Setup OSBS orchestrated cluster in prod

Signed-off-by: Clement Verna <cverna@tutanota.com>
2018-07-04 08:58:01 +02:00 · 2018-07-04 08:58:01 +02:00 · d679998a0a
commit d679998a0a
parent f719a5b004
11 changed files with 197 additions and 291 deletions
--- a/files/osbs/buildroot-Dockerfile-production.j2
+++ b/files/osbs/buildroot-Dockerfile-production.j2
@ -1,8 +1,10 @@
-FROM registry.fedoraproject.org/fedora:27
+FROM registry.fedoraproject.org/fedora
 ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
 RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\
    python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\
    libmodulemd python2-gobject python3-gobject python2-modulemd python3-modulemd python2-pdc-client python3-pdc-client ostree flatpak skopeo
+ADD ./orchestrator_customize.json /usr/share/osbs/orchestrator_customize.json
+ADD ./worker_customize.json /usr/share/osbs/worker_customize.json
 ADD ./krb5.conf /etc
 RUN printf '[libdefaults]\n default_ccache_name = DIR:/tmp/ccache_%%{uid}' >/etc/krb5.conf.d/ccache.conf
 ADD ./krb5.osbs_{{osbs_url}}.keytab /etc/
--- a/files/osbs/buildroot-Dockerfile-staging.j2
+++ b/files/osbs/buildroot-Dockerfile-staging.j2
@ -1,4 +1,4 @@
-FROM registry.fedoraproject.org/fedora:27
+FROM registry.fedoraproject.org/fedora
 ADD ./infra-tags.repo /etc/yum.repos.d/infra-tags.repo
 RUN dnf -y install --refresh dnf-plugins-core && dnf -y install docker git python-setuptools e2fsprogs koji python-backports-lzma osbs-client\
    python-osbs-client gssproxy fedpkg python-docker-squash atomic-reactor python-atomic-reactor* go-md2man python2-productmd python3-productmd\
--- a/inventory/group_vars/osbs-masters
+++ b/inventory/group_vars/osbs-masters
@ -23,8 +23,139 @@ osbs_client_conf_path: /etc/osbs.conf
 openshift_node_labels: {'region':'infra'}
 openshift_schedulable: False

+osbs_namespace: "osbs-fedora"
+osbs_worker_namespace: worker
+
+osbs_worker_service_accounts:
+  - orchestrator
+  - builder
+
+
+osbs_conf_sources_command: fedpkg sources
+osbs_conf_vendor: Fedora Project
+
+osbs_orchestrator_cpu_limitrange: "95m"
+
+osbs_worker_default_nodeselector: "worker=true"
+osbs_orchestrator_default_nodeselector: "orchestrator=true"
+
+osbs_conf_service_accounts:
+  - koji
+  - builder
+
+osbs_conf_readwrite_users:
+  - "system:serviceaccount:{{ osbs_namespace }}:default"
+  - "system:serviceaccount:{{ osbs_namespace }}:builder"
+
+osbs_conf_worker_clusters:
+  x86_64:
+  - name: x86_64
+    max_concurrent_builds: 2
+    openshift_url: "https://osbs.fedoraproject.org/"
+    verify_ssl: 'false'
+
+
+osbs_platform_descriptors:
+- platform: x86_64
+  architecture: amd64
+  enable_v1: True
+
+_osbs_reactor_config_map:
+    version: 1
+
+    clusters:
+      x86_64:
+      - name: "x86_64"
+        max_concurrent_builds: 2
+
+    clusters_client_config_dir: "/var/run/secrets/atomic-reactor/client-config-secret"
+
+    koji:
+      hub_url: "https://koji{{ env_suffix }}.fedoraproject.org/kojihub"
+      root_url: "https://koji{{ env_suffix }}.fedoraproject.org/"
+      auth:
+        krb_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
+        krb_keytab_path: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
+
+    odcs:
+        api_url: "https://odcs{{ env_suffix }}.fedoraproject.org/api/1"
+        auth:
+          openidc_dir: "/var/run/secrets/atomic-reactor/odcs-oidc-secret"
+        signing_intents:
+          - name: unsigned
+            keys: []
+        default_signing_intent: "unsigned"
+
+    pdc:
+        api_url: "https://pdc{{ env_suffix }}.fedoraproject.org/rest_api/v1/"
+
+    image_labels:
+      vendor: "{{ osbs_conf_vendor }}"
+      authoritative-source-url: "{{ source_registry }}"
+      distribution-scope: public
+
+    image_equal_labels:
+      - ['description', 'io.k8s.description']
+    openshift:
+      url: "https://{{ osbs_url }}"
+      insecure: true
+      build_json_dir: /usr/share/osbs
+      auth:
+        enable: True
+
+    platform_descriptors: "{{ osbs_platform_descriptors }}"
+
+    prefer_schema1_digest: False
+
+    content_versions:
+    - v1
+    - v2
+
+    registries:
+    - url: "{{ docker_registry }}"
+      insecure: True
+      auth:
+        cfg_path: /var/run/secrets/atomic-reactor/v2-registry-dockercfg
+
+    source_registry:
+      url: "{{ source_registry }}"
+      insecure: True
+
+    group_manifests: True
+
+    sources_command: "{{ osbs_conf_sources_command }}"
+
+    artifacts_allowed_domains: []
+    #- download.devel.redhat.com/released
+    #- download.devel.redhat.com/devel/candidates
+
+    required_secrets:
+    - kojisecret
+    - v2-registry-dockercfg
+    - odcs-oidc-secret
+
+    worker_token_secrets:
+    - x86-64-orchestrator
+    - client-config-secret
+
+_osbs_scratch_reactor_config_map_overrides:
+  image_labels:
+    distribution-scope: private
+
+osbs_reactor_config_maps:
+- name: reactor-config-map
+  data: "{{ _osbs_reactor_config_map }}"
+- name: reactor-config-map-scratch
+  data: >
+    {{ _osbs_reactor_config_map |
+       combine(_osbs_scratch_reactor_config_map_overrides, recursive=True) }}
+
+osbs_odcs_enabled: true
+
+#Docker command delegated host
 composer: compose-x86-01.phx2.fedoraproject.org

+# Nagios configuration
 nagios_Check_Services:
  nrpe: true
  sshd: true
--- a/inventory/group_vars/osbs-masters-stg
+++ b/inventory/group_vars/osbs-masters-stg
@ -45,7 +45,7 @@ osbs_conf_readwrite_users:

 osbs_conf_worker_clusters:
  x86_64:
-  - name: x86_64-stg
+  - name: x86_64
    max_concurrent_builds: 2
    openshift_url: "https://osbs.stg.fedoraproject.org/"
    verify_ssl: 'false'
@ -61,14 +61,14 @@ _osbs_reactor_config_map:

    clusters:
      x86_64:
-      - name: "x86_64-stg"
+      - name: "x86_64"
        max_concurrent_builds: 2

    clusters_client_config_dir: "/var/run/secrets/atomic-reactor/client-config-secret"

    koji:
-      hub_url: "https://koji.stg.fedoraproject.org/kojihub"
-      root_url: "https://koji.stg.fedoraproject.org/"
+      hub_url: "https://koji{{ env_suffix }}.fedoraproject.org/kojihub"
+      root_url: "https://koji{{ env_suffix }}.fedoraproject.org/"
      auth:
        krb_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
        krb_keytab_path: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
@ -83,7 +83,7 @@ _osbs_reactor_config_map:
        default_signing_intent: "unsigned"

    pdc:
-        api_url: "https://pdc.stg.fedoraproject.org/rest_api/v1/"
+        api_url: "https://pdc{{ env_suffix }}.fedoraproject.org/rest_api/v1/"

    image_labels:
      vendor: "{{ osbs_conf_vendor }}"
@ -131,7 +131,7 @@ _osbs_reactor_config_map:
    - odcs-oidc-secret

    worker_token_secrets:
-    - x86-64-stg-orchestrator
+    - x86-64-orchestrator
    - client-config-secret

