From 2f7bcc6a033a230884825f02dd046260a11d27d0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicolas=20Mass=C3=A9?= Date: Wed, 15 May 2019 11:28:40 +0200 Subject: [PATCH] server re-install --- README.md | 123 ++++- openshift-ansible | 2 +- .../configure-openshift-access-control.yml | 15 +- playbooks/deploy-prometheus.yml | 60 -- playbooks/preparation.yml | 1 - ...sion-global-templates-and-imagestreams.yml | 7 - playbooks/site.yml | 11 +- playbooks/switch-to-iptables.yml | 15 - prod.hosts | 40 +- roles/base/tasks/main.yml | 10 +- .../{name-resolution => base}/templates/hosts | 2 - roles/hostpath-provisioner/tasks/main.yml | 2 +- roles/name-resolution/tasks/main.yml | 48 -- roles/name-resolution/templates/dnsmasq.conf | 28 - roles/name-resolution/templates/resolv.conf | 5 - roles/openshift-prereq/tasks/main.yml | 8 +- roles/openshift-templates/defaults/main.yml | 3 - .../files/sso71-allinone.yaml | 520 ------------------ roles/openshift-templates/tasks/main.yml | 105 ---- roles/sso/defaults/main.yml | 8 - roles/sso/tasks/main.yml | 64 --- 21 files changed, 164 insertions(+), 913 deletions(-) delete mode 100644 playbooks/deploy-prometheus.yml delete mode 100644 playbooks/provision-global-templates-and-imagestreams.yml delete mode 100644 playbooks/switch-to-iptables.yml rename roles/{name-resolution => base}/templates/hosts (88%) delete mode 100644 roles/name-resolution/tasks/main.yml delete mode 100644 roles/name-resolution/templates/dnsmasq.conf delete mode 100644 roles/name-resolution/templates/resolv.conf delete mode 100644 roles/openshift-templates/defaults/main.yml delete mode 100644 roles/openshift-templates/files/sso71-allinone.yaml delete mode 100644 roles/openshift-templates/tasks/main.yml delete mode 100644 roles/sso/defaults/main.yml delete mode 100644 roles/sso/tasks/main.yml diff --git a/README.md b/README.md index 6c01bb6..9df3fa9 100644 --- a/README.md +++ b/README.md @@ -1,4 +1,123 @@ # OpenShift-Lab -This project is my Ansible Playbook to install OpenShift on my personal server. -More to see there... Well, maybe... +This project is my Ansible Playbook to install OpenShift on my Hetzner server. + +## Operating System install + +Go to [access.redhat.com](https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.6/x86_64/product-software) and download the boot ISO image of the latest RHEL 7. + +Upload this ISO image to any large file transfer such as [send.firefox.com](https://send.firefox.com) or [dl.free.fr](http://dl.free.fr/). + +Go to your [Hetzner console](https://robot.your-server.de/server), select your server and book a KVM (**Support** > **Remote Console (KVM)** > **I would like to make an appointment**). +Choose a date, time and duration. For the duration, two hours should be enough. + +In the message box, type something like: + +```raw +Dear Hetzner Support team, + +I would like to install RHEL 7 on my server. Could you please burn the following ISO image on a CD or prepare a USB Key accordingly for me ? + + + +Many thanks for your help. + +Best regards. +``` + +Click **Send Request** + +At the specified timeframe, you should receive a mail containing the login details to connect to your KVM. + +Open the KVM console. This is a Java applet, so make sure there is no security restriction on their execution. + +Reboot your server using the **Ctrl+Ald+Delete** button. + +When the bios shows up, press **** to enter the boot menu and boot from the CD or USB Key, according to the Hetzner instructions. + +[![Hetzner install](https://img.youtube.com/vi/q-brW2_23Lo/0.jpg)](https://www.youtube.com/watch?v=q-brW2_23Lo) + +## Getting a public certificates with Let's encrypt + +On the Ansible control node, install [lego](https://github.com/go-acme/lego): + +```sh +brew install lego +``` + +Get a certificate for the wildcard domain as well as the master hostname: + +```sh +GANDIV5_API_KEY=[REDACTED] lego -d openshift.itix.fr -d app.itix.fr -d '*.app.itix.fr' -a -m your.email@example.test --path $HOME/.lego --dns gandiv5 run +``` + +See [this