Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions
ansible/playbooks/groups/osbs-cluster.yml
Clement Verna 31510413d0 Update ansible-ansible-openshift-ansible role variables in osbs playbook part2 
Signed-off-by: Clement Verna <cverna@tutanota.com>
2018-06-04 08:39:08 +02:00

964 lines
33 KiB
YAML
Raw Blame History

# create an osbs server
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-control-stg"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes:osbs-masters"
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=osbs-nodes-stg:osbs-masters-stg"
- name: make the box be real
hosts: osbs-control:osbs-masters:osbs-nodes:osbs-control-stg:osbs-masters-stg:osbs-nodes-stg
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
pre_tasks:
- import_tasks: "{{ tasks_path }}/yumrepos.yml"
roles:
- base
- rkhunter
- nagios_client
- hosts
- fas_client
- sudo
- collectd/base
- rsyncd
tasks:
- import_tasks: "{{ tasks_path }}/2fa_client.yml"
- import_tasks: "{{ tasks_path }}/motd.yml"
handlers:
- import_tasks: "{{ handlers_path }}/restart_services.yml"
- name: OSBS control hosts pre-req setup
hosts: osbs-control:osbs-control-stg
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: deploy private key to control hosts
copy:
src: "{{private}}/files/osbs/{{env}}/control_key"
dest: "/root/.ssh/id_rsa"
owner: root
mode: 0600
- name: set ansible to use pipelining
ini_file:
dest: /etc/ansible/ansible.cfg
section: ssh_connection
option: pipelining
value: "True"
- name: Setup cluster masters pre-reqs
hosts: osbs-masters-stg:osbs-masters
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: ensure origin conf dir exists
file:
path: "/etc/origin"
state: "directory"
- name: create cert dir for openshift public facing REST API SSL
file:
path: "/etc/origin/master/named_certificates"
state: "directory"
- name: install cert for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
dest: "/etc/origin/master/named_certificates/{{osbs_url}}.pem"
- name: install key for openshift public facing REST API SSL
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.key"
dest: "/etc/origin/master/named_certificates/{{osbs_url}}.key"
- name: place htpasswd file
copy:
src: "{{private}}/files/httpd/osbs-{{env}}.htpasswd"
dest: /etc/origin/htpasswd
- name: Setup cluster hosts pre-reqs
hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
handlers:
- name: restart NetworkManager
service:
name: NetworkManager
state: restarted
tasks:
- name: Install necessary packages that openshift-ansible needs
package: name="{{ item }}" state=installed
with_items:
- tar
- rsync
- dbus-python
- NetworkManager
- libselinux-python
- origin
- python3-PyYAML
- name: Deploy controller public ssh keys to osbs cluster hosts
authorized_key:
user: root
key: "{{ lookup('file', '{{private}}/files/osbs/{{env}}/control_key.pub') }}"
# This is required for OpenShift built-in SkyDNS inside the overlay network
# of the cluster
- name: ensure NM_CONTROLLED is set to "yes" for osbs cluster
lineinfile:
dest: "/etc/sysconfig/network-scripts/ifcfg-eth0"
line: "NM_CONTROLLED=yes"
notify:
- restart NetworkManager
# This is required for OpenShift built-in SkyDNS inside the overlay network
# of the cluster
- name: ensure NetworkManager is enabled and started
service:
name: NetworkManager
state: started
enabled: yes
- name: cron entry to clean up docker storage
copy:
src: "{{files}}/osbs/cleanup-docker-storage"
dest: "/etc/cron.d/cleanup-docker-storage"
- name: copy docker-storage-setup config
copy:
src: "{{files}}/osbs/docker-storage-setup"
dest: "/etc/sysconfig/docker-storage-setup"
- name: Deploy kerberose keytab to cluster hosts
hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags:
- osbs-cluster-prereq
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: keytab/service
owner_user: root
owner_group: root
service: osbs
host: "osbs.fedoraproject.org"
when: env == "production"
- role: keytab/service
owner_user: root
owner_group: root
service: osbs
host: "osbs.stg.fedoraproject.org"
when: env == "staging"
- name: Deploy OpenShift Cluster
hosts: osbs-control:osbs-control-stg
tags:
- osbs-deploy-openshift
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- {
role: ansible-ansible-openshift-ansible,
cluster_inventory_filename: "cluster-inventory-stg",
openshift_htpasswd_file: "/etc/origin/htpasswd",
openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
openshift_release: "v3.6.0",
openshift_ansible_path: "/root/openshift-ansible",
openshift_ansible_playbook: "playbooks/byo/config.yml",
openshift_ansible_version: "release-3.6-fedora-compat",
openshift_ansible_ssh_user: root,
openshift_ansible_install_examples: false,
openshift_ansible_containerized_deploy: false,
openshift_cluster_masters_group: "osbs-masters-stg",
openshift_cluster_nodes_group: "osbs-nodes-stg",
openshift_cluster_infra_group: "osbs-masters-stg",
openshift_auth_profile: "osbs",
openshift_cluster_url: "{{osbs_url}}",
openshift_master_ha: false,
openshift_debug_level: 2,
openshift_shared_infra: true,
openshift_deployment_type: "origin",
openshift_ansible_python_interpreter: "/usr/bin/python3",
openshift_ansible_use_crio: false,
openshift_ansible_crio_only: false,
when: env == 'staging',
tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
}
- {
role: ansible-ansible-openshift-ansible,
cluster_inventory_filename: "cluster-inventory",
openshift_htpasswd_file: "/etc/origin/htpasswd",
openshift_master_public_api_url: "https://{{ osbs_url }}:8443",
openshift_release: "v3.6.0",
openshift_ansible_path: "/root/openshift-ansible",
openshift_ansible_playbook: "playbooks/byo/config.yml",
openshift_ansible_version: "release-3.6-fedora-compat",
openshift_ansible_ssh_user: root,
openshift_ansible_install_examples: false,
openshift_ansible_containerized_deploy: false,
openshift_cluster_masters_group: "osbs-masters",
openshift_cluster_nodes_group: "osbs-nodes",
openshift_cluster_infra_group: "osbs-masters",
openshift_auth_profile: "osbs",
openshift_cluster_url: "{{osbs_url}}",
openshift_master_ha: false,
openshift_debug_level: 2,
openshift_shared_infra: true,
openshift_deployment_type: "origin",
openshift_ansible_python_interpreter: "/usr/bin/python3",
when: env == 'production',
tags: ['openshift-cluster','ansible-ansible-openshift-ansible']
}
- name: Setup OSBS requirements for OpenShift cluster hosts
hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags:
- osbs-cluster-req
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- {
role: osbs-common,
osbs_manage_firewalld: false,
}
- {
role: push-docker,
docker_cert_name: "containerbuild",
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
when: env == "staging"
}
- {
role: "manage-container-images",
cert_dest_dir: "/etc/docker/certs.d/candidate-registry.stg.fedoraproject.org",
cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
when: env == "staging"
}
- {
role: "manage-container-images",
cert_dest_dir: "/etc/docker/certs.d/registry.stg.fedoraproject.org",
cert_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem",
key_src: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key",
when: env == "staging"
}
- {
role: push-docker,
docker_cert_name: "containerbuild",
docker_cert_dir: "/etc/docker/certs.d/candidate-registry.fedoraproject.org",
when: env == "production"
}
handlers:
- name: restart dnsmasq
service:
name: dnsmasq
state: restarted
tasks:
- name: Ensures /etc/dnsmasq.d/ dir exists
file: path="/etc/dnsmasq.d/" state=directory
- name: install fedora dnsmasq specific config
copy:
src: "{{files}}/osbs/fedora-dnsmasq.conf.{{env}}"
dest: "/etc/dnsmasq.d/fedora-dns.conf"
- name: Setup requirements for OpenShift master
hosts: osbs-masters-stg:osbs-masters
tags:
- osbs-master-req
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: set policy for koji builder in openshift for osbs
command: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_prod_username }} && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "production"
- name: set policy for koji builder in openshift for atomic-reactor
command: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder && touch /etc/origin/atomic-reactor-policy-added"
args:
creates: "/etc/origin/atomic-reactor-policy-added"
when: env == "production"
- name: Deploy OSBS on top of OpenShift
hosts: osbs-masters-stg[0]:osbs-masters[0]
tags:
- osbs-deploy-on-openshift
user: root
gather_facts: True
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
roles:
- {
role: osbs-on-openshift,
osbs_openshift_home: "/var/lib/origin",
osbs_namespace: "default",
osbs_namespace_create: "false",
osbs_kubeconf_path: "/etc/origin/master/admin.kubeconfig",
osbs_environment: [
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
],
osbs_service_accounts: [],
osbs_readonly_users: [],
osbs_readonly_groups: [],
osbs_readwrite_users: ["{{ osbs_koji_prod_username }}"],
osbs_readwrite_groups: [ "system:authenticated"],
osbs_admin_users: [],
osbs_admin_groups: [],
osbs_docker_registry: false,
osbs_docker_registry_storage: "/opt/openshift-registry",
when: env == "production"
}
tasks:
- name: set custom build policy for koji builder in openshift for osbs
command: "oc adm policy add-role-to-user -n default osbs-custom-build {{ osbs_koji_prod_username }} --role-namespace=default && touch /etc/origin/koji-custom-build-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "production"
environment: "{{ osbs_environment }}"
- name: set custom build policy for builder service account in openshift for osbs
command: "oc adm policy add-role-to-user -n default osbs-custom-build system:serviceaccount:default:builder --role-namespace=default && touch /etc/origin/koji-builder-policy-added"
args:
creates: "/etc/origin/koji-builder-policy-added"
when: env == "production"
environment: "{{ osbs_environment }}"
- name: Create worker namespace
hosts: osbs-masters-stg[0]
tags:
- osbs-worker-namespace
user: root
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
roles:
- role: osbs-namespace
osbs_namespace: "{{ osbs_worker_namespace }}"
osbs_service_accounts: "{{ osbs_worker_service_accounts }}"
osbs_nodeselector: "{{ osbs_worker_default_nodeselector|default('') }}"
osbs_authoritative_registry: "{{ source_registry }}"
osbs_sources_command: "{{ osbs_conf_sources_command }}"
osbs_vendor: "{{ osbs_conf_vendor }}"
when: env == "staging"
- name: setup koji secret in worker namespace
hosts: osbs-masters-stg[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tags:
- osbs-worker-namespace
roles:
- role: osbs-secret
osbs_namespace: "{{ osbs_worker_namespace }}"
osbs_secret_name: kojisecret
osbs_secret_files:
- source: "{{ private }}/files/koji/containerbuild.pem"
dest: cert
when: env == "staging"
- name: setup dist registry secret in worker namespace
hosts: osbs-masters-stg[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tags:
- osbs-worker-namespace
roles:
- role: osbs-secret
osbs_namespace: "{{ osbs_worker_namespace }}"
osbs_secret_name: registry-secret
osbs_secret_files:
- source: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem"
dest: client.cert
- source: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key"
dest: client.key
when: env == "staging"
- name: Create orchestrator namespace
hosts: osbs-masters-stg[0]
roles:
- role: osbs-namespace
osbs_orchestrator: true
osbs_worker_clusters: "{{ osbs_conf_worker_clusters }}"
osbs_cpu_limitrange: "{{ osbs_orchestrator_cpu_limitrange }}"
osbs_nodeselector: "{{ osbs_orchestrator_default_nodeselector|default('') }}"
osbs_authoritative_registry: "{{ source_registry }}"
osbs_sources_command: "{{ osbs_conf_sources_command }}"
osbs_vendor: "{{ osbs_conf_vendor }}"
osbs_readwrite_users: "{{ osbs_conf_readwrite_users }}"
osbs_service_accounts: "{{ osbs_conf_service_accounts }}"
osbs_registry_uri: "https://{{ docker_registry }}/v2"
osbs_source_registry_uri: "https://{{ source_registry }}/v2"
koji_use_kerberos: true
koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{ osbs_url }}.keytab"
koji_kerberos_principal: "osbs/{{osbs_url}}@{{ ipa_realm }}"
when: env == "staging"
tags:
- osbs-orchestrator-namespace
- name: Add the worker/orchestrator labels to the nodes
hosts: osbs-masters-stg[0]
tags:
- osbs-labels-nodes
tasks:
- name: Add the worker label
command: "oc -n {{ osbs_worker_namespace }} label nodes {{ item }} worker=true --overwrite"