 _osbs_scratch_reactor_config_map_overrides:
--- a/inventory/host_vars/osbs-master01.phx2.fedoraproject.org
+++ b/inventory/host_vars/osbs-master01.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.125.55
 vmhost: bvirthost01.phx2.fedoraproject.org
--- a/inventory/host_vars/osbs-node01.phx2.fedoraproject.org
+++ b/inventory/host_vars/osbs-node01.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.125.53
 vmhost: bvirthost01.phx2.fedoraproject.org
--- a/inventory/host_vars/osbs-node02.phx2.fedoraproject.org
+++ b/inventory/host_vars/osbs-node02.phx2.fedoraproject.org
@ -2,8 +2,8 @@
 nm: 255.255.255.0
 gw: 10.5.125.254
 dns: 10.5.126.21
-ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-26-osbs
-ks_repo: http://10.5.126.23/pub/fedora/linux/releases/26/Server/x86_64/os/
+ks_url: http://10.5.126.23/repo/rhel/ks/kvm-fedora-28-osbs
+ks_repo: http://10.5.126.23/pub/fedora/linux/releases/28/Server/x86_64/os/
 volgroup: /dev/vg_guests
 eth0_ip: 10.5.125.54
 vmhost: bvirthost01.phx2.fedoraproject.org
--- a/playbooks/groups/buildvm.yml
+++ b/playbooks/groups/buildvm.yml
@ -111,8 +111,8 @@
          client_config_secret: 'client-config-secret',
          reactor_config_secret: 'reactor-config-secret',
          registry_secret_name: 'v2-registry-dockercfg',
-          token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-stg-orchestrator',
-          token_file: '/etc/osbs/x86-64-osbs-stg-koji',
+          token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-orchestrator',
+          token_file: '/etc/osbs/x86-64-osbs-koji',
          namespace: 'osbs-fedora',
          can_orchestrate: true,
          builder_odcs_url: "https://odcs{{ env_suffix }}.fedoraproject.org",
@ -129,7 +129,7 @@
        when: env == 'production' and ansible_architecture == 'x86_64',
        general: {
          verbose: 0,
-          build_json_dir: '/etc/osbs/input/',
+          build_json_dir: '/usr/share/osbs/',
          openshift_required_version: 1.1.0,
        },
        default: {
@ -154,7 +154,18 @@
          distribution_scope: 'private',
          registry_api_versions: 'v2',
          builder_openshift_url: 'https://{{osbs_url}}',
-          registry_secret_name: 'v2-registry-dockercfg'
+          registry_secret_name: 'v2-registry-dockercfg',
+          token_secrets: 'x86-64-osbs:/var/run/secrets/atomic-reactor/x86-64-orchestrator',
+          token_file: '/etc/osbs/x86-64-osbs-koji',
+          namespace: 'osbs-fedora',
+          can_orchestrate: true,
+          builder_odcs_url: "https://odcs{{ env_suffix }}.fedoraproject.org",
+          builder_odcs_openidc_secret: "odcs-oidc-secret",
+          builder_pdc_url: "https://pdc.fedoraproject.org/api/1",
+          flatpak_base_image: "registry.fedoraproject.org/fedora:latest",
+          reactor_config_map: "reactor-config-map",
+          reactor_config_map_scratch: "reactor-config-map-scratch",
+          build_from: "image:buildroot:latest"
        }
    }
  handlers:
--- a/playbooks/groups/osbs-cluster.yml
+++ b/playbooks/groups/osbs-cluster.yml
@ -234,10 +234,11 @@
        cluster_inventory_filename: "cluster-inventory",
        openshift_htpasswd_file: "/etc/origin/htpasswd",
        openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
-        openshift_release: "v3.6.0",
+        openshift_release: "v3.9.0",
        openshift_ansible_path: "/root/openshift-ansible",
-        openshift_ansible_playbook: "playbooks/byo/config.yml",
-        openshift_ansible_version: "release-3.6-fedora-compat",
+        openshift_ansible_pre_playbook: "playbooks/prerequisites.yml",
+        openshift_ansible_playbook: "playbooks/deploy_cluster.yml",
+        openshift_ansible_version: "openshift-ansible-3.9.30-1",
        openshift_ansible_ssh_user: root,
        openshift_ansible_install_examples: false,
        openshift_ansible_containerized_deploy: false,
@ -319,86 +320,8 @@
        src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
        dest: "/etc/dnsmasq.d/fedora-dns.conf"