guide](https://github.com/nmasse-itix/OpenShift-Examples/tree/master/Public-Certificates-with-Letsencrypt) for more details. + +## Preparation + +Register the server on RHN: + +```sh +sudo subscription-manager register --name=openshift.itix.fr +sudo subscription-manager refresh +sudo subscription-manager list --available --matches '*Employee SKU*' +sudo subscription-manager attach --pool=8a85f9833e1404a9013e3cddf95a0599 +``` + +Edit `/etc/sysconfig/network-scripts/ifcfg-eno1` and add: + +```sh +NM_CONTROLLED="yes" +PEERDNS="yes" +DOMAIN="itix.fr" +``` + +## OpenShift Install + +Create a file named `group_vars/OSEv3`, containing your secrets: + +```sh +cat < group_vars/OSEv3 +--- +# Generated on https://access.redhat.com/terms-based-registry/ +oreg_auth_password: your.password.here +oreg_auth_user: '123|user-name' + +# The regular user account you created on your server +ansible_ssh_user: nicolas + +openshift_additional_registry_credentials: +- host: registry.connect.redhat.com + user: rhn-username + password: rhn-password + test_image: sonatype/nexus-repository-manager:latest + +# see: https://github.com/nmasse-itix/OpenShift-Examples/tree/master/Login-to-OpenShift-with-your-Google-Account +openshift_master_identity_providers: +- name: RedHat + login: true + challenge: false + kind: GoogleIdentityProvider + clientID: your.client_id.apps.googleusercontent.com + clientSecret: your.client_secret.here + hostedDomain: redhat.com +EOF +``` + +Create a file named `group_vars/all`, containing your global variables: + +```sh +cat < group_vars/OSEv3 +--- +# The regular user account you created on your server +ansible_ssh_user: nicolas +EOF +``` + +Run the OpenShift install: + +```sh +ansible-playbook -i prod.hosts playbooks/preparation.yml +ansible-playbook -i prod.hosts openshift-ansible/playbooks/deploy_cluster.yml +ansible-playbook -i prod.hosts playbooks/post-install.yml +``` diff --git a/openshift-ansible b/openshift-ansible index 5c64b07..af96f82 160000 --- a/openshift-ansible +++ b/openshift-ansible @@ -1 +1 @@ -Subproject commit 5c64b07726038812ef6633e8b815a75aa30248b2 +Subproject commit af96f82881eb95231e1a9fc7db06d9d031963b1d diff --git a/playbooks/configure-openshift-access-control.yml b/playbooks/configure-openshift-access-control.yml index d7e12d9..e760bb0 100644 --- a/playbooks/configure-openshift-access-control.yml +++ b/playbooks/configure-openshift-access-control.yml @@ -3,17 +3,6 @@ - name: Configure the OpenShift Access Control Layer hosts: itix become: yes - vars: - itix_sso_route: sso.{{ openshift_master_default_subdomain }} tasks: - - name: Remove authenticated users the right to create projects - command: oc adm policy remove-cluster-role-from-group self-provisioner system:authenticated:oauth - - - name: Nicolas can create projects - command: oc adm policy add-cluster-role-to-user self-provisioner nicolas.masse@itix.fr - - - name: Give the monitoring rights to nicolas - command: oc adm policy add-role-to-user view nicolas.masse@itix.fr -n openshift-metrics - - roles: - - { name: 'sso', tags: 'sso' } + - name: Nicolas is admin + command: oc adm policy add-cluster-role-to-user cluster-admin nicolas.masse@itix.fr diff --git a/playbooks/deploy-prometheus.yml b/playbooks/deploy-prometheus.yml deleted file mode 100644 index 910c60c..0000000 --- a/playbooks/deploy-prometheus.yml +++ /dev/null @@ -1,60 +0,0 @@ ---- - -- name: Deploy Prometheus on OpenShift - hosts: itix - become: yes - vars: - itix_openshift_docker_images_repo_url: https://github.com/nmasse-itix/OpenShift-Docker-Images.git - itix_prometheus_project: openshift-metrics - itix_grafana_route: grafana.{{ openshift_master_default_subdomain }} - itix_prometheus_route: prometheus.{{ openshift_master_default_subdomain }} - itix_alerts_route: prometheus-alerts.{{ openshift_master_default_subdomain }} - tasks: - - name: Create a temporary directory - tempfile: - state: directory - register: tempfile - - - name: Clone the nmasse-itix/OpenShift-Docker-Images GIT repository - git: - repo: '{{ itix_openshift_docker_images_repo_url }}' - dest: '{{ tempfile.path }}' - version: '{{ itix_openshift_docker_images_repo_tag|default(''master'') }}' - - - name: Process the grafana-prometheus-storage template - command: oc process -f '{{ tempfile.path }}/grafana/grafana-prometheus-storage.yaml' -p 'NAMESPACE={{ itix_prometheus_project }}' - register: oc_process - - - set_fact: - grafana_prometheus_storage: '{{ oc_process.stdout }}' - - - name: Process the grafana-prometheus template - command: oc process -f '{{ tempfile.path }}/grafana/grafana-prometheus.yaml' -p 'NAMESPACE={{ itix_prometheus_project }}' -p 'PROMETHEUS_ROUTE_HOSTNAME={{ itix_prometheus_route }}' -p 'ALERTS_ROUTE_HOSTNAME={{ itix_alerts_route }}' - register: oc_process - - - set_fact: - grafana_prometheus: '{{ oc_process.stdout }}' - - - name: Process the grafana-base template - command: oc process -f '{{ tempfile.path }}/grafana/grafana-base.yaml' -p 'NAMESPACE={{ itix_prometheus_project }}' -p 'GRAFANA_ROUTE_HOSTNAME={{ itix_grafana_route }}' - register: oc_process - - - set_fact: - grafana_base: '{{ oc_process.stdout }}' - - - name: Create the objects - command: oc create -f - - args: - stdin: '{{ item|to_json }}' - register: oc - failed_when: oc.rc > 0 and 'Error from server (AlreadyExists):' not in oc.stderr - changed_when: oc.rc == 0 - with_items: - - '{{ grafana_prometheus_storage }}' - - '{{ grafana_prometheus }}' - - '{{ grafana_base }}' - - - name: Delete the temporary directory - file: - path: '{{ tempfile.path }}' - state: absent diff --git a/playbooks/preparation.yml b/playbooks/preparation.yml index 651c2b5..912fc4c 100644 --- a/playbooks/preparation.yml +++ b/playbooks/preparation.yml @@ -5,6 +5,5 @@ become: yes roles: - { name: 'base', tags: 'base' } - - { name: 'name-resolution', tags: 'name-resolution' } - { name: 'docker', tags: 'docker' } - { name: 'openshift-prereq', tags: 'openshift-prereq' } diff --git a/playbooks/provision-global-templates-and-imagestreams.yml b/playbooks/provision-global-templates-and-imagestreams.yml deleted file mode 100644 index 271bc1e..0000000 --- a/playbooks/provision-global-templates-and-imagestreams.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- - - - name: Provision the default templates and image streams in OpenShift - hosts: itix - become: yes - roles: - - { name: 'openshift-templates', tags: 'openshift-templates' } diff --git a/playbooks/site.yml b/playbooks/site.yml index 5eeab4f..e89d62f 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -1,20 +1,17 @@ --- - - include: "switch-to-iptables.yml" - - include: "preparation.yml" # Launch the OpenShift Installer Playbook - - include: "../openshift-ansible/playbooks/byo/openshift-cluster/config.yml" + - include: "../openshift-ansible/playbooks/deploy_cluster.yml" - include: "post-install.yml" # Update the default templates and image streams - - include: "../openshift-ansible/playbooks/byo/openshift-master/additional_config.yml" - - - include: "provision-global-templates-and-imagestreams.yml" + - include: "../openshift-ansible/playbooks/openshift-master/additional_config.yml" - - include: "deploy-prometheus.yml" + # Deploy the let's encrypt certificates + - include: "../openshift-ansible/playbooks/redeploy-certificates.yml" - include: "configure-openshift-access-control.yml" diff --git a/playbooks/switch-to-iptables.yml b/playbooks/switch-to-iptables.yml deleted file mode 100644 index 2f7c0f5..0000000 --- a/playbooks/switch-to-iptables.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - - - name: Switch to iptables - hosts: itix - become: yes - tasks: - - name: Install iptables-services - yum: name=iptables-services state=installed - tags: rpm - - - name: Disable firewalld - service: name=firewalld state=stopped enabled=no - - - name: Enable iptables - service: name=iptables state=started enabled=yes diff --git a/prod.hosts b/prod.hosts index 0735d3a..626e684 100644 --- a/prod.hosts +++ b/prod.hosts @@ -3,10 +3,7 @@ # [itix:vars] itix_dns_suffix=itix.fr -itix_openshift_version=3.10 -itix_application_templates_repo_tag=ose-v1.4.7 -itix_openshift_origin_repo_tag=release-3.10 -itix_openshift_docker_images_repo_tag=master +itix_openshift_version=3.11 [itix:children] masters @@ -25,7 +22,7 @@ openshift.itix.fr openshift.itix.fr [nodes] -openshift.itix.fr openshift_node_group_name='node-config-all-in-one' openshift_kubelet_name_override='openshift.itix.fr' +openshift.itix.fr openshift_node_group_name='node-config-all-in-one' # # The rest is used only by the OpenShift installer playbook @@ -36,14 +33,6 @@ nodes etcd [OSEv3:vars] -# -# Starting with 3.6, default templates and imagestreams can be left out -# see https://bugzilla.redhat.com/show_bug.cgi?id=1506578 -# -openshift_install_examples=true -openshift_examples_load_quickstarts=false -openshift_examples_load_xpaas=false - # Yes, we need to use sudo ansible_become=yes @@ -53,9 +42,6 @@ deployment_type=openshift-enterprise # Clustering method openshift_master_cluster_method=native -# Bypass Registry Security Checks -openshift_docker_insecure_registries=172.30.0.0/16 - # Make sure NTP is enabled openshift_clock_enabled=true @@ -65,3 +51,25 @@ openshift_additional_projects={} # Enable the "flat network" SDN os_sdn_network_plugin_name='redhat/openshift-ovs-subnet' +# Do not use CRI-O +openshift_use_crio=false + +# Use Firewalld +os_firewall_use_firewalld=yes + +# Let's encrypt Certificates +openshift_master_overwrite_named_certificates=true +openshift_master_named_certificates=[{ "certfile": "{{ lookup('env','HOME') }}/.lego/certificates/openshift.itix.fr.crt", "keyfile": "{{ lookup('env','HOME') }}/.lego/certificates/openshift.itix.fr.key", "cafile": "{{ lookup('env','HOME') }}/.lego/certificates/openshift.itix.fr.issuer.crt", "names": [ "openshift.itix.fr" ] }] +openshift_hosted_router_certificate={ "certfile": "{{ lookup('env','HOME') }}/.lego/certificates/openshift.itix.fr.crt", "keyfile": "{{ lookup('env','HOME') }}/.lego/certificates/openshift.itix.fr.key", "cafile": "{{ lookup('env','HOME') }}/.lego/certificates/openshift.itix.fr.issuer.crt" } +openshift_master_openid_ca_file="{{ lookup('env','HOME') }}/.lego/certificates/openshift.itix.fr.issuer.crt" + +# Since we are using Let's Encrypt, generate a warning about expiration only +# during the last 30 days +openshift_certificate_expiry_warning_days=30 + +# Since we have a public certificate for the master console, we need two different hostnames +openshift_master_cluster_hostname=openshift-internal.itix.fr +openshift_master_cluster_public_hostname=openshift.itix.fr + +# Skip docker images check since it fails no matter what +openshift_disable_check=docker_image_availability diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml index 4e9650f..d1a9452 100644 --- a/roles/base/tasks/main.yml +++ b/roles/base/tasks/main.yml @@ -31,14 +31,14 @@ - openssh-clients tags: rpm - - name: Install Open-VM tools - yum: name=open-vm-tools state=installed - tags: rpm - - name: Fix /etc/environment to include PATH lineinfile: dest=/etc/environment regexp="^PATH=" line="PATH=/bin:/usr/bin:/sbin:/usr/sbin" tags: config + - name: Make sure each machine has an up-to-date /etc/hosts + template: dest=/etc/hosts src=hosts + tags: config + - name: Persist the hostname lineinfile: dest=/etc/sysconfig/network regexp="^HOSTNAME=" line="HOSTNAME={{ inventory_hostname_short }}" tags: @@ -46,7 +46,7 @@ - dns - name: Set the hostname - command: hostnamectl set-hostname {{ inventory_hostname_short }} --static + command: hostnamectl set-hostname {{ inventory_hostname_short }} tags: - config - dns diff --git a/roles/name-resolution/templates/hosts b/roles/base/templates/hosts similarity index 88% rename from roles/name-resolution/templates/hosts rename to roles/base/templates/hosts index 418d718..840cff0 100644 --- a/roles/name-resolution/templates/hosts +++ b/roles/base/templates/hosts @@ -2,8 +2,6 @@ 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 -{% if "name-server" not in groups %} {% for item in groups['all'] %} {{ hostvars[item]['ansible_default_ipv4']['address'] }} {{ hostvars[item]['inventory_hostname']}} {{ hostvars[item]['inventory_hostname_short']}} {% endfor %} -{% endif %} diff --git a/roles/hostpath-provisioner/tasks/main.yml b/roles/hostpath-provisioner/tasks/main.yml index 8d801d4..aa75418 100644 --- a/roles/hostpath-provisioner/tasks/main.yml +++ b/roles/hostpath-provisioner/tasks/main.yml @@ -35,5 +35,5 @@ changed_when: oc.rc == 0 - name: Add the new volume to docker-registry - command: oc volume dc docker-registry -n default --add=true --overwrite=true --type=persistentVolumeClaim --name=registry-storage --claim-name=registry-storage + command: oc set volume dc docker-registry -n default --add=true --overwrite=true --type=persistentVolumeClaim --name=registry-storage --claim-name=registry-storage when: hostpath_provisioner_patch_docker_registry diff --git a/roles/name-resolution/tasks/main.yml b/roles/name-resolution/tasks/main.yml deleted file mode 100644 index ae9d8b3..0000000 --- a/roles/name-resolution/tasks/main.yml +++ /dev/null @@ -1,48 +0,0 @@ ---- - - - name: Check for mandatory variables required by this playbook - fail: - msg: "This playbook requires {{item}} to be set." - when: "item is not defined or item == ''" - with_items: - - itix_dns_suffix - - openshift_master_default_subdomain - - - name: Make sure each machine has an up-to-date /etc/hosts - template: dest=/etc/hosts src=hosts - tags: config - - - name: Install dnsmasq - yum: name=dnsmasq state=installed - when: "'name-server' in group_names" # Only on admin server - tags: rpm - - - name: Set dnsmasq config - template: src=dnsmasq.conf dest=/etc/dnsmasq.conf - when: "'name-server' in group_names" # Only on admin server - tags: config - - - name: Generate an /etc/hosts with all hosts - template: dest=/etc/hosts.dnsmasq src=hosts - when: "'name-server' in group_names" # Only on admin server - tags: config - - - name: Make sure dnsmasq daemon is enabled and started - service: name=dnsmasq state=started enabled=yes - when: "'name-server' in group_names" # Only on admin server - tags: config - - - name: Add an iptable rule to allow DNS queries from other hosts - lineinfile: dest=/etc/sysconfig/iptables line="-A INPUT -p udp --dport 53 -j ACCEPT" insertafter="-A INPUT -i lo -j ACCEPT" - when: "'name-server' in group_names" # Only on admin server - tags: iptables - - - name: Restart iptables - service: name=iptables enabled=yes state=restarted - when: "'name-server' in group_names" # Only on admin server - tags: iptables - - - name: Fix the /etc/resolv.conf of other hosts - template: dest=/etc/resolv.conf src=resolv.conf - when: "'name-server' in groups and 'name-server' not in group_names" # On all other nodes (if a name server has been setup) - tags: config diff --git a/roles/name-resolution/templates/dnsmasq.conf b/roles/name-resolution/templates/dnsmasq.conf deleted file mode 100644 index 44744c1..0000000 --- a/roles/name-resolution/templates/dnsmasq.conf +++ /dev/null @@ -1,28 +0,0 @@ -# {{ ansible_managed }} - -domain-needed -bogus-priv -expand-hosts -log-queries -local-ttl=60 - -# Do not read the default /etc/hosts -no-hosts - -# But read this one... -addn-hosts=/etc/hosts.dnsmasq - -# Default suffix for all machines -domain={{ itix_dns_suffix }} - -# -# Wildcard DNS entries (see lab_route_suffix variable) -# -# note: will generate something like this : -# address=/app.openshift.test/192.168.23.20 -# -{% if 'lb' in groups %} -address=/{{ openshift_master_default_subdomain }}/{{ hostvars[groups['lb'][0]]['ansible_default_ipv4']['address'] }} -{% else %} -address=/{{ openshift_master_default_subdomain }}/{{ hostvars[groups['masters'][0]]['ansible_default_ipv4']['address'] }} -{% endif %} diff --git a/roles/name-resolution/templates/resolv.conf b/roles/name-resolution/templates/resolv.conf deleted file mode 100644 index c0393f8..0000000 --- a/roles/name-resolution/templates/resolv.conf +++ /dev/null @@ -1,5 +0,0 @@ -# {{ ansible_managed }} -search {{ itix_dns_suffix }} -{% for item in groups['name-server'] %} -nameserver {{ hