
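# create an os server
- import_playbook: "/srv/web/infra/ansible/playbooks/include/virt-create.yml myhosts=os_control_stg:os_control:os_nodes_stg:os_masters_stg:os_nodes:os_masters"

# Baseline configuration applied to every host of the OpenShift cluster:
# control hosts, masters and nodes, in both production and staging.
- name: make the box be real
  hosts: os_control:os_control_stg:os_masters_stg:os_nodes_stg:os_masters:os_nodes
  user: root
  gather_facts: true
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
    - base
    - rkhunter
    - nagios_client
    - hosts
    # The account/auth client depends on the environment: FAS outside
    # staging, IPA in staging.
    - { role: fas_client, when: env != 'staging' }
    - { role: ipa/client, when: env == "staging" }
    - collectd/base
    - rsyncd
    - sudo
    - { role: openvpn/client, when: env != "staging" }

  tasks:
    - name: put openshift repo on os- systems
      template:
        src: "{{ files }}/openshift/openshift.repo"
        dest: /etc/yum.repos.d/openshift.repo
      tags:
        - config
        - packages
        - yumrepos

    # Trust the control hosts' key as root on every cluster host; the matching
    # private key is installed on the control hosts by the pre-req play below.
    - name: Deploy controller public ssh keys to osbs cluster hosts
      authorized_key:
        user: root
        # Build the path with Jinja concatenation instead of nesting "{{ }}"
        # inside the lookup's string argument, which relied on recursive
        # templating of the inner expression.
        key: "{{ lookup('file', private ~ '/files/os/' ~ env ~ '/control_key.pub') }}"

    - name: copy docker-storage-setup config
      copy:
        src: "{{files}}/osbs/docker-storage-setup"
        dest: /etc/sysconfig/docker-storage-setup

    - name: install redhat ca file
      package:
        name: subscription-manager-rhsm-certificates
        state: present

    - import_tasks: "{{ tasks_path }}/yumrepos.yml"

    # 2FA is only wired up outside staging, matching the fas_client role above.
    - import_tasks: "{{ tasks_path }}/2fa_client.yml"
      when: env != 'staging'

    - import_tasks: "{{ tasks_path }}/motd.yml"

  handlers:
    - import_tasks: "{{ handlers_path }}/restart_services.yml"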
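# One-time preparation of the control hosts, which later run the
# openshift-ansible role against the masters and nodes.
- name: OSBS control hosts pre-req setup
  hosts: os_control:os_control_stg
  tags:
    - os-cluster-prereq
  user: root
  gather_facts: true
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    - name: fix hosts file
      copy:
        src: "{{roles_path}}/hosts/files/os-hosts"
        dest: /etc/hosts
        owner: root
        # Quoted so the YAML parser keeps the octal text rather than turning
        # it into a decimal integer.
        mode: "0644"

    # This private key pairs with the public key pushed to every cluster host
    # in the play above. It comes from the private repo and must stay
    # readable by root only.
    - name: deploy private key to control hosts
      copy:
        src: "{{private}}/files/os/{{env}}/control_key"
        dest: /root/.ssh/id_rsa
        owner: root
        mode: "0600"

    - name: set ansible to use pipelining
      ini_file:
        dest: /etc/ansible/ansible.cfg
        section: ssh_connection
        option: pipelining
        value: "True"

    - name: Install htpasswd (used in installs)
      package:
        name: httpd-tools
        state: present

    - name: Install java (used in installs)
      package:
        name: java-1.8.0-openjdk-headless
        state: present

    - name: Install python-passlib (used in installs)
      package:
        name: python-passlib
        state: present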
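# Runs on the masters only (despite the name) ahead of the cluster deploy.
- name: Pre tasks for master/nodes
  hosts: os_masters_stg:os_masters
  tags:
    - os-cluster-deploy
  user: root
  gather_facts: true
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    - name: make sure the directory for the link is there.
      file:
        path: /etc/origin/master
        state: directory
        # Quoted to keep the octal literal as-is for the file module.
        mode: "0755"

    # Point the IdP CA file at the system trust bundle instead of shipping a
    # separate copy of the CA. Presumably consumed by the fedoraidp auth
    # profile configured in the deploy play -- confirm against that role.
    - name: setup link to known ca list for id.fedoraproject.org
      file:
        state: link
        src: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
        dest: /etc/origin/master/fedoraidp_openid_ca.crt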
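# Run openshift-ansible from the control hosts. The two role entries are
# identical except for the inventory filename, the target groups, the auth
# profile and the "when" selecting staging vs. production (iad2 only).
- name: Deploy OpenShift cluster
  hosts: os_control:os_control_stg
  tags:
    - os-cluster-deploy
  user: root
  gather_facts: true
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  roles:
    # Staging cluster
    - role: ansible-ansible-openshift-ansible
      cluster_inventory_filename: "cluster-inventory-stg"
      openshift_release: "v3.11"
      openshift_ansible_path: "/root/openshift-ansible"
      openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
      openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
      openshift_ansible_version: "openshift-ansible-3.11.216-1"
      openshift_ansible_ssh_user: root
      openshift_ansible_install_examples: true
      openshift_ansible_containerized_deploy: false
      openshift_cluster_masters_group: "os_masters_stg"
      openshift_cluster_nodes_group: "os_nodes_stg"
      openshift_cluster_infra_group: "os_nodes_stg"
      openshift_auth_profile: "fedoraidp-stg"
      openshift_master_ha: true
      openshift_debug_level: 1
      openshift_deployment_type: "openshift-enterprise"
      openshift_cluster_url: "{{ os_url}}"
      openshift_app_subdomain: "{{ os_app_url }}"
      openshift_internal_cluster_url: "os-masters{{ env_suffix }}.iad2.fedoraproject.org"
      # API and console both served on 443
      openshift_api_port: 443
      openshift_console_port: 443
      openshift_shared_infra: true
      openshift_ansible_use_crio: true
      openshift_ansible_crio_only: false
      when: env == 'staging'
      tags:
        - openshift-cluster
        - ansible-ansible-openshift-ansible

    # Production cluster (iad2 datacenter only)
    - role: ansible-ansible-openshift-ansible
      cluster_inventory_filename: "cluster-inventory"
      openshift_release: "v3.11"
      openshift_ansible_path: "/root/openshift-ansible"
      openshift_ansible_pre_playbook: "playbooks/prerequisites.yml"
      openshift_ansible_playbook: "playbooks/deploy_cluster.yml"
      openshift_ansible_version: "openshift-ansible-3.11.216-1"
      openshift_ansible_ssh_user: root
      openshift_ansible_install_examples: true
      openshift_ansible_containerized_deploy: false
      openshift_cluster_masters_group: "os_masters"
      openshift_cluster_nodes_group: "os_nodes"
      openshift_cluster_infra_group: "os_nodes"
      openshift_auth_profile: "fedoraidp"
      openshift_master_ha: true
      openshift_debug_level: 1
      openshift_deployment_type: "openshift-enterprise"
      openshift_cluster_url: "{{ os_url}}"
      openshift_app_subdomain: "{{ os_app_url }}"
      openshift_internal_cluster_url: "os-masters{{ env_suffix }}.iad2.fedoraproject.org"
      # API and console both served on 443
      openshift_api_port: 443
      openshift_console_port: 443
      openshift_shared_infra: true
      openshift_ansible_use_crio: true
      openshift_ansible_crio_only: false
      when: env != 'staging' and datacenter == 'iad2'
      tags:
        - openshift-cluster
        - ansible-ansible-openshift-ansible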
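# Post-install step for every cluster host in the os / os_stg groups.
- name: Post-Install setup
  hosts: os_stg:os
  tags:
    - os-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    # Open NRPE (tcp/5666) to the single monitoring host named in the task;
    # inserted at the top of INPUT so it precedes any default reject rule.
    - name: enable nrpe for monitoring (noc01)
      iptables:
        action: insert
        chain: INPUT
        # Quoted: the module takes the port as a string.
        destination_port: "5666"
        protocol: tcp
        source: 10.3.163.10
        state: present
        jump: ACCEPT
      tags:
        - iptables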
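# Cluster-level policy applied through oc on the masters once the cluster is up.
- name: Post-Install master setup
  hosts: os_masters_stg:os_masters
  tags:
    - os-post-install
  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - /srv/private/ansible/vars.yml
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  tasks:
    # Remove the default ability of every authenticated user to create
    # projects. Reported as unchanged; only fails if oc neither confirms the
    # removal nor reports that the target is already absent.
    - name: Disallow users from provisioning
      command: oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated system:authenticated:oauth
      changed_when: false
      register: command_result
      failed_when: "' removed:' not in command_result.stdout and 'unable to find target' not in command_result.stderr"
      # Cluster-wide policy: one master is enough.
      run_once: true

    # cluster-admin is unrestricted over the whole cluster; keep this list
    # short and review it when membership changes.
    - name: Allow some users cluster admin
      command: oadm policy add-cluster-role-to-user cluster-admin {{item}}
      with_items:
        - puiterwijk
        - kevin
        - codeblock
        - smooge
      changed_when: false

    # Read-only access to cluster monitoring for app owners.
    - name: Set all app owners to have cluster-monitoring-view
      command: oadm policy add-cluster-role-to-user cluster-monitoring-view {{item}}
      with_items:
        - abompard
        - asaleh
        - bowlofeggs
        - cverna
        - dcallagh
        - dustymabe
        - gnaponie
        - jlebon
        - lholecek
        - lucab
        - misc
        - mizdebsk
        - mjia
        - mohanboddu
        - pingou
        - ralph
        - sanja
        - siddharthvipul1
        - walters
        - zlopez
      changed_when: false

    - name: Enable wildcard routes
      command: oc -n default set env dc/router ROUTER_ALLOW_WILDCARD_ROUTES=true
      changed_when: false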
# Weekly housekeeping on the nodes: prune dangling docker image layers.
- name: Add a cleanup cron job to the nodes
  hosts: os_nodes_stg:os_nodes
  tags:
    - os-node-cleanup
  tasks:
    - name: Ensure a job that runs every Mondays to clean old docker images from the nodes.
      cron:
        name: 'remove docker dangling images'
        state: present
        # Monday at 00:00
        weekday: '1'
        hour: '0'
        minute: '0'
        job: 'docker rmi $(docker images --filter dangling=true -q)'