- name: Setup requirements for OpenShift master
-  hosts: osbs-masters-stg:osbs-masters
-  tags:
-    - osbs-master-req
-  user: root
-  gather_facts: True
-
-  vars_files:
-    - /srv/web/infra/ansible/vars/global.yml
-    - "/srv/private/ansible/vars.yml"
-    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  tasks:
-    - name: set policy for koji builder in openshift for osbs
-      command: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
-      args:
-        creates: "/etc/origin/koji-builder-policy-added"
-      when: env == "production"
-
-    - name: set policy for koji builder in openshift for atomic-reactor
-      command: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added"
-      args:
-        creates: "/etc/origin/atomic-reactor-policy-added"
-      when: env == "production"
-
- name: Deploy OSBS on top of OpenShift
-  hosts: osbs-masters-stg[0]:osbs-masters[0]
-  tags:
-    - osbs-deploy-on-openshift
-  user: root
-  gather_facts: True
-
-  vars_files:
-    - /srv/web/infra/ansible/vars/global.yml
-    - "/srv/private/ansible/vars.yml"
-    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-
-  vars:
-    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
-    osbs_environment:
-      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
-
-  roles:
-    - {
-      role: osbs-on-openshift,
-        osbs_openshift_home: "/var/lib/origin",
-        osbs_namespace: "default",
-        osbs_namespace_create: "false",
-        osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig",
-        osbs_environment: [
-          KUBECONFIG: "{{ osbs_kubeconfig_path }}"
-          ],
-        osbs_service_accounts: [],
-        osbs_readonly_users: [],
-        osbs_readonly_groups: [],
-        osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"],
-        osbs_readwrite_groups: [ "system:authenticated"],
-        osbs_admin_users: [],
-        osbs_admin_groups: [],
-        osbs_docker_registry: false,
-        osbs_docker_registry_storage: "/opt/openshift-registry",
-      when: env == "production"
-    }
-
-  tasks:
-    - name: set custom build policy for koji builder in openshift for osbs
-      command: "oc adm policy add-role-to-user -n default osbs-custom-build {{ osbs_koji_prod_username }} --role-namespace=default && touch /etc/origin/koji-custom-build-policy-added"
-      args:
-        creates: "/etc/origin/koji-builder-policy-added"
-      when: env == "production"
-      environment: "{{ osbs_environment }}"
-    - name: set custom build policy for builder service account in openshift for osbs
-      command: "oc adm policy add-role-to-user -n default osbs-custom-build system:serviceaccount:default:builder --role-namespace=default && touch /etc/origin/koji-builder-policy-added"
-      args:
-        creates: "/etc/origin/koji-builder-policy-added"
-      when: env == "production"
-      environment: "{{ osbs_environment }}"
-
 - name: Create worker namespace
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  tags:
    - osbs-worker-namespace
  user: root
@ -420,10 +343,10 @@
      osbs_authoritative_registry: "{{ source_registry }}"
      osbs_sources_command: "{{ osbs_conf_sources_command }}"
      osbs_vendor: "{{ osbs_conf_vendor }}"
-      when: env == "staging"
+

 - name: setup koji secret in worker namespace
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
@ -437,10 +360,9 @@
    osbs_secret_files:
    - source: "{{ private }}/files/koji/containerbuild.pem"
      dest: cert
-    when: env == "staging"

 - name: setup ODCS secret in worker namespace
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
@ -450,14 +372,13 @@
    osbs_namespace: "{{ osbs_worker_namespace }}"
    osbs_secret_name: odcs-oidc-secret
    osbs_secret_files:
-    - source: "{{ private }}/files/osbs/staging/odcs-oidc-token"
+    - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
      dest: token
-    when: env == "staging"
  tags:
    - osbs-worker-namespace

 - name: Create orchestrator namespace
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  roles:
  - role: osbs-namespace
    osbs_orchestrator: true
@ -474,38 +395,48 @@
    koji_use_kerberos: true
    koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
    koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
-    when: env == "staging"
  tags:
    - osbs-orchestrator-namespace


 - name: Add the worker/orchestrator labels to the nodes
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  tags:
    - osbs-labels-nodes
  tasks:
    - name: Add the worker label
      command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
      loop: "{{ groups['osbs-nodes-stg'] }}"
+      when: env == "staging"

    - name: Add the orchestrator labels to the nodes
      command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite"
      loop: "{{ groups['osbs-nodes-stg'] }}"
+      when: env == "staging"
+
+    - name: Add the worker label
+      command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
+      loop: "{{ groups['osbs-nodes'] }}"
+      when: env == "production"
+
+    - name: Add the orchestrator labels to the nodes
+      command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite"
+      loop: "{{ groups['osbs-nodes'] }}"
+      when: env == "production"

 - name: setup reactor config secret in orchestrator namespace
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  roles:
  - role: osbs-secret
    osbs_secret_name: reactor-config-secret
    osbs_secret_files:
    - source: "/tmp/{{ osbs_namespace }}-reactor-config-secret.yml"
      dest: config.yaml
-    when: env == "staging"
  tags:
    - osbs-orchestrator-namespace

 - name: setup ODCS secret in orchestrator namespace
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
@ -514,26 +445,24 @@
  - role: osbs-secret
    osbs_secret_name: odcs-oidc-secret
    osbs_secret_files:
-    - source: "{{ private }}/files/osbs/staging/odcs-oidc-token"
+    - source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
      dest: token
-    when: env == "staging"
  tags:
    - osbs-orchestrator-namespace

