for +deploying OpenShift build service. Please refer to that github repository for +[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md) +and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues). + +Role Variables +-------------- + +You need to specify which method of installation you want to use. Valid options +are `copr` (default) and `source`. + + install_openshift_method: copr + +You must specify particular version that should be installed from the COPR. +Can be in either `version` or `version-release` format. + + install_openshift_copr_version: 1.0.5 + +When building from source, you need to specify the version of the built package. + + install_openshift_source_version: 1.0.5 + +Git commit to build packages from. + + install_openshift_source_commit: c66613fded194b10ce4e4e1c473fbfc0a511405b + +File name of the tarball to be downloaded from github. + + install_openshift_source_archive: openshift-{{ install_openshift_source_commit }}.tar.gz + +Directory for rpmbuild. + + install_openshift_source_rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild" + +Example Playbook +---------------- + + - hosts: builders + roles: + - role: install-openshift + install_openshift_method: copr + +License +------- + +BSD + +Author Information +------------------ + +Martin Milata <mmilata@redhat.com> diff --git a/roles/osbs-install-openshift/defaults/main.yml b/roles/osbs-install-openshift/defaults/main.yml new file mode 100644 index 0000000000..fefe12d70e --- /dev/null +++ b/roles/osbs-install-openshift/defaults/main.yml 
@@ -0,0 +1,26 @@ +--- +# methods: copr, source +install_openshift_method: copr + +# copr-specific variables + +# specify particular version that should be installed from copr +# can be either VERSION or VERSION-RELEASE +install_openshift_copr_version: 1.0.8 + +# variables for source build + +# version of the built package +install_openshift_source_version: 1.0.5 + +# git commit to build package from +install_openshift_source_commit: c66613fded194b10ce4e4e1c473fbfc0a511405b + +# name of the tarball to download from github +install_openshift_source_archive: openshift-{{ install_openshift_source_commit }}.tar.gz + +# rpmbuild directory +install_openshift_source_rpmbuild_dir: "{{ ansible_env.HOME }}/rpmbuild" + +# update package from copr to the latest version? +osbs_update_packages: false diff --git a/roles/osbs-install-openshift/meta/.galaxy_install_info b/roles/osbs-install-openshift/meta/.galaxy_install_info new file mode 100644 index 0000000000..14182b0644 --- /dev/null +++ b/roles/osbs-install-openshift/meta/.galaxy_install_info @@ -0,0 +1 @@ +{install_date: 'Thu Jan 7 17:30:46 2016', version: master} diff --git a/roles/osbs-install-openshift/meta/main.yml b/roles/osbs-install-openshift/meta/main.yml new file mode 100644 index 0000000000..b55db33f88 --- /dev/null +++ b/roles/osbs-install-openshift/meta/main.yml @@ -0,0 +1,21 @@ +--- +galaxy_info: + author: Martin Milata + description: Install OpenShift v3 from various sources + company: Red Hat + issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues + license: BSD + min_ansible_version: 1.2 + platforms: + - name: EL + versions: + - 7 + - name: Fedora + versions: + - 21 + - 22 + categories: + - cloud + - development + - packaging +dependencies: [] diff --git a/roles/osbs-install-openshift/tasks/main.yml b/roles/osbs-install-openshift/tasks/main.yml new file mode 100644 index 0000000000..2bcd73c73d --- /dev/null +++ b/roles/osbs-install-openshift/tasks/main.yml 
@@ -0,0 +1,6 @@
+---
+- include: method_copr.yml
+ when: install_openshift_method == 'copr'
+
+- include: method_source.yml
+ when: install_openshift_method == 'source'
diff --git a/roles/osbs-install-openshift/tasks/method_copr.yml b/roles/osbs-install-openshift/tasks/method_copr.yml
new file mode 100644
index 0000000000..a75b72d6aa
--- /dev/null
+++ b/roles/osbs-install-openshift/tasks/method_copr.yml
@@ -0,0 +1,11 @@
+---
+- name: setup repository
+ template:
+ src: maxamillion-fedora-openshift.repo.j2
+ dest: /etc/yum.repos.d/maxamillion-fedora-openshift.repo
+
+- name: install openshift
+ action: "{{ ansible_pkg_mgr }} name={{ item }} state={{ osbs_update_packages | ternary('latest', 'present') }}"
+ with_items:
+ - origin-master
+ - origin-node
diff --git a/roles/osbs-install-openshift/tasks/method_source.yml b/roles/osbs-install-openshift/tasks/method_source.yml
new file mode 100644
index 0000000000..d07f166722
--- /dev/null
+++ b/roles/osbs-install-openshift/tasks/method_source.yml
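Review bot: The `install openshift` task in method_copr.yml never references `install_openshift_copr_version`, so the version that defaults/main.yml and the README present as mandatory is not enforced: `state=present` installs whatever the COPR repository currently serves and `osbs_update_packages: true` floats to the newest build. If pinning is intended, put the version into the package spec, e.g. `action: "{{ ansible_pkg_mgr }} name={{ item }}-{{ install_openshift_copr_version }} state={{ osbs_update_packages | ternary('latest', 'present') }}"`; otherwise remove the variable from defaults and the README so the documentation stops promising a pin. The two documents also disagree on the value (1.0.8 in defaults, 1.0.5 in the README), which the same cleanup should settle.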
@@ -0,0 +1,58 @@ +--- +- name: install build packages + action: "{{ ansible_pkg_mgr }} name={{ item }} state=installed" + with_items: + - rpm-build + - rpmdevtools + +- name: install build packages + yum: name=yum-utils state=installed + when: ansible_pkg_mgr == "yum" + +- name: delete rpmbuild directories + file: path={{ install_openshift_source_rpmbuild_dir }}/{{ item }}/ state=absent + with_items: + - RPMS + - SRPMS + - BUILD + - BUILDROOT + +- name: create rpmbuild directories + file: path={{ install_openshift_source_rpmbuild_dir }}/{{ item }}/ state=directory recurse=yes + with_items: + - SPECS + - SOURCES + +- name: upload SPEC + template: src=openshift.spec.j2 dest={{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec + +- name: install build dependencies + command: yum-builddep -y {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec + when: ansible_pkg_mgr == "yum" + +- name: install build dependencies + command: dnf builddep -y {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec + when: ansible_pkg_mgr == "dnf" + +- name: download openshift tarball + get_url: + url: https://github.com/openshift/origin/archive/{{ install_openshift_source_commit }}/{{ install_openshift_source_archive }} + dest: "{{ install_openshift_source_rpmbuild_dir }}/SOURCES/{{ install_openshift_source_archive }}" + +- name: run build + command: rpmbuild -bb --clean {{ install_openshift_source_rpmbuild_dir }}/SPECS/openshift.spec + +- name: find the RPMs + command: find {{ install_openshift_source_rpmbuild_dir }}/RPMS/ -type f + register: find_rpms + +- name: install the RPMs + shell: yum -y localinstall {{ install_openshift_source_rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm + when: ansible_pkg_mgr == "yum" + +- name: install the RPMs + shell: dnf -y install {{ install_openshift_source_rpmbuild_dir }}/RPMS/x86_64/*openshift*.rpm + when: ansible_pkg_mgr == "dnf" + +- name: link /etc/openshift to /etc/origin + file: path=/etc/openshift src=/etc/origin 
state=link diff --git a/roles/osbs-install-openshift/templates/maxamillion-fedora-openshift.repo.j2 b/roles/osbs-install-openshift/templates/maxamillion-fedora-openshift.repo.j2 new file mode 100644 index 0000000000..c78dafd9cc --- /dev/null +++ b/roles/osbs-install-openshift/templates/maxamillion-fedora-openshift.repo.j2 @@ -0,0 +1,8 @@ +[maxamillion-fedora-openshift] +name=Copr repo for fedora-openshift owned by maxamillion +baseurl=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/{{ (ansible_distribution == "Fedora") | ternary("fedora", "epel") }}-{{ ansible_distribution_major_version }}-$basearch/ +skip_if_unavailable=True +gpgcheck=1 +gpgkey=https://copr-be.cloud.fedoraproject.org/results/maxamillion/fedora-openshift/pubkey.gpg +enabled=1 + diff --git a/roles/osbs-install-openshift/templates/openshift.spec.j2 b/roles/osbs-install-openshift/templates/openshift.spec.j2 new file mode 100644 index 0000000000..31eabb7712 --- /dev/null +++ b/roles/osbs-install-openshift/templates/openshift.spec.j2 
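Review bot: The `download openshift tarball` task fetches the source archive with `get_url` but no `checksum`, and everything after it (`yum-builddep`, `rpmbuild`, `yum -y localinstall`) runs as root on whatever was returned, so the only integrity control is the commit hash embedded in the URL. Add `checksum: "sha256:EXPECTED_SHA256_PLACEHOLDER"` (replace with the archive's real digest) so a changed or tampered download fails the play instead of being built and installed. The `find the RPMs` task registers `find_rpms` but nothing reads it; the install steps glob `RPMS/x86_64/*openshift*.rpm` directly, so either iterate over `find_rpms.stdout_lines` or drop the task.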
@@ -0,0 +1,337 @@ +#debuginfo not supported with Go +%global debug_package %{nil} +%global gopath %{_datadir}/gocode +%global import_path github.com/openshift/origin +%global kube_plugin_path /usr/libexec/kubernetes/kubelet-plugins/net/exec/redhat~openshift-ovs-subnet +%global sdn_import_path github.com/openshift/openshift-sdn + +# docker_version is the version of docker requires by packages +%global docker_verison 1.6.2 +# tuned_version is the version of tuned requires by packages +%global tuned_version 2.3 +# openvswitch_version is the version of openvswitch requires by packages +%global openvswitch_version 2.3.1 +# %commit and %ldflags are intended to be set by tito custom builders provided +# in the rel-eng directory. The values in this spec file will not be kept up to date. +%{!?commit: +%global commit {{ openshift_commit }} +} +%global shortcommit %(c=%{commit}; echo ${c:0:7}) +# OpenShift specific ldflags from hack/common.sh os::build:ldflags +%{!?ldflags: +%global ldflags -X github.com/openshift/origin/pkg/version.majorFromGit 1 -X github.com/openshift/origin/pkg/version.minorFromGit 0+ -X github.com/openshift/origin/pkg/version.versionFromGit v1.0.4-366-gc66613f-dirty -X github.com/openshift/origin/pkg/version.commitFromGit {{ openshift_commit | truncate(7, True, '') }} -X k8s.io/kubernetes/pkg/version.gitCommit 44c91b1 -X k8s.io/kubernetes/pkg/version.gitVersion v1.1.0-alpha.0-1605-g44c91b1 +} + +Name: openshift +# Version is not kept up to date and is intended to be set by tito custom +# builders provided in the rel-eng directory of this project +Version: {{ openshift_version }} +Release: 0%{?dist} +Summary: Open Source Platform as a Service by Red Hat +License: ASL 2.0 +URL: https://%{import_path} +ExclusiveArch: x86_64 +Source0: https://%{import_path}/archive/%{commit}/%{name}-%{commit}.tar.gz + +BuildRequires: systemd +BuildRequires: golang >= 1.4 + + +%description +%{summary} + +%package master +Summary: OpenShift Master +Requires: %{name} = 
%{version}-%{release} +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description master +%{summary} + +%package node +Summary: OpenShift Node +Requires: %{name} = %{version}-%{release} +Requires: docker-io >= %{docker_version} +Requires: tuned-profiles-%{name}-node +Requires: util-linux +Requires: socat +Requires: nfs-utils +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd + +%description node +%{summary} + +%package -n tuned-profiles-%{name}-node +Summary: Tuned profiles for OpenShift Node hosts +Requires: tuned >= %{tuned_version} +Requires: %{name} = %{version}-%{release} + +%description -n tuned-profiles-%{name}-node +%{summary} + +%package clients +Summary: Openshift Client binaries for Linux, Mac OSX, and Windows +BuildRequires: golang-pkg-darwin-amd64 +BuildRequires: golang-pkg-windows-386 + +%description clients +%{summary} + +%package dockerregistry +Summary: Docker Registry v2 for OpenShift +Requires: %{name} = %{version}-%{release} + +%description dockerregistry +%{summary} + +%package pod +Summary: OpenShift Pod +Requires: %{name} = %{version}-%{release} + +%description pod +%{summary} + +%prep +%setup -qn origin-%{commit} + +%build + +# Don't judge me for this ... it's so bad. +mkdir _build + +# Horrid hack because golang loves to just bundle everything +pushd _build + mkdir -p src/github.com/openshift + ln -s $(dirs +1 -l) src/%{import_path} +popd + + +# Gaming the GOPATH to include the third party bundled libs at build +# time. This is bad and I feel bad. 
+mkdir _thirdpartyhacks +pushd _thirdpartyhacks + ln -s \ + $(dirs +1 -l)/Godeps/_workspace/src/ \ + src +popd +export GOPATH=$(pwd)/_build:$(pwd)/_thirdpartyhacks:%{buildroot}%{gopath}:%{gopath} +# Build all linux components we care about +for cmd in openshift dockerregistry +do + go install -ldflags "%{ldflags}" %{import_path}/cmd/${cmd} +done + +# Build only 'openshift' for other platforms +GOOS=windows GOARCH=386 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift +GOOS=darwin GOARCH=amd64 go install -ldflags "%{ldflags}" %{import_path}/cmd/openshift + +#Build our pod +pushd images/pod/ + go build -ldflags "%{ldflags}" pod.go +popd + +%install + +install -d %{buildroot}%{_bindir} + +# Install linux components +for bin in openshift dockerregistry +do + echo "+++ INSTALLING ${bin}" + install -p -m 755 _build/bin/${bin} %{buildroot}%{_bindir}/${bin} +done +# Install 'openshift' as client executable for windows and mac +for pkgname in openshift +do + install -d %{buildroot}%{_datadir}/${pkgname}/{linux,macosx,windows} + install -p -m 755 _build/bin/openshift %{buildroot}%{_datadir}/${pkgname}/linux/oc + install -p -m 755 _build/bin/darwin_amd64/openshift %{buildroot}%{_datadir}/${pkgname}/macosx/oc + install -p -m 755 _build/bin/windows_386/openshift.exe %{buildroot}%{_datadir}/${pkgname}/windows/oc.exe +done + +#Install openshift pod +install -p -m 755 images/pod/pod %{buildroot}%{_bindir}/ + +install -d -m 0755 %{buildroot}%{_unitdir} + +mkdir -p %{buildroot}%{_sysconfdir}/sysconfig + +for cmd in oc oadm; do + ln -s %{_bindir}/%{name} %{buildroot}%{_bindir}/$cmd +done +ln -s %{_bindir}/%{name} %{buildroot}%{_bindir}/kubectl + +install -d -m 0755 %{buildroot}%{_sysconfdir}/origin/{master,node} + +for pkgname in openshift +do + install -m 0644 rel-eng/${pkgname}-master.service %{buildroot}%{_unitdir}/${pkgname}-master.service + install -m 0644 rel-eng/${pkgname}-node.service %{buildroot}%{_unitdir}/${pkgname}-node.service + + install -m 0644 
rel-eng/${pkgname}-master.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/${pkgname}-master + install -m 0644 rel-eng/${pkgname}-node.sysconfig %{buildroot}%{_sysconfdir}/sysconfig/${pkgname}-node + install -d -m 0755 %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-{guest,host} + install -m 0644 tuned/%{name}-node-guest/tuned.conf %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-guest/tuned.conf + install -m 0644 tuned/%{name}-node-host/tuned.conf %{buildroot}%{_prefix}/lib/tuned/${pkgname}-node-host/tuned.conf + install -d -m 0755 %{buildroot}%{_mandir}/man7 + install -m 0644 tuned/man/tuned-profiles-%{name}-node.7 %{buildroot}%{_mandir}/man7/tuned-profiles-${pkgname}-node.7 + +done + +mkdir -p %{buildroot}%{_sharedstatedir}/%{name} +mkdir -p %{buildroot}%{_sharedstatedir}/origin + + +# Install bash completions +install -d -m 755 %{buildroot}%{_sysconfdir}/bash_completion.d/ +install -p -m 644 rel-eng/completions/bash/* %{buildroot}%{_sysconfdir}/bash_completion.d/ + +%files +%defattr(-,root,root,-) +%doc README.md LICENSE +%{_bindir}/openshift +%{_bindir}/oc +%{_bindir}/oadm +%{_bindir}/kubectl +%{_sharedstatedir}/%{name} +%{_sysconfdir}/bash_completion.d/* +%dir %config(noreplace) %{_sysconfdir}/origin + +%pre +# If /etc/openshift exists symlink it to /etc/origin +if [ -d "%{_sysconfdir}/openshift" ]; then + ln -s %{_sysconfdir}/openshift %{_sysconfdir}/origin +fi + +%files master +%defattr(-,root,root,-) +%{_unitdir}/%{name}-master.service +%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-master +%config(noreplace) /etc/origin/master + +%post master +%systemd_post %{basename:openshift-master.service} + +%preun master +%systemd_preun %{basename:openshift-master.service} + +%postun master +%systemd_postun + +%files node +%defattr(-,root,root,-) +%{_unitdir}/%{name}-node.service +%config(noreplace) %{_sysconfdir}/sysconfig/%{name}-node +%config(noreplace) /etc/origin/node + +%post node +%systemd_post %{basename:openshift-node.service} + +%preun node 
+%systemd_preun %{basename:openshift-node.service} + +%postun node +%systemd_postun + +%files -n tuned-profiles-openshift-node +%defattr(-,root,root,-) +%{_prefix}/lib/tuned/openshift-node-host +%{_prefix}/lib/tuned/openshift-node-guest +%{_mandir}/man7/tuned-profiles-openshift-node.7* + +%post -n tuned-profiles-openshift-node +recommended=`/usr/sbin/tuned-adm recommend` +if [[ "${recommended}" =~ guest ]] ; then + /usr/sbin/tuned-adm profile openshift-node-guest > /dev/null 2>&1 +else + /usr/sbin/tuned-adm profile openshift-node-host > /dev/null 2>&1 +fi + +%preun -n tuned-profiles-openshift-node +# reset the tuned profile to the recommended profile +# $1 = 0 when we're being removed > 0 during upgrades +if [ "$1" = 0 ]; then + recommended=`/usr/sbin/tuned-adm recommend` + /usr/sbin/tuned-adm profile $recommended > /dev/null 2>&1 +fi + +%files clients +%{_datadir}/%{name}/linux/oc +%{_datadir}/%{name}/macosx/oc +%{_datadir}/%{name}/windows/oc.exe + +%files dockerregistry +%defattr(-,root,root,-) +%{_bindir}/dockerregistry + +%files pod +%defattr(-,root,root,-) +%{_bindir}/pod + +%changelog +* Wed Aug 19 2015 Martin Milata 0.2-9.ansible-osbs +- Modified for ansible-osbs + +* Wed Aug 12 2015 Steve Milner 0.2-8 +- Master configs will be generated if none are found. +- Node configs will be generated if none are found and master is installed. +- All-In-One services removed. + +* Wed Aug 12 2015 Steve Milner 0.2-7 +- Added new ovs script(s) to file lists. 
+ +* Wed Aug 5 2015 Steve Milner 0.2-6 +- Using _unitdir instead of _prefix for unit data + +* Fri Jul 31 2015 Steve Milner 0.2-5 +- Configuration location now /etc/origin +- Default configs created upon installation + +* Tue Jul 28 2015 Steve Milner 0.2-4 +- Added AEP packages + +* Mon Jan 26 2015 Scott Dodson 0.2-3 +- Update to 21fb40637c4e3507cca1fcab6c4d56b06950a149 +- Split packaging of openshift-master and openshift-node + +* Mon Jan 19 2015 Scott Dodson 0.2-2 +- new package built with tito + +* Fri Jan 09 2015 Adam Miller - 0.2-2 +- Add symlink for osc command line tooling (merged in from jhonce@redhat.com) + +* Wed Jan 07 2015 Adam Miller - 0.2-1 +- Update to latest upstream release +- Restructured some of the golang deps build setup for restructuring done + upstream + +* Thu Oct 23 2014 Adam Miller - 0-0.0.9.git562842e +- Add new patches from jhonce for systemd units + +* Mon Oct 20 2014 Adam Miller - 0-0.0.8.git562842e +- Update to latest master snapshot + +* Wed Oct 15 2014 Adam Miller - 0-0.0.7.git7872f0f +- Update to latest master snapshot + +* Fri Oct 03 2014 Adam Miller - 0-0.0.6.gite4d4ecf +- Update to latest Alpha nightly build tag 20141003 + +* Wed Oct 01 2014 Adam Miller - 0-0.0.5.git6d9f1a9 +- Switch to consistent naming, patch by jhonce + +* Tue Sep 30 2014 Adam Miller - 0-0.0.4.git6d9f1a9 +- Add systemd and sysconfig entries from jhonce + +* Tue Sep 23 2014 Adam Miller - 0-0.0.3.git6d9f1a9 +- Update to latest upstream. + +* Mon Sep 15 2014 Adam Miller - 0-0.0.2.git2647df5 +- Update to latest upstream. + +* Thu Aug 14 2014 Adam Miller - 0-0.0.1.gitc3839b8 +- First package diff --git a/roles/osbs-master/README.md b/roles/osbs-master/README.md new file mode 100644 index 0000000000..455ff8fc20 --- /dev/null +++ b/roles/osbs-master/README.md 
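Review bot: The template renders `{{ openshift_commit }}` and `{{ openshift_version }}`, but the role's defaults only define `install_openshift_source_commit` and `install_openshift_source_version` and the `upload SPEC` task in method_source.yml passes nothing else, so unless the playbook sets those two names itself the template step fails on an undefined variable; the references should be `{{ install_openshift_source_commit }}` and `{{ install_openshift_source_version }}` (or the defaults should provide aliases). Separately, the macro is defined as `%global docker_verison 1.6.2` while the node subpackage requires `docker-io >= %{docker_version}`, so the dependency refers to a macro that is never defined; rename the definition to `%global docker_version 1.6.2`.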
@@ -0,0 +1,147 @@ +osbs-master +=========== + +Main role for deploying OSBS - [OpenShift build +service](https://github.com/projectatomic/osbs-client/), service for building +layered Docker images. + +It performs the necessary configuration of Docker and OpenShift and optionally +opens/closes OpenShift firewall port. It also generates self-signed certificate +that can be used by reverse proxy placed in front of the builder. + +This role is part of +[ansible-osbs](https://github.com/projectatomic/ansible-osbs/) playbook for +deploying OpenShift build service. Please refer to that github repository for +[documentation](https://github.com/projectatomic/ansible-osbs/blob/master/README.md) +and [issue tracker](https://github.com/projectatomic/ansible-osbs/issues). + +Role Variables +-------------- + +You may need to configure Docker to connect to registries over plain HTTP, or +HTTPS with self-signed certificate (especially when developing OSBS). You can +provide list of such registries in `osbs_docker_insecure_registries` (empty by +default). + + osbs_docker_insecure_registries: [] + +Expose the OpenShift port to the outside world? Set this to `false` when using +authenticating proxy on the localhost. Has no effect if `osbs_manage_firewalld` +is `false`. + + osbs_master_expose_port: true + +Set to false if you don't use firewalld or do not want the playbook to modify +it. + + osbs_manage_firewalld: true + +If you are using authenticating proxy, this role can generate a self-signed certificate that the proxy can use to authenticate itself to OpenShift. The proxy needs the certificate and the key concatenated in one file (`osbs_proxy_cert_file`). OpenShift needs to know the CA of the certificate, which is configured in `osbs_proxy_ca_file` and which is the same as the certificate because it is self-signed. 
+ + osbs_proxy_cert_file: /etc/origin/proxy_selfsigned.crt + osbs_proxy_key_file: /etc/origin/proxy_selfsigned.key + osbs_proxy_certkey_file: /etc/httpd/openshift_proxy_certkey.crt + osbs_proxy_ca_file: /etc/origin/proxy_selfsigned.crt + +OpenShift authorization policy - which users should be assigned the view +(read-only), osbs-builder (read-write), and cluster-admin (admin) roles. In +default configuration, everyone has read/write access. The authentication is +handled by the proxy - if you are not using it the everyone connecting from the +outside belongs to the `system:unauthenticated` group. + +Default setup: + + osbs_readonly_users: [] + osbs_readonly_groups: [] + osbs_readwrite_users: [] + osbs_readwrite_groups: + - system:authenticated + - system:unauthenticated + osbs_admin_users: [] + osbs_admin_groups: [] + +Development with authenticating proxy: + + osbs_readonly_users: [] + osbs_readonly_groups: [] + osbs_readwrite_users: [] + osbs_readwrite_groups: + - system:authenticated + osbs_admin_users: [] + osbs_admin_groups: [] + +Example production configuration with only one user starting the builds: + + osbs_readonly_users: [] + osbs_readonly_groups: + - system:authenticated + osbs_readwrite_groups: [] + osbs_readwrite_users: + - kojibuilder + osbs_admin_users: + - foo@EXAMPLE.COM + - bar@EXAMPLE.COM + osbs_admin_groups: [] + +Limit on the number of running pods. + + osbs_master_max_pods: 3 + +Dependencies +------------ + +OpenShift is expected to be installed on the remote host. This can by +accomplished by the +[install-openshift](https://github.com/projectatomic/ansible-role-install-openshift) +role. + +Example Playbook +---------------- + +Simple development deployment: + + - hosts: builders + roles: + - install-openshift + - osbs-master + - atomic-reactor + +Deployment behind authentication proxy that only allows the *kojibuilder* user +to start builds (and everyone to view them). 
Set docker to trust registry on +localhost:5000 even though it uses HTTP. + + - hosts: builders + roles: + - install-openshift + - role: osbs-master + osbs_master_expose_port: false + osbs_docker_insecure_registries: [172.42.17.1:5000] + osbs_readonly_users: [] + osbs_readonly_groups: + - system:authenticated + - system:unauthenticated + osbs_readwrite_groups: [] + osbs_readwrite_users: + - kojibuilder + osbs_admin_users: [] + osbs_admin_groups: [] + - atomic-reactor + - role: osbs-proxy + osbs_proxy_type: kerberos + osbs_proxy_kerberos_keytab_file: /etc/HTTP-FQDN.EXAMPLE.COM.keytab + osbs_proxy_kerberos_realm: EXAMPLE.COM + osbs_proxy_ssl_cert_file: /etc/fqdn.example.com.crt + osbs_proxy_ssl_key_file: /etc/fqdn.example.com.key + osbs_proxy_ip_whitelist: + - subnet: 192.168.66.0/24 + user: kojibuilder + +License +------- + +BSD + +Author Information +------------------ + +Martin Milata <mmilata@redhat.com> diff --git a/roles/osbs-master/defaults/main.yml b/roles/osbs-master/defaults/main.yml new file mode 100644 index 0000000000..f898018b90 --- /dev/null +++ b/roles/osbs-master/defaults/main.yml 
@@ -0,0 +1,71 @@ +--- +# docker needs to know which registries are insecure +osbs_docker_insecure_registries: [] + +# Expose the OpenShift port to the outside world? Set this to false when using +# authenticating proxy on the localhost. Has no effect if osbs_manage_firewalld +# is false. +osbs_master_expose_port: true + +# set to false if you don't use firewalld or do not want the playbook to modify it +osbs_manage_firewalld: true + +# these will be generated for proxy so it can authenticate itself +osbs_proxy_cert_file: /etc/origin/proxy_selfsigned.crt +osbs_proxy_key_file: /etc/origin/proxy_selfsigned.key +osbs_proxy_certkey_file: /etc/origin/proxy_certkey.crt + +# CA cert to validate the proxy certificate against +osbs_proxy_ca_file: /etc/origin/proxy_selfsigned.crt + +# openshift authorization - which users should be assigned the view (readonly), +# osbs-builder (readwrite), and cluster-admin (admin) roles +# in default configuration, everyone has read/write access +osbs_readonly_users: [] +osbs_readonly_groups: [] +osbs_readwrite_users: [] +osbs_readwrite_groups: + - system:authenticated + - system:unauthenticated +osbs_admin_users: [] +osbs_admin_groups: [] + +## development w/ auth proxy: +#osbs_readonly_users: [] +#osbs_readonly_groups: [] +#osbs_readwrite_users: [] +#osbs_readwrite_groups: +# - system:authenticated +#osbs_admin_users: [] +#osbs_admin_groups: [] + +## example production configuration: +#osbs_readonly_users: [] +#osbs_readonly_groups: +# - system:authenticated +#osbs_readwrite_groups: [] +#osbs_readwrite_users: +# - kojibuilder +# - "{{ ansible_hostname }}" +# - system:serviceaccount:default:default +#osbs_admin_users: +# - foo@EXAMPLE.COM +# - bar@EXAMPLE.COM +#osbs_admin_groups: [] + +# limit on the number of running pods +osbs_master_max_pods: 3 + +# update packagages to their latest version? 
+osbs_update_packages: false + +# directory for exporting v1 images to koji +# if not defined, nothing will happen +#osbs_export_dir: /mnt/image-export + +# mount the image export directory +#osbs_export_mount_src: /dev/vda1 +#osbs_export_mount_fs: ext4 + +# configure httpd to publish the directory under following path of default vhost +#osbs_export_http_path: /image-export diff --git a/roles/osbs-master/files/openshift-role-osbs-builder.yml b/roles/osbs-master/files/openshift-role-osbs-builder.yml new file mode 100644 index 0000000000..5ef00af437 --- /dev/null +++ b/roles/osbs-master/files/openshift-role-osbs-builder.yml @@ -0,0 +1,36 @@ +apiVersion: v1 +kind: ClusterRole +metadata: + name: osbs-builder +rules: +- attributeRestrictions: null + resources: + - builds/custom + - pods/exec + - pods/portforward + - pods/proxy + - resourcegroup:exposedkube + - resourcegroup:exposedopenshift + - secrets + verbs: + - create + - delete + - get + - list + - update + - watch +- attributeRestrictions: null + resources: + - resourcegroup:allkube + - resourcegroup:allkube-status + - resourcegroup:allopenshift-status + verbs: + - get + - list + - watch +- attributeRestrictions: null + resources: + - imagestreams/layers + verbs: + - get + - update diff --git a/roles/osbs-master/files/sysconfig-origin-master b/roles/osbs-master/files/sysconfig-origin-master new file mode 100644 index 0000000000..86f61888f5 --- /dev/null +++ b/roles/osbs-master/files/sysconfig-origin-master @@ -0,0 +1,9 @@ +OPTIONS="--loglevel=3" +CONFIG_FILE=/etc/origin/master/master-config.yaml + +# Proxy configuration +# Origin uses standard HTTP_PROXY environment variables. Be sure to set +# NO_PROXY for your master +#NO_PROXY=master.example.com +#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT +#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT diff --git a/roles/osbs-master/files/sysconfig-origin-node b/roles/osbs-master/files/sysconfig-origin-node new file mode 100644 index 0000000000..886fc79bc3 --- /dev/null 
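Review bot: The shipped defaults bind the read/write role to both `system:authenticated` and `system:unauthenticated` while `osbs_master_expose_port: true` opens the OpenShift port in firewalld, so a host deployed with defaults grants anonymous network clients the `osbs-builder` role that openshift-role-osbs-builder.yml gives create/delete/get on `secrets` and `pods/exec`. The comment says this is intentional for development; consider flipping `osbs_master_expose_port` to `false` by default so the open binding is only reachable through the authenticating proxy, or at least state the consequence next to the group list, e.g. `# with osbs_master_expose_port: true this grants anyone who can reach the port build and secret access`. Also `osbs_proxy_certkey_file` defaults to `/etc/origin/proxy_certkey.crt` here but the README documents `/etc/httpd/openshift_proxy_certkey.crt`; one of them should change.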
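Review bot: The `osbs-builder` ClusterRole grants full create/delete/get/list/update/watch on `secrets` and on `pods/exec`, which is far broader than a build-submitter needs and, with the defaults binding it to `system:unauthenticated`, is effectively exposed to anyone reaching the API. If the builder only needs to read push/pull credentials, narrow the first rule to `get` on `secrets` (and drop `pods/exec` unless atomic-reactor demonstrably uses it), and prefer a namespaced Role plus RoleBinding in the build project over a cluster-wide binding — the rolebinding template is not in this chunk, so whether the binding is cluster-scoped is inferred.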
+++ b/roles/osbs-master/files/sysconfig-origin-node
@@ -0,0 +1,22 @@
+OPTIONS="--loglevel=3"
+# /etc/origin/node/ should contain the entire contents of
+# /var/lib/origin.local.certificates/node-${node-fqdn} generated by
+# running 'atomic-enterprise admin create-node-config' on your master
+#
+# If if your node is running on a separate host you can rsync the contents
+# rsync -a root@atomic-enterprise-master:/var/lib/origin/origin.local.certificates/node-`hostname`/ /etc/origin/node
+CONFIG_FILE=/etc/origin/node/node-config.yaml
+
+# The $DOCKER_NETWORK_OPTIONS variable is used by sdn plugins to set
+# $DOCKER_NETWORK_OPTIONS variable in the /etc/sysconfig/docker-network
+# Most plugins include their own defaults within the scripts
+# TODO: More elegant solution like this
+# https://github.com/coreos/flannel/blob/master/dist/mk-docker-opts.sh
+# DOCKER_NETWORK_OPTIONS='-b=lbr0 --mtu=1450'
+
+# Proxy configuration
+# Origin uses standard HTTP_PROXY environment variables. Be sure to set
+# NO_PROXY for your master
+#NO_PROXY=master.example.com
+#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
+#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT
diff --git a/roles/osbs-master/handlers/main.yml b/roles/osbs-master/handlers/main.yml
new file mode 100644
index 0000000000..9c61eb05d7
--- /dev/null
+++ b/roles/osbs-master/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: restart docker
+ service: name=docker state=restarted
+
+- name: restart openshift-master
+ service: name=origin-master state=restarted
+
+- name: restart openshift-node
+ service: name=origin-node state=restarted
+
+- name: restart httpd
+ service: name=httpd state=restarted
diff --git a/roles/osbs-master/meta/.galaxy_install_info b/roles/osbs-master/meta/.galaxy_install_info
new file mode 100644
index 0000000000..14182b0644
--- /dev/null
+++ b/roles/osbs-master/meta/.galaxy_install_info
@@ -0,0 +1 @@
+{install_date: 'Thu Jan 7 17:30:46 2016', version: master}
diff --git a/roles/osbs-master/meta/main.yml b/roles/osbs-master/meta/main.yml
new file mode 100644
index 0000000000..f6019c9b47
--- /dev/null
+++ b/roles/osbs-master/meta/main.yml
@@ -0,0 +1,21 @@
+---
+galaxy_info:
+ author: Martin Milata
+ description: OpenShift build service - builder of layered Docker images
+ company: Red Hat
+ issue_tracker_url: https://github.com/projectatomic/ansible-osbs/issues
+ license: BSD
+ min_ansible_version: 1.9
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ - name: Fedora
+ versions:
+ - 21
+ - 22
+ categories:
+ - cloud
+ - development
+ - packaging
+dependencies: []
diff --git a/roles/osbs-master/tasks/export.yml b/roles/osbs-master/tasks/export.yml
new file mode 100644
index 0000000000..2a68edd372
--- /dev/null
+++ b/roles/osbs-master/tasks/export.yml
@@ -0,0 +1,45 @@
+---
+- name: mount the export directory
+ mount:
+ name: "{{ osbs_export_dir }}"
+ src: "{{ osbs_export_mount_src }}"
+ fstype: "{{ osbs_export_mount_fs }}"
+ state: mounted
+ when: osbs_export_mount_src is defined
+
+- name: set owner of the image export directory
+ file:
+ path: "{{ osbs_export_dir }}"
+ state: directory
+ owner: apache
+ group: apache
+ when: osbs_export_http_path is defined
+
+- name: configure selinux labels for image export directory
+ command: semanage fcontext --add --type httpd_sys_content_t "{{ osbs_export_dir }}(/.*)?"
+ when: osbs_export_http_path is defined
+
+- name: restore selinux labels for image export directory
+ file:
+ path: "{{ osbs_export_dir }}"
+ state: directory
+ setype: httpd_sys_content_t
+ recurse: yes
+ when: osbs_export_http_path is defined
+
+- name: export the mount directory via http
+ template: src=httpd-osbs_image_export.conf.j2 dest={{ osbs_export_http_conf }}
+ notify:
+ - restart httpd
+ when: osbs_export_http_path is defined
+
+- name: open http ports
+ firewalld:
+ service: "{{ item }}"
+ state: enabled
+ permanent: true
+ immediate: true
+ with_items:
+ - http
+ - https
+ when: osbs_export_http_path is defined and osbs_manage_firewalld
diff --git a/roles/osbs-master/tasks/main.yml b/roles/osbs-master/tasks/main.yml
new file mode 100644
index 0000000000..dbb0127aa2
--- /dev/null
+++ b/roles/osbs-master/tasks/main.yml
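Review bot: The `configure selinux labels for image export directory` task runs `semanage fcontext --add` unconditionally, and semanage rejects adding a mapping that already exists, so the second run of the play fails on this task rather than converging. Guard it with a lookup of the existing mapping and only add when absent (a `sefcontext`-style module would be cleaner if the Ansible version in use has one). The `export the mount directory via http` task also writes to `osbs_export_http_conf`, which defaults/main.yml does not define; if it lives in a vars file outside this chunk that is fine, otherwise it needs a default.
```yaml
- name: check selinux label for image export directory
  shell: semanage fcontext --list | grep -F "{{ osbs_export_dir }}(/.*)?"
  register: osbs_export_fcontext
  changed_when: false
  failed_when: false
  when: osbs_export_http_path is defined

- name: configure selinux labels for image export directory
  command: semanage fcontext --add --type httpd_sys_content_t "{{ osbs_export_dir }}(/.*)?"
  when: osbs_export_http_path is defined and osbs_export_fcontext.rc != 0
# … unchanged: restore selinux labels, export via http, open http ports …
```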
@@ -0,0 +1,115 @@ +--- +### docker service ### + +- name: install packages required by osbs + action: "{{ ansible_pkg_mgr }} name=docker state={{ osbs_update_packages | ternary('latest', 'present') }}" + +- name: configure docker + template: src=sysconfig-docker.j2 dest=/etc/sysconfig/docker backup=yes + notify: restart docker + +- name: ensure docker is running + service: name=docker state=started enabled=yes + +### openshift service ### + +- name: open/close openshift port in the firewall + firewalld: + port: "{{ osbs_openshift_port }}/tcp" + state: "{{ osbs_master_expose_port | ternary('enabled', 'disabled') }}" + permanent: true + immediate: true + when: osbs_manage_firewalld + +- name: apply modifications to /etc/sysconfig/origin + copy: src=sysconfig-origin-{{ item }} dest=/etc/sysconfig/origin-{{ item }} + with_items: + - master + - node + +- name: configure openshift master + template: src=master-config.yaml.j2 dest=/etc/origin/master/master-config.yaml + notify: restart openshift-master + +- name: configure openshift node + template: src=node-config.yaml.j2 dest=/etc/origin/node/node-config.yaml + notify: restart openshift-node + +- name: generate cert for authenticating proxy - self-signed certificate + command: > + openssl req -new -nodes -x509 + -subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}" + -days 3650 + -keyout {{ osbs_proxy_key_file }} + -out {{ osbs_proxy_cert_file }} + -extensions v3_ca + args: + creates: "{{ osbs_proxy_cert_file }}" + register: auth_proxy_cert + +- name: generate cert for authenticating proxy - convert privkey to rsa + command: openssl rsa -in {{ osbs_proxy_key_file }} -out {{ osbs_proxy_key_file }} + when: auth_proxy_cert.changed + +- name: generate cert for authenticating proxy - concatenate cert and key + shell: cat {{ osbs_proxy_cert_file }} {{ osbs_proxy_key_file }} > {{ osbs_proxy_certkey_file }} + +# We need to have openshift restarted in order to configure authentication. 
+- meta: flush_handlers + +- name: ensure openshift is running + service: name=origin-{{ item }} state=started enabled=yes + with_items: + - master + - node + +- name: wait for openshift to start accepting connections + wait_for: port={{ osbs_openshift_port }} timeout=30 + +- name: copy osbs-builder role definition + copy: src=openshift-role-osbs-builder.yml dest={{ osbs_openshift_home }}/role-osbs-builder.yml + +- name: import the osbs-builder role + command: oc replace --force=true --filename={{ osbs_openshift_home }}/role-osbs-builder.yml + environment: osbs_environment + +- name: copy role bindings + template: src=openshift-rolebinding.yml.j2 dest={{ osbs_openshift_home }}/rolebinding-{{ item.name }}.yml + with_items: + - name: osbs-readonly + role: view + users: "{{ osbs_readonly_users }}" + groups: "{{ osbs_readonly_groups }}" + - name: osbs-readwrite + role: osbs-builder + users: "{{ osbs_readwrite_users }}" + groups: "{{ osbs_readwrite_groups }}" + - name: osbs-admin + role: cluster-admin + users: "{{ osbs_admin_users }}" + groups: "{{ osbs_admin_groups }}" + +- name: import the role bindings + command: oc replace --force=true --filename={{ osbs_openshift_home }}/rolebinding-{{ item }}.yml + environment: osbs_environment + with_items: + - osbs-readonly + - osbs-readwrite + - osbs-admin + +- name: copy resource quotas + template: src=openshift-resourcequota.yml.j2 dest={{ osbs_openshift_home }}/resourcequota.yml + +- name: import resource quotas + command: oc replace --force=true --filename={{ osbs_openshift_home }}/resourcequota.yml + environment: osbs_environment + +# Useful when using "oc" to inspect openshift state. +- name: add KUBECONFIG to .bashrc + lineinfile: + dest: "{{ ansible_env.HOME }}/.bashrc" + regexp: "export KUBECONFIG=" + line: "export KUBECONFIG={{ osbs_environment.KUBECONFIG }}" + +- include: export.yml + when: osbs_export_dir is defined 
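Review bot: The proxy private key is written by `openssl req -keyout` and then copied into `osbs_proxy_certkey_file` via `shell: cat ... > ...`, and no task sets a mode on either file, so their permissions are whatever the process umask yields (typically world-readable 0644 for root); the concatenated cert+key file in particular should be locked down since it is the credential the proxy presents to OpenShift. Add a `file` task after the concatenation that sets `owner=root group=root mode=0600` on the key and certkey files — httpd reads its key material before dropping privileges, so root-only is normally sufficient, but confirm for whichever proxy consumes it. The `cat` task also reports changed on every run; tying it to `when: auth_proxy_cert.changed` like the `convert privkey to rsa` step, or adding `args: creates:`, would make the play idempotent. The bare `environment: osbs_environment` on the `oc replace` tasks relies on older Ansible accepting an unquoted variable name; `environment: "{{ osbs_environment }}"` is the portable form.
```yaml
- name: generate cert for authenticating proxy - concatenate cert and key
  shell: cat {{ osbs_proxy_cert_file }} {{ osbs_proxy_key_file }} > {{ osbs_proxy_certkey_file }}

- name: restrict permissions on proxy private key material
  file: path={{ item }} owner=root group=root mode=0600
  with_items:
    - "{{ osbs_proxy_key_file }}"
    - "{{ osbs_proxy_certkey_file }}"
# … unchanged: flush_handlers, ensure openshift is running, role import …
```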
diff --git a/roles/osbs-master/templates/httpd-osbs_image_export.conf.j2 b/roles/osbs-master/templates/httpd-osbs_image_export.conf.j2 new file mode 100644 index 0000000000..b0e32772f8 --- /dev/null +++ b/roles/osbs-master/templates/httpd-osbs_image_export.conf.j2 @@ -0,0 +1,11 @@ +# atomic-reactor copies tarballs to this directory (via NFS share) and koji +# downloads it from this place. Garbage collection needs to be done on this +# directory. + +Alias "{{ osbs_export_http_path }}" "{{ osbs_export_dir }}" + + + AllowOverride None + Require all granted + Options +Indexes + diff --git a/roles/osbs-master/templates/master-config.yaml.j2 b/roles/osbs-master/templates/master-config.yaml.j2 new file mode 100644 index 0000000000..a7da1c9594 --- /dev/null +++ b/roles/osbs-master/templates/master-config.yaml.j2 
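Review bot: The directory block publishes `osbs_export_dir` with `Require all granted` and `Options +Indexes` on the default vhost, and export.yml opens http/https in firewalld, so every exported image tarball plus a browsable listing is served to any client that can reach the host; the comment says only koji downloads from here. Restrict access to the consumer instead, e.g. `Require ip KOJI_HUB_ADDRESS_PLACEHOLDER` (replace with the hub's address or subnet), and drop `+Indexes` unless koji actually lists the directory. The `<Directory ...>` opening and closing lines are not visible in this rendering, which looks like an extraction artifact rather than missing config — worth confirming against the file.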
@@ -0,0 +1,154 @@ +apiLevels: +- v1 +apiVersion: v1 +assetConfig: + extensionDevelopment: false + extensionScripts: null + extensionStylesheets: null + extensions: null + loggingPublicURL: "" + logoutURL: "" + masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 + metricsPublicURL: "" + publicURL: https://{{ ansible_default_ipv4.address }}:8443/console/ + servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: tcp4 + certFile: master.server.crt + clientCA: "" + keyFile: master.server.key + maxRequestsInFlight: 0 + namedCertificates: null + requestTimeoutSeconds: 0 +controllerLeaseTTL: 0 +controllers: '*' +corsAllowedOrigins: +- 127.0.0.1 +- {{ ansible_default_ipv4.address }}:8443 +- localhost +disabledFeatures: null +dnsConfig: + bindAddress: 0.0.0.0:53 + bindNetwork: tcp4 +etcdClientInfo: + ca: ca.crt + certFile: master.etcd-client.crt + keyFile: master.etcd-client.key + urls: + - https://{{ ansible_default_ipv4.address }}:4001 +etcdConfig: + address: {{ ansible_default_ipv4.address }}:4001 + peerAddress: {{ ansible_default_ipv4.address }}:7001 + peerServingInfo: + bindAddress: 0.0.0.0:7001 + bindNetwork: tcp4 + certFile: etcd.server.crt + clientCA: ca.crt + keyFile: etcd.server.key + namedCertificates: null + servingInfo: + bindAddress: 0.0.0.0:4001 + bindNetwork: tcp4 + certFile: etcd.server.crt + clientCA: ca.crt + keyFile: etcd.server.key + namedCertificates: null + storageDirectory: /var/lib/origin/openshift.local.etcd +etcdStorageConfig: + kubernetesStoragePrefix: kubernetes.io + kubernetesStorageVersion: v1 + openShiftStoragePrefix: openshift.io + openShiftStorageVersion: v1 +imageConfig: + format: openshift/origin-${component}:${version} + latest: false +kind: MasterConfig +kubeletClientInfo: + ca: ca.crt + certFile: master.kubelet-client.crt + keyFile: master.kubelet-client.key + port: 10250 +kubernetesMasterConfig: + apiLevels: null + apiServerArguments: null + controllerArguments: null + disabledAPIGroupVersions: {} + masterCount: 1 + 
masterIP: {{ ansible_default_ipv4.address }} + podEvictionTimeout: 5m + proxyClientInfo: + certFile: master.proxy-client.crt + keyFile: master.proxy-client.key + schedulerConfigFile: "" + servicesNodePortRange: 30000-32767 + servicesSubnet: 172.30.0.0/16 + staticNodeNames: + - {{ ansible_fqdn }} +masterClients: + externalKubernetesKubeConfig: "" + openshiftLoopbackKubeConfig: openshift-master.kubeconfig +masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 +networkConfig: + clusterNetworkCIDR: 10.1.0.0/16 + hostSubnetLength: 8 + networkPluginName: "" + serviceNetworkCIDR: 172.30.0.0/16 +oauthConfig: + assetPublicURL: https://{{ ansible_default_ipv4.address }}:8443/console/ + grantConfig: + method: auto + identityProviders: + - name: request_header + challenge: false + login: false + provider: + apiVersion: v1 + kind: RequestHeaderIdentityProvider + clientCA: {{ osbs_proxy_ca_file | default('/etc/origin/master/ca.crt') }} + headers: + - X-Remote-User + masterCA: ca.crt + masterPublicURL: https://{{ ansible_default_ipv4.address }}:8443 + masterURL: https://{{ ansible_default_ipv4.address }}:8443 + sessionConfig: + sessionMaxAgeSeconds: 300 + sessionName: ssn + sessionSecretsFile: "" + templates: null + tokenConfig: + accessTokenMaxAgeSeconds: 86400 + authorizeTokenMaxAgeSeconds: 300 +pauseControllers: false +policyConfig: + bootstrapPolicyFile: policy.json + openshiftInfrastructureNamespace: openshift-infra + openshiftSharedResourcesNamespace: openshift +projectConfig: + defaultNodeSelector: "" + projectRequestMessage: "" + projectRequestTemplate: "" + securityAllocator: + mcsAllocatorRange: s0:/2 + mcsLabelsPerProject: 5 + uidAllocatorRange: 1000000000-1999999999/10000 +routingConfig: + subdomain: router.default.svc.cluster.local +serviceAccountConfig: + limitSecretReferences: false + managedNames: + - default + - builder + - deployer + masterCA: ca.crt + privateKeyFile: serviceaccounts.private.key + publicKeyFiles: + - serviceaccounts.public.key 
+servingInfo: + bindAddress: 0.0.0.0:8443 + bindNetwork: tcp4 + certFile: master.server.crt + clientCA: ca.crt + keyFile: master.server.key + maxRequestsInFlight: 500 + namedCertificates: null + requestTimeoutSeconds: 3600 diff --git a/roles/osbs-master/templates/node-config.yaml.j2 b/roles/osbs-master/templates/node-config.yaml.j2 new file mode 100644 index 0000000000..4632aaf043 --- /dev/null +++ b/roles/osbs-master/templates/node-config.yaml.j2 @@ -0,0 +1,31 @@ +allowDisabledDocker: false +apiVersion: v1 +authConfig: + authenticationCacheSize: 1000 + authenticationCacheTTL: 5m + authorizationCacheSize: 1000 + authorizationCacheTTL: 5m +dnsDomain: cluster.local +dnsIP: "" +dockerConfig: + execHandlerName: native +imageConfig: + format: openshift/origin-${component}:${version} + latest: false +iptablesSyncPeriod: 5s +kind: NodeConfig +masterKubeConfig: node.kubeconfig +networkConfig: + mtu: 1450 + networkPluginName: "" +nodeIP: "" +nodeName: localhost +podManifestConfig: null +servingInfo: + bindAddress: 0.0.0.0:10250 + bindNetwork: tcp4 + certFile: server.crt + clientCA: node-client-ca.crt + keyFile: server.key + namedCertificates: null +volumeDirectory: /var/lib/origin/openshift.local.volumes diff --git a/roles/osbs-master/templates/openshift-resourcequota.yml.j2 b/roles/osbs-master/templates/openshift-resourcequota.yml.j2 new file mode 100644 index 0000000000..cc62a6017f --- /dev/null +++ b/roles/osbs-master/templates/openshift-resourcequota.yml.j2 @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ResourceQuota +metadata: + name: concurrentbuilds +spec: + hard: + pods: {{ osbs_master_max_pods }} diff --git a/roles/osbs-master/templates/openshift-rolebinding.yml.j2 b/roles/osbs-master/templates/openshift-rolebinding.yml.j2 new file mode 100644 index 0000000000..7593580134 --- /dev/null +++ b/roles/osbs-master/templates/openshift-rolebinding.yml.j2 
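Review bot: The `RequestHeaderIdentityProvider` under `oauthConfig.identityProviders` defaults `clientCA` to `/etc/origin/master/ca.crt` when `osbs_proxy_ca_file` is unset, and that same `ca.crt` is what `etcdClientInfo.ca`, `kubeletClientInfo.ca` and `serviceAccountConfig.masterCA` name, so it appears to be the cluster CA that signs the node, etcd and admin client certificates. If so, any holder of a cluster-signed cert (a compromised node, for instance) can present an `X-Remote-User` header of its choice to the OAuth server and obtain a token for any user, including those bound to `cluster-admin` elsewhere in this patch. I would make the proxy CA required instead of defaulted — `clientCA: {{ osbs_proxy_ca_file | mandatory }}` — and document the constraint: `# CA that signed the authenticating proxy's client cert; must NOT be the cluster CA, since every cluster-signed cert could then assert X-Remote-User.` Note also that `masterPublicURL` and the OAuth URLs are built from `ansible_default_ipv4.address`, so `master.server.crt` must cover that IP or clients cannot verify it.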
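Review bot: `nodeName: localhost` in node-config.yaml.j2 is hard-coded while master-config.yaml.j2 lists `staticNodeNames: - {{ ansible_fqdn }}`, so the name the node registers under and the name the master is told to expect only agree when the host's FQDN is literally `localhost`. If the two are meant to match, render both from the same fact: `nodeName: {{ ansible_fqdn }}`. The node's client identity is presumably tied to that name as well (`masterKubeConfig: node.kubeconfig`), but how that credential is generated is not visible in this hunk, so treat that as something to confirm.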
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: RoleBinding
+metadata:
+ name: {{ item.name }}
+roleRef:
+ name: {{ item.role }}
+
+{% if item.users == [] %}
+userNames: []
+{% else %}
+userNames:
+{% for u in item.users %}
+- {{u}}
+{% endfor %}
+{% endif %}
+
+{% if item.groups == [] %}
+groupNames: []
+{% else %}
+groupNames:
+{% for g in item.groups %}
+- {{g}}
+{% endfor %}
+{% endif %}
diff --git a/roles/osbs-master/templates/sysconfig-docker.j2 b/roles/osbs-master/templates/sysconfig-docker.j2
new file mode 100644
index 0000000000..d606a7b639
--- /dev/null
+++ b/roles/osbs-master/templates/sysconfig-docker.j2
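Review bot: The RoleBinding template sets no `metadata.namespace`, so the three bindings — including `osbs-admin`, which binds `cluster-admin` — land in whatever project the current context of the kubeconfig passed via `osbs_environment` selects when `oc replace` runs, and nothing in the file pins it. I would add an explicit namespace under `metadata:` (from the role variable naming the OSBS project, if one exists) so the grant is reproducible and reviewable from the file alone. Separately, `- {{u}}` and `- {{g}}` are emitted unquoted; a user or group name containing `:`, `#` or a leading special character would change the YAML structure rather than the subject, so render them as `- "{{ u }}"` and `- "{{ g }}"`.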
@@ -0,0 +1,36 @@
+# Modify these options if you want to change the way the docker daemon runs
+OPTIONS='--selinux-enabled'
+
+DOCKER_CERT_PATH=/etc/docker
+
+# If you want to add your own registry to be used for docker search and docker pull use the
+# ADD_REGISTRY option to list a set of comma separated registries.
+# Note the last registry added will be the first regisry searched.
+ADD_REGISTRY=''
+
+# If you want to block registries from being used, use the
+# BLOCK_REGISTRY option to list a set of comma separated registries, and uncommenting
+# it. For example adding docker.io will stop users from downloading images from docker.io
+# BLOCK_REGISTRY='--block-registry public'
+
+# If you have a registry secured with https but do not have proper certs destributed, you can
+# tell docker to not look for full authorization by adding the registry to the
+# INSECURE_REGISTRY line and uncommentin it.
+INSECURE_REGISTRY='
+{%- for r in osbs_docker_insecure_registries %} --insecure-registry {{ r }}
+{%- endfor %}'
+
+# On an SELinux system, if you remove the --selinux-enabled option, you
+# also need to turn on the docker_transition_unconfined boolean.
+# setsebool -P docker_transition_unconfined 1
+
+# Location used for temporary files, such as those created by
+# docker load and build operations. Default is /var/lib/docker/tmp
+# Can be overriden by setting the following environment variable.
+# DOCKER_TMPDIR=/var/tmp
+
+# Controls the /etc/cron.daily/docker-logrotate cron job status.
+# To disable, uncomment the line below.
+# LOGROTATE=false
+
+GOTRACEBACK='crash'
diff --git a/roles/osbs-master/vars/main.yml b/roles/osbs-master/vars/main.yml
new file mode 100644
index 0000000000..ad57097f30
--- /dev/null
+++ b/roles/osbs-master/vars/main.yml
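Review bot: `INSECURE_REGISTRY` is rendered from `osbs_docker_insecure_registries`, and each `--insecure-registry` entry makes the daemon accept plaintext HTTP or an unverified TLS certificate for that registry, so every image the build pipeline pulls from or pushes to it can be substituted by anyone on the network path. Since this patch is introducing a v2 registry, I would expect that registry to present a certificate the daemon trusts and the list to default to empty; the variable's default is not visible in this hunk. At minimum document the trade-off next to the setting: `# Entries here disable TLS verification for that registry; list only registries on a trusted network, never a production one.` A short note that `{%-` strips the newline before each entry would also help the next editor, since the closing `'` after `{%- endfor %}` is easy to break.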
@@ -0,0 +1,9 @@
+---
+osbs_openshift_home: /var/lib/origin
+osbs_openshift_port: 8443
+osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+
+osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+
+osbs_export_http_conf: /etc/httpd/conf.d/osbs_image_export.conf
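Review bot: `osbs_kubeconfig_path` points `osbs_environment.KUBECONFIG` at `/etc/origin/master/admin.kubeconfig`, so every task run with `environment: osbs_environment` in this role (including the `oc replace` of the `cluster-admin` binding elsewhere in the patch) executes with the full cluster-admin credential, and because the value lives in `vars/main.yml` rather than `defaults/main.yml` it cannot be overridden from inventory or group_vars. If a deployment should be able to drive the role with a narrower kubeconfig, move this path (and `osbs_export_http_conf`) to defaults and keep only genuinely fixed values here. Either way the privilege should be stated: `# admin.kubeconfig is the cluster-admin credential; everything run with osbs_environment inherits it.`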