Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions
ansible/playbooks/groups/osbs-cluster.yml
Clement Verna 22d53e218c OSBS: Use the env variable to make the reactor-config and client config name unique per env. 
Signed-off-by: Clement Verna <cverna@tutanota.com>
2020-04-24 21:34:16 +02:00

838 lines
28 KiB
YAML
Raw Blame History

# create an osbs server
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_control"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_control_stg"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_nodes:osbs_masters"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_nodes_stg:osbs_masters_stg"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_aarch64_masters_stg"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs_aarch64_masters"
- name: make the box be real
hosts: osbs_control:osbs_masters:osbs_nodes:osbs_control_stg:osbs_masters_stg:osbs_nodes_stg:osbs_aarch64_masters_stg:osbs_aarch64_masters
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
roles:
- base
- rkhunter
- nagios_client
- hosts
- fas_client
- sudo
- collectd/base
- rsyncd
tasks:
- name: put openshift repo on os- systems
template: src="{{ files }}/openshift/openshift.repo" dest="/etc/yum.repos.d/openshift.repo"
tags:
- config
- packages
- yumrepos
- name: install redhat ca file
package:
name: subscription-manager-rhsm-certificates
state: present
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: OSBS control hosts pre-req setup
hosts: osbs_control:osbs_control_stg
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: deploy private key to control hosts
copy:
src: "{{private}}/files/osbs/{{env}}/control_key"
dest: "/root/.ssh/id_rsa"
owner: root
mode: 0600
- name: set ansible to use pipelining
ini_file:
dest: /etc/ansible/ansible.cfg
section: ssh_connection
option: pipelining
value: "True"
- name: Setup cluster masters pre-reqs
hosts: osbs_masters_stg:osbs_masters:osbs_aarch64_masters_stg:osbs_aarch64_masters
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: ensure origin conf dir exists
file:
path: "/etc/origin"
state: "directory"
- name: create cert dir for openshift public facing REST API SSL
file:
path: "/etc/origin/master/named_certificates"
state: "directory"
- name: install cert for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"
- name: install key for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
- name: place htpasswd file
copy:
src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
dest: /etc/origin/master/htpasswd
- name: Setup cluster hosts pre-reqs
hosts: osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes:osbs_aarch64_masters_stg:osbs_aarch64_masters
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- name: restart NetworkManager
service:
name: NetworkManager
state: restarted
tasks:
- name: Install necessary packages that openshift-ansible needs
package:
state: installed
name:
- tar
- rsync
- dbus-python
- NetworkManager
- libselinux-python
- python2-pyyaml
when: env == "staging"
- name: Install necessary packages that openshift-ansible needs
package:
state: installed
name:
- tar
- rsync
- dbus-python
- NetworkManager
- libselinux-python
- python3-PyYAML
when: env == "production"
- name: Deploy controller public ssh keys to osbs cluster hosts
authorized_key:
user: root
key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}"
# This is required for OpenShift built-in SkyDNS inside the overlay network
# of the cluster
- name: ensure NM_CONTROLLED is set to "yes" for osbs cluster
lineinfile:
dest: "/etc/sysconfig/network-scripts/ifcfg-eth0"
line: "NM_CONTROLLED=yes"
notify:
- restart NetworkManager
# This is required for OpenShift built-in SkyDNS inside the overlay network
# of the cluster
- name: ensure NetworkManager is enabled and started
service:
name: NetworkManager
state: started
enabled: yes
- name: cron entry to clean up docker storage
copy:
src: "{{files}}/osbs/cleanup-docker-storage"
dest: "/etc/cron.d/cleanup-docker-storage"
- name: copy docker-storage-setup config
copy:
src: "{{files}}/osbs/docker-storage-setup"
dest: "/etc/sysconfig/docker-storage-setup"
- name: Deploy kerberose keytab to cluster hosts
hosts: osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes:osbs_aarch64_masters_stg:osbs_aarch64_masters
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: keytab/service
owner_user: root
owner_group: root
service: osbs
host: "osbs.fedoraproject.org"
when: env == "production"
- role: keytab/service
owner_user: root
owner_group: root
service: osbs
host: "osbs.stg.fedoraproject.org"
when: env == "staging"
- name: Deploy OpenShift Cluster x86_64
hosts: osbs_control:osbs_control_stg
tags:
- osbs-deploy-openshift
- osbs-x86-deploy-openshift
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: ansible-ansible-openshift-ansible
cluster_inventory_filename: "{{ inventory_filename }}"
openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
openshift_release: "v3.11"
openshift_ansible_path: "/root/openshift-ansible"
openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
openshift_ansible_version: "openshift-ansible-3.11.51-1"
openshift_ansible_ssh_user: root
openshift_ansible_install_examples: false
openshift_ansible_containerized_deploy: true
openshift_cluster_masters_group: "{{ cluster_masters_group }}"
openshift_cluster_nodes_group: "{{ cluster_nodes_group }}"
openshift_cluster_infra_group: "{{ cluster_infra_group }}"
openshift_auth_profile: "osbs"
openshift_cluster_url: "https://{{osbs_url}}"
openshift_master_ha: false
openshift_debug_level: 2
openshift_shared_infra: true
openshift_deployment_type: "origin"
openshift_ansible_python_interpreter: "/usr/bin/python3"
openshift_ansible_use_crio: false
openshift_ansible_crio_only: false
tags: ['openshift-cluster-x86','ansible-ansible-openshift-ansible']
when: env != "staging"
- role: ansible-ansible-openshift-ansible
cluster_inventory_filename: "{{ inventory_filename }}"
openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
openshift_release: "v3.11"
openshift_ansible_path: "/root/openshift-ansible"
openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
openshift_ansible_version: "openshift-ansible-3.11.51-1"
openshift_ansible_ssh_user: root
openshift_ansible_install_examples: false
openshift_ansible_containerized_deploy: false
openshift_cluster_masters_group: "{{ cluster_masters_group }}"
openshift_cluster_nodes_group: "{{ cluster_nodes_group }}"
openshift_cluster_infra_group: "{{ cluster_infra_group }}"
openshift_auth_profile: "osbs"
openshift_cluster_url: "https://{{osbs_url}}"
openshift_master_ha: false
openshift_debug_level: 2
openshift_shared_infra: true
openshift_deployment_type: "openshift-enterprise"
openshift_ansible_use_crio: false
openshift_ansible_crio_only: false
tags: ['openshift-cluster-x86','ansible-ansible-openshift-ansible']
when: env == "staging"
- name: Deploy OpenShift Cluster aarch64
hosts: osbs_control:osbs_control_stg
tags:
- osbs-deploy-openshift
- osbs-aarch-deploy-openshift
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: ansible-ansible-openshift-ansible
cluster_inventory_filename: "{{ inventory_filename }}"
openshift_htpasswd_file: "/etc/origin/htpasswd"
openshift_master_public_api_url: "https://{{ osbs_url }}:8443"
openshift_release: "v3.9.0"
openshift_ansible_path: "/root/openshift-ansible"
openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
openshift_ansible_version: "osbs-aarch64-fedora"
openshift_ansible_ssh_user: root
openshift_ansible_install_examples: false
openshift_ansible_containerized_deploy: false
openshift_cluster_masters_group: "{{ aarch_masters_group }}"
openshift_cluster_nodes_group: "{{ aarch_nodes_group }}"
openshift_cluster_infra_group: "{{ aarch_infra_group }}"
openshift_auth_profile: "osbs"
openshift_cluster_url: "https://{{osbs_url}}"
openshift_master_ha: false
openshift_debug_level: 2
openshift_shared_infra: true
openshift_deployment_type: "origin"
openshift_ansible_python_interpreter: "/usr/bin/python3"
openshift_ansible_use_crio: false
openshift_ansible_crio_only: false
tags: ['openshift-cluster-aarch','ansible-ansible-openshift-ansible']
- name: Setup OSBS requirements for OpenShift cluster hosts
hosts: osbs_masters_stg:osbs_nodes_stg:osbs_masters:osbs_nodes
tags:
- osbs-cluster-req
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: Ensures /etc/dnsmasq.d/ dir exists
file: path="/etc/dnsmasq.d/" state=directory
- name: install fedora dnsmasq specific config
copy:
src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
dest: "/etc/dnsmasq.d/fedora-dns.conf"
- name: Create worker namespace
hosts: osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
tags:
- osbs-worker-namespace
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
roles:
- role: osbs-namespace
osbs_namespace: "{{ osbs_worker_namespace }}"
osbs_service_accounts: "{{ osbs_worker_service_accounts }}"
osbs_nodeselector: "{{ osbs_worker_default_nodeselector|default('') }}"
osbs_sources_command: "{{ osbs_conf_sources_command }}"
- name: setup ODCS secret in worker namespace
hosts: osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-secret
osbs_namespace: "{{ osbs_worker_namespace }}"
osbs_secret_name: odcs-oidc-secret
osbs_secret_files:
- source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
dest: token
tags:
- osbs-worker-namespace
- name: Create orchestrator namespace
hosts: osbs_masters_stg[0]:osbs_masters[0]
roles:
- role: osbs-namespace
osbs_orchestrator: true
osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}"
osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}"
osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
osbs_sources_command: "{{ osbs_conf_sources_command }}"
osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}"
osbs_service_accounts: "{{ osbs_conf_service_accounts }}"
koji_use_kerberos: true
koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
tags:
- osbs-orchestrator-namespace
- name: Add the orchestrator labels to the nodes
hosts: osbs_masters_stg[0]:osbs_masters[0]
tags:
- osbs-labels-nodes
tasks:
- name: Add the orchestrator labels to the nodes
command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite"
loop: "{{ groups['osbs_nodes_stg'] }}"
when: env == "staging"
- name: Add the orchestrator labels to the nodes
command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite"
loop: "{{ groups['osbs_nodes'] }}"
when: env == "production"
- name: Add the worker labels to the nodes x86_64
hosts: osbs_masters_stg[0]:osbs_masters[0]
tags:
- osbs-labels-nodes
tasks:
- name: Add the worker label
command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
loop: "{{ groups['osbs_nodes_stg'] }}"
when: env == "staging"
- name: Add the worker label
command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
loop: "{{ groups['osbs_nodes'] }}"
when: env == "production"
- name: Add the worker labels to the nodes aarch64
hosts: osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
tags:
- osbs-labels-nodes
tasks:
- name: Add the worker label
command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
loop: "{{ groups['osbs-aarch64-nodes-stg'] }}"
when: env == "staging"
- name: Add the worker label
command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
loop: "{{ groups['osbs-aarch64-nodes'] }}"
when: env == "production"
- name: setup reactor config secret in orchestrator namespace
hosts: osbs_masters_stg[0]:osbs_masters[0]
roles:
- role: osbs-secret
osbs_secret_name: reactor-config-secret
osbs_secret_files:
- source: "/tmp/{{ osbs_namespace }}-{{ env }}-reactor-config-secret.yml"
dest: config.yaml
tags:
- osbs-orchestrator-namespace
- name: setup ODCS secret in orchestrator namespace
hosts: osbs_masters_stg[0]:osbs_masters[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-secret
osbs_secret_name: odcs-oidc-secret
osbs_secret_files:
- source: "{{ private }}/files/osbs/{{ env }}/odcs-oidc-token"
dest: token
tags:
- osbs-orchestrator-namespace
- name: setup client config secret in orchestrator namespace
hosts: osbs_masters_stg[0]:osbs_masters[0]
roles:
- role: osbs-secret
osbs_secret_name: client-config-secret
osbs_secret_files:
- source: "/tmp/{{ osbs_namespace }}-{{ env }}-client-config-secret.conf"
dest: osbs.conf
tags:
- osbs-orchestrator-namespace
- name: Save orchestrator token x86_64
hosts: osbs_masters_stg[0]:osbs_masters[0]
tasks:
- name: get orchestrator service account token
command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
register: orchestator_token_x86_64
- name: save the token locally
local_action: >
copy
content="{{ orchestator_token_x86_64.stdout }}"
dest=/tmp/.orchestator-token-x86_64
mode=0400
tags:
- osbs-orchestrator-namespace
- name: setup orchestrator token for x86_64-osbs
hosts: osbs_masters_stg[0]:osbs_masters[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-secret
osbs_secret_name: x86-64-orchestrator
osbs_secret_files:
- source: "/tmp/.orchestator-token-x86_64"
dest: token
post_tasks:
- name: Delete the temporary secret file
local_action: >
file
state=absent
path="/tmp/.orchestator-token-x86_64"
tags:
- osbs-orchestrator-namespace
- name: Save orchestrator token aarch64
hosts: osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
tasks:
- name: get orchestrator service account token
command: "oc -n {{ osbs_worker_namespace }} sa get-token orchestrator"
register: orchestator_token_aarch64
- name: save the token locally
local_action: >
copy
content="{{ orchestator_token_aarch64.stdout }}"
dest=/tmp/.orchestator-token-aarch64
mode=0400
tags:
- osbs-orchestrator-namespace
- name: setup orchestrator token for aarch64-osbs
hosts: osbs_masters_stg[0]:osbs_masters[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-secret
osbs_secret_can_fail: true
osbs_secret_name: aarch64-orchestrator
osbs_secret_files:
- source: "/tmp/.orchestator-token-aarch64"
dest: token
post_tasks:
- name: Delete the temporary secret file
local_action: >
file
state=absent
path="/tmp/.orchestator-token-aarch64"
tags:
- osbs-orchestrator-namespace
- name: Add dockercfg secret to allow registry push orchestrator
hosts: osbs_masters_stg[0]:osbs_masters[0]
tags:
- osbs-dockercfg-secret
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- name: Create the username:password string needed by the template
set_fact:
auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
- name: Create the dockercfg secret file
local_action: >
template
src="{{ files }}/osbs/dockercfg-{{env}}-secret.j2"
dest="/tmp/.dockercfg"
mode=0400
roles:
- role: osbs-secret
osbs_secret_name: "v2-registry-dockercfg"
osbs_secret_type: kubernetes.io/dockercfg
osbs_secret_files:
- source: "/tmp/.dockercfg"
dest: .dockercfg
post_tasks:
- name: Delete the temporary secret file
local_action: >
file
state=absent
path="/tmp/.dockercfg"
- name: Add dockercfg secret to allow registry push worker
hosts: osbs_masters_stg[0]:osbs_masters[0]:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
tags:
- osbs-dockercfg-secret
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- name: Create the username:password string needed by the template
set_fact:
auth_info_prod: "{{candidate_registry_osbs_prod_username}}:{{candidate_registry_osbs_prod_password}}"
auth_info_stg: "{{candidate_registry_osbs_stg_username}}:{{candidate_registry_osbs_stg_password}}"
- name: Create the dockercfg secret file
local_action: >
template
src="{{ files }}/osbs/dockercfg-{{env}}-secret.j2"
dest="/tmp/.dockercfg"
mode=0400
roles:
- role: osbs-secret
osbs_namespace: "{{ osbs_worker_namespace }}"
osbs_secret_name: "v2-registry-dockercfg"
osbs_secret_type: kubernetes.io/dockercfg
osbs_secret_files:
- source: "/tmp/.dockercfg"
dest: .dockercfg
post_tasks:
- name: Delete the temporary secret file
local_action: >
file
state=absent
path="/tmp/.dockercfg"
- name: post-install master host osbs tasks
hosts: osbs_masters_stg:osbs_masters:osbs_aarch64_masters_stg[0]:osbs_aarch64_masters[0]
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
tasks:
- name: cron entry to clean up old builds
copy:
src: "{{files}}/osbs/cleanup-old-osbs-builds"
dest: "/etc/cron.d/cleanup-old-osbs-builds"
- name: post-install osbs control tasks
hosts: osbs_control
tags: osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
tags:
- iptables
- name: post-install osbs tasks
hosts: osbs_nodes_stg:osbs_nodes:osbs_aarch64_nodes_stg:osbs_aarch64_nodes
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
handlers:
- name: Remove the previous buildroot image
docker_image:
state: absent
name: buildroot
- name: Build the new buildroot container
docker_image:
path: /etc/osbs/buildroot/
name: buildroot
nocache: yes
- name: restart and reload docker service
systemd:
name: docker
state: restarted
daemon_reload: yes
tasks:
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
tags:
- iptables
- name: copy docker iptables script
copy:
src: "{{files}}/osbs/fix-docker-iptables.{{ env }}"
dest: /usr/local/bin/fix-docker-iptables
mode: 0755
tags:
- iptables
notify:
- restart and reload docker service
- name: copy docker custom service config
copy:
src: "{{files}}/osbs/docker.firewall.service"
dest: /etc/systemd/system/docker.service.d/firewall.conf
tags:
- docker
notify:
- restart and reload docker service
- name: copy the osbs customization file
copy:
src: "{{item}}"
dest: "/etc/osbs/buildroot/"
owner: root
mode: 0600
with_items:
- "{{files}}/osbs/worker_customize.json"
- "{{files}}/osbs/orchestrator_customize.json"
- name: Create buildroot container conf directory
file:
path: "/etc/osbs/buildroot/"
state: directory
- name: Upload Dockerfile for buildroot container
template:
src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2"
dest: "/etc/osbs/buildroot/Dockerfile"
mode: 0400
notify:
- Remove the previous buildroot image
- Build the new buildroot container
- name: Upload krb5.conf for buildroot container
template:
src: "{{ roles_path }}/base/templates/krb5.conf.j2"
dest: "/etc/osbs/buildroot/krb5.conf"
mode: 0644
notify:
- Remove the previous buildroot image
- Build the new buildroot container
- name: Upload internal CA for buildroot
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
dest: "/etc/osbs/buildroot/ca.crt"
mode: 0400
notify:
- Remove the previous buildroot image
- Build the new buildroot container
- name: stat infra repofile
stat:
path: "/etc/yum.repos.d/infra-tags.repo"
register: infra_repo_stat
- name: stat /etc/osbs/buildroot/ infra repofile
stat:
path: "/etc/osbs/buildroot/infra-tags.repo"
register: etcosbs_infra_repo_stat
- name: remove old /etc/osbs/buildroot/ infra repofile
file:
path: "/etc/osbs/buildroot/infra-tags.repo"
state: absent
when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum
- name: Copy repofile for buildroot container (because Docker)
copy:
src: "/etc/yum.repos.d/infra-tags.repo"
dest: "/etc/osbs/buildroot/infra-tags.repo"
remote_src: true
notify:
- Remove the previous buildroot image
- Build the new buildroot container
when: etcosbs_infra_repo_stat.stat.exists == false
- name: stat /etc/ keytab
stat:
path: "/etc/krb5.osbs_{{osbs_url}}.keytab"
register: etc_kt_stat
- name: stat /etc/osbs/buildroot/ keytab
stat:
path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
register: etcosbs_kt_stat
- name: remove old hardlink to /etc/osbs/buildroot/ keytab
file:
path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
state: absent
when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum != etcosbs_kt_stat.stat.checksum
- name: Hardlink keytab for buildroot container (because Docker)
file:
src: "/etc/krb5.osbs_{{osbs_url}}.keytab"
dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
state: hard
notify:
- Remove the previous buildroot image
- Build the new buildroot container
when: etcosbs_kt_stat.stat.exists == false
- name: pull fedora required docker images
command: "docker pull {{source_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
register: docker_pull_fedora
changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
Reference in a new issue View git blame Copy permalink