 - name: setup client config secret in orchestrator namespace
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  roles:
  - role: osbs-secret
    osbs_secret_name: client-config-secret
    osbs_secret_files:
    - source: "/tmp/{{ osbs_namespace }}-client-config-secret.conf"
      dest: osbs.conf
-    when: env == "staging"
  tags:
    - osbs-orchestrator-namespace

 - name: setup koji secret in orchestrator namespace
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
@ -544,23 +473,21 @@
    osbs_secret_files:
    - source: "{{ private }}/files/koji/containerbuild.pem"
      dest: cert
-    when: env == "staging"
  tags:
    - osbs-orchestrator-namespace

 - name: setup orchestrator token for x86_64-osbs
-  hosts: osbs-masters-stg[0]
+  hosts: osbs-masters-stg[0]:osbs-masters[0]
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "/srv/private/ansible/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
  roles:
  - role: osbs-secret
-    osbs_secret_name: x86-64-stg-orchestrator
+    osbs_secret_name: x86-64-orchestrator
    osbs_secret_files:
-    - source: "{{ private }}/files/osbs/staging/x86-64-osbs-stg-orchestrator"
+    - source: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-orchestrator"
      dest: token
-    when: env == "staging"
  tags:
    - osbs-orchestrator-namespace

@ -633,7 +560,6 @@
      osbs_secret_files:
      - source: "/tmp/.dockercfg"
        dest: .dockercfg
-      when: env == "staging"

  post_tasks:
    - name: Delete the temporary secret file
@ -642,80 +568,6 @@
        state=absent
        path="/tmp/.dockercfg"

- name: Manage docker images and image stream
-  hosts: osbs-masters[0]
-  tags:
-    - osbs-post-install
-    - manage-docker-images
-  vars_files:
-    - /srv/web/infra/ansible/vars/global.yml
-    - /srv/private/ansible/vars.yml
-    - /srv/private/ansible/files/openstack/passwords.yml
-    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
-  vars:
-    osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
-    osbs_environment:
-      KUBECONFIG: "{{ osbs_kubeconfig_path }}"
-    koji_pki_dir: /etc/pki/koji
-    koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
-    koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
-    koji_builder_user: dockerbuilder
-    osbs_builder_user: builder
-
-  tasks:
-    - name: pull fedora required docker images
-      command: "docker pull {{item}}"
-      with_items: "{{fedora_required_images}}"
-      delegate_to: "{{ composer }}"
-      register: docker_pull_fedora_delegated
-      changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout"
-
-    - name: tag fedora required docker images for our registry
-      command: "docker tag {{item}} {{docker_registry}}/{{item}}"
-      with_items: "{{fedora_required_images}}"
-      delegate_to: "{{ composer }}"
-      when: docker_pull_fedora_delegated is changed
-
-    - name: push fedora required docker images to our registry
-      command: "docker push {{docker_registry}}/{{item}}"
-      with_items: "{{fedora_required_images}}"
-      delegate_to: "{{ composer }}"
-      when: docker_pull_fedora_delegated is changed
-
-    - name: register origin_version_out rpm query
-      command: "rpm -q origin --qf '%{Version}'"
-      register: origin_version_out
-      check_mode: no
-      changed_when: False
-
-    - set_fact:
-        origin_version: "{{origin_version_out.stdout}}"
-
-    - name: pull openshift required docker images
-      command: "docker pull {{item}}:v{{origin_version}}"
-      with_items: "{{openshift_required_images}}"
-      delegate_to: "{{ composer }}"
-      register: docker_pull_openshift_delegated
-      changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout"
-
-    - name: tag openshift required docker images for our registry
-      command: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}"
-      with_items: "{{openshift_required_images}}"
-      delegate_to: "{{ composer }}"
-      when: docker_pull_openshift_delegated is changed
-
-    - name: push openshift required docker images to our registry
-      command: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}"
-      with_items: "{{openshift_required_images}}"
-      delegate_to: "{{ composer }}"
-      when: docker_pull_openshift_delegated is changed
-
-    - name: create fedora image stream for OpenShift
-      command: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
-      environment: "{{ osbs_environment }}"
-      args:
-        creates: /etc/origin/fedoraimagestreamcreated
-
 - name: post-install master host osbs tasks
  hosts: osbs-masters-stg:osbs-masters
  tags:
@ -786,7 +638,7 @@