loop: "{{ groups['osbs-nodes-stg'] }}"
- name: Add the orchestrator labels to the nodes
command: "oc -n {{ osbs_namespace }} label nodes {{ item }} orchestrator=true --overwrite"
loop: "{{ groups['osbs-nodes-stg'] }}"
- name: setup reactor config secret in orchestrator namespace
hosts: osbs-masters-stg[0]
roles:
- role: osbs-secret
osbs_secret_name: reactor-config-secret
osbs_secret_files:
- source: "/tmp/{{ osbs_namespace }}-reactor-config-secret.yml"
dest: config.yaml
when: env == "staging"
tags:
- osbs-orchestrator-namespace
- name: setup ODCS secret in orchestrator namespace
hosts: osbs-masters-stg[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-secret
osbs_secret_name: odcs-oidc-secret
osbs_secret_files:
- source: "{{ private }}/files/osbs/staging/odcs-oidc-token"
dest: token
when: env == "staging"
tags:
- osbs-orchestrator-namespace
- name: setup client config secret in orchestrator namespace
hosts: osbs-masters-stg[0]
roles:
- role: osbs-secret
osbs_secret_name: client-config-secret
osbs_secret_files:
- source: "/tmp/{{ osbs_namespace }}-client-config-secret.conf"
dest: osbs.conf
when: env == "staging"
tags:
- osbs-orchestrator-namespace
- name: setup koji secret in orchestrator namespace
hosts: osbs-masters-stg[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-secret
osbs_secret_name: kojisecret
osbs_secret_files:
- source: "{{ private }}/files/koji/containerbuild.pem"
dest: cert
when: env == "staging"
tags:
- osbs-orchestrator-namespace
- name: setup dist registry secret in orchestrator namespace
hosts: osbs-masters-stg[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-secret
osbs_secret_name: registry-secret
osbs_secret_files:
- source: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.pem"
dest: client.cert
- source: "{{private}}/files/docker-registry/{{env}}/docker-registry-internal.key"
dest: client.key
when: env == "staging"
tags:
- osbs-orchestrator-namespace
- name: setup orchestrator token for x86_64-osbs
hosts: osbs-masters-stg[0]
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- "/srv/private/ansible/vars.yml"
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
roles:
- role: osbs-secret
osbs_secret_name: x86-64-osbs
osbs_secret_files:
- source: "{{ private }}/files/osbs/staging/x86-64-osbs-stg-orchestrator"
dest: token
when: env == "staging"
tags:
- osbs-orchestrator-namespace
- name: Manage docker images and image stream
hosts: osbs-masters-stg[0]:osbs-masters[0]
tags:
- osbs-post-install
- manage-docker-images
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
tasks:
- name: pull fedora required docker images
command: "docker pull {{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: "{{ composer }}"
register: docker_pull_fedora_delegated
changed_when: "'Downloaded newer image' in docker_pull_fedora_delegated.stdout"
- name: tag fedora required docker images for our registry
command: "docker tag {{item}} {{docker_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: "{{ composer }}"
when: docker_pull_fedora_delegated is changed
- name: push fedora required docker images to our registry
command: "docker push {{docker_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
delegate_to: "{{ composer }}"
when: docker_pull_fedora_delegated is changed
- name: register origin_version_out rpm query
command: "rpm -q origin --qf '%{Version}'"
register: origin_version_out
check_mode: no
changed_when: False
- set_fact:
origin_version: "{{origin_version_out.stdout}}"
- name: pull openshift required docker images
command: "docker pull {{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: "{{ composer }}"
register: docker_pull_openshift_delegated
changed_when: "'Downloaded newer image' in docker_pull_openshift_delegated.stdout"
- name: tag openshift required docker images for our registry
command: "docker tag {{item}}:v{{origin_version}} {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: "{{ composer }}"
when: docker_pull_openshift_delegated is changed
- name: push openshift required docker images to our registry
command: "docker push {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
delegate_to: "{{ composer }}"
when: docker_pull_openshift_delegated is changed
- name: create fedora image stream for OpenShift
command: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f - && touch /etc/origin/fedoraimagestreamcreated"
environment: "{{ osbs_environment }}"
args:
creates: /etc/origin/fedoraimagestreamcreated
- name: post-install master host osbs tasks
hosts: osbs-masters-stg:osbs-masters
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
handlers:
- name: oc secrets new
command: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
environment: "{{ osbs_environment }}"
notify: oc secrets add
- name: oc secrets add
command: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
environment: "{{ osbs_environment }}"
tasks:
- name: Ensure koji dockerbuilder cert path exists
file:
path: "{{ koji_pki_dir }}"
state: "directory"
mode: 0400
- name: Add koji dockerbuilder cert for Content Generator import
copy:
src: "{{private}}/files/koji/containerbuild.pem"
dest: "{{ koji_cert_path }}"
notify: oc secrets new
- name: Add koji dockerbuilder ca cert for Content Generator import
copy:
src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
dest: "{{ koji_ca_cert_path }}"
notify: oc secrets new
- name: cron entry to clean up old builds
copy:
src: "{{files}}/osbs/cleanup-old-osbs-builds"
dest: "/etc/cron.d/cleanup-old-osbs-builds"
- name: post-install osbs control tasks
hosts: osbs-control
tags: osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
tags:
- iptables
- name: post-install osbs tasks
hosts: osbs-masters-stg:osbs-nodes-stg:osbs-masters:osbs-nodes
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
vars:
osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
osbs_environment:
KUBECONFIG: "{{ osbs_kubeconfig_path }}"
koji_pki_dir: /etc/pki/koji
koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
koji_builder_user: dockerbuilder
osbs_builder_user: builder
handlers:
- name: Remove the previous buildroot image
docker_image:
state: absent
name: buildroot
- name: Build the new buildroot container
docker_image:
path: /etc/osbs/buildroot/
name: buildroot
nocache: yes
- name: restart and reload docker service
systemd:
name: docker
state: restarted
daemon_reload: yes
roles:
- {
role: osbs-client,
general: {
verbose: 0,
build_json_dir: '/etc/osbs/input/',
openshift_required_version: 1.1.0,
},
default: {
username: "{{ osbs_koji_prod_username }}",
password: "{{ osbs_koji_prod_password }}",
koji_use_kerberos: True,
koji_kerberos_keytab: "FILE:/etc/krb5.osbs_{{osbs_url}}.keytab",
koji_kerberos_principal: "osbs/{{osbs_url}}@{{ipa_realm}}",
openshift_url: 'https://{{osbs_url}}/',
registry_uri: 'https://{{docker_registry}}/v2',
source_registry_uri: 'https://{{source_registry}}/v2',
build_host: '{{osbs_url}}',
koji_root: 'https://{{koji_url}}/koji',
koji_hub: 'https://{{koji_url}}/kojihub',
sources_command: 'fedpkg sources',
build_type: 'prod',
authoritative_registry: 'registry.fedoraproject.org',
vendor: 'Fedora Project',
verify_ssl: true,
use_auth: true,
builder_use_auth: true,
distribution_scope: 'private',
registry_api_versions: 'v2',
builder_openshift_url: 'https://{{osbs_url}}'
},
when: env == "production"
}
tasks:
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
tags:
- iptables
- name: copy docker iptables script
copy:
src: "{{files}}/osbs/fix-docker-iptables.{{ env }}"
dest: /usr/local/bin/fix-docker-iptables
mode: 0755
tags:
- iptables
notify:
- restart and reload docker service
- name: copy docker custom service config
copy:
src: "{{files}}/osbs/docker.firewall.service"
dest: /etc/systemd/system/docker.service.d/firewall.conf
tags:
- docker
notify:
- restart and reload docker service
- name: Create buildroot container conf directory
file:
path: "/etc/osbs/buildroot/"
state: directory
- name: Upload Dockerfile for buildroot container
template:
src: "{{ files }}/osbs/buildroot-Dockerfile-{{env}}.j2"
dest: "/etc/osbs/buildroot/Dockerfile"
mode: 0400
notify:
- Remove the previous buildroot image
- Build the new buildroot container
- name: Upload krb5.conf for buildroot container
template:
src: "{{ roles_path }}/base/templates/krb5.conf.j2"
dest: "/etc/osbs/buildroot/krb5.conf"
mode: 0644
notify:
- Remove the previous buildroot image
- Build the new buildroot container
- name: Upload internal CA for buildroot
copy:
src: "{{private}}/files/osbs/{{env}}/osbs-internal.pem"
dest: "/etc/osbs/buildroot/ca.crt"
mode: 0400
notify:
- Remove the previous buildroot image
- Build the new buildroot container
- name: stat infra repofile
stat:
path: "/etc/yum.repos.d/infra-tags.repo"
register: infra_repo_stat
- name: stat /etc/osbs/buildroot/ infra repofile
stat:
path: "/etc/osbs/buildroot/infra-tags.repo"
register: etcosbs_infra_repo_stat
- name: remove old /etc/osbs/buildroot/ infra repofile
file:
path: "/etc/osbs/buildroot/infra-tags.repo"
state: absent
when: etcosbs_infra_repo_stat.stat.exists and infra_repo_stat.stat.checksum != etcosbs_infra_repo_stat.stat.checksum
- name: Copy repofile for buildroot container (because Docker)
copy:
src: "/etc/yum.repos.d/infra-tags.repo"
dest: "/etc/osbs/buildroot/infra-tags.repo"
remote_src: true
notify:
- Remove the previous buildroot image
- Build the new buildroot container
when: etcosbs_infra_repo_stat.stat.exists == false
- name: stat /etc/ keytab
stat:
path: "/etc/krb5.osbs_{{osbs_url}}.keytab"
register: etc_kt_stat
- name: stat /etc/osbs/buildroot/ keytab
stat:
path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
register: etcosbs_kt_stat
- name: remove old hardlink to /etc/osbs/buildroot/ keytab
file:
path: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
state: absent
when: etcosbs_kt_stat.stat.exists and etc_kt_stat.stat.checksum != etcosbs_kt_stat.stat.checksum
- name: Hardlink keytab for buildroot container (because Docker)
file:
src: "/etc/krb5.osbs_{{osbs_url}}.keytab"
dest: "/etc/osbs/buildroot/krb5.osbs_{{osbs_url}}.keytab"
state: hard
notify:
- Remove the previous buildroot image
- Build the new buildroot container
when: etcosbs_kt_stat.stat.exists == false
- name: pull fedora required docker images
command: "docker pull {{docker_registry}}/{{item}}"
with_items: "{{fedora_required_images}}"
register: docker_pull_fedora
changed_when: "'Downloaded newer image' in docker_pull_fedora.stdout"
- name: register origin_version_out rpm query
command: "rpm -q origin --qf '%{Version}'"
register: origin_version_out
check_mode: no
changed_when: False
- set_fact:
origin_version: "{{origin_version_out.stdout}}"
- name: pull openshift required docker images
command: "docker pull {{docker_registry}}/{{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
register: docker_pull_openshift
changed_when: "'Downloaded newer image' in docker_pull_openshift.stdout"
when: env == "production"
- name: tag openshift required docker images locally
command: "docker tag {{docker_registry}}/{{item}}:v{{origin_version}} {{item}}:v{{origin_version}}"
with_items: "{{openshift_required_images}}"
when:
- docker_pull_openshift is changed
- env == "production"
- set_fact:
docker_pull_openshift: "{{ docker_pull_openshift }}"
- name: Post-Install image stream refresh
hosts: osbs-masters[0]:osbs-masters-stg[0]
tags:
- osbs-post-install
vars_files:
- /srv/web/infra/ansible/vars/global.yml
- /srv/private/ansible/vars.yml
- /srv/private/ansible/files/openstack/passwords.yml
- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
tasks:
- name: refresh fedora image streams
command: "oc import-image fedora --all"
when: env == "staging" and hostvars[groups["osbs-masters-stg"][0]]["docker_pull_fedora"] is changed
- name: refresh fedora image streams
command: "oc import-image fedora --all"
when: env == "production" and hostvars[groups["osbs-masters"][0]]["docker_pull_fedora"] is changed
- name: enable nrpe for monitoring (noc01)
iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=10.5.126.41 state=present jump=ACCEPT
# - name: enable nrpe for monitoring (noc01.stg)
# iptables: action=insert chain=INPUT destination_port=5666 protocol=tcp source=1#0.5.126.2 state=present jump=ACCEPT
Reference in a new issue View git blame Copy permalink