 - name: post-install osbs tasks
-  hosts: osbs-nodes-stg:osbs-masters:osbs-nodes
+  hosts: osbs-nodes-stg:osbs-nodes
  tags:
    - osbs-post-install
  vars_files:
@ -823,40 +675,6 @@
        state: restarted
        daemon_reload: yes

-  roles:
-    - {
-      role: osbs-client,
-        general: {
-          verbose: 0,
-          build_json_dir: '/etc/osbs/input/',
-          openshift_required_version: 1.1.0,
-        },
-        default: {
-          username: "{{ osbs_koji_prod_username }}",
-          password: "{{ osbs_koji_prod_password }}",
-          koji_use_kerberos: True,
-          koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab",
-          koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}",
-          openshift_url: 'https://{{osbs_url}}/',
-          registry_uri: 'https://{{docker_registry}}/v2',
-          source_registry_uri: 'https://{{source_registry}}/v2',
-          build_host: '{{osbs_url}}',
-          koji_root: 'https://{{koji_url}}/koji',
-          koji_hub: 'https://{{koji_url}}/kojihub',
-          sources_command: 'fedpkg sources',
-          build_type: 'prod',
-          authoritative_registry: 'registry.fedoraproject.org',
-          vendor: 'Fedora Project',
-          verify_ssl: true,
-          use_auth: true,
-          builder_use_auth: true,
-          distribution_scope: 'private',
-          registry_api_versions: 'v2',
-          builder_openshift_url: 'https://{{osbs_url}}'
-        },
-      when: env == "production"
-      }
-
  tasks:
    - name: enable nrpe for monitoring (noc01)
      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
@ -990,26 +808,6 @@
      check_mode: no
      changed_when: False

-    - set_fact:
-        origin_version: "{{origin_version_out.stdout}}"
-
-    - name: pull openshift required docker images
-      command: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}"
-      with_items: "{{openshift_required_images}}"
-      register: docker_pull_openshift
-      changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"
-      when: env == "production"
-
-    - name: tag openshift required docker images locally
-      command: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}"
-      with_items: "{{openshift_required_images}}"
-      when:
-        - docker_pull_openshift is changed
-        - env == "production"
-
-    - set_fact:
-        docker_pull_openshift: "{{ docker_pull_openshift }}"
-

 - name: Post-Install image stream refresh
  hosts: osbs-masters[0]:osbs-masters-stg[0]
@ -1022,10 +820,6 @@
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
-    - name: refresh fedora image streams
-      command: "oc import-image fedora --all"
-      when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"] is changed
-
    - name: enable nrpe for monitoring (noc01)
      iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT

--- a/roles/osbs-client/tasks/main.yml
+++ b/roles/osbs-client/tasks/main.yml
@ -9,35 +9,4 @@
 - name: apply osbs-client templated config
  template: src=osbs.conf.j2 dest={{ osbs_client_conf_path }} mode=0640
  tags:
-  - osbs-client
-
- name: Create custom OSBS input directory
-  file:
-    path: "/etc/osbs/input/"
-    state: directory
-  tags:
-  - osbs-client
-  when: env == 'production'
-
-# This overrides defaults which are set in
-# https://github.com/projectatomic/osbs-client/blob/master/inputs/prod_inner.json
- name: Upload OSBS Site Customizations plugin conf
-  copy:
-    src: "osbs-site-customize.json"
-    dest: "/etc/osbs/input/prod_customize.json"
-    mode: 0400
-  tags:
-  - osbs-client
-  when: env == 'production'
-
- name: Symlink in OSBS input configs provided by package
-  file:
-    src: "/usr/share/osbs/{{item}}.json"
-    dest: "/etc/osbs/input/{{item}}.json"
-    state: link
-  with_items:
-    - "prod"
-    - "prod_inner"
-  tags:
-  - osbs-client
-  when: env == 'production'
+  - osbs-client
--- a/tasks/osbs_koji_token.yml
+++ b/tasks/osbs_koji_token.yml
@ -5,8 +5,7 @@

 - name: put the koji token file in place
  copy:
-    src: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-stg-koji"
-    dest: "/etc/osbs/x86-64-osbs-stg-koji"
+    src: "{{ private }}/files/osbs/{{ env }}/x86-64-osbs-koji"
+    dest: "/etc/osbs/x86-64-osbs-koji"
    owner: root
    mode: 0400
-  when: env == "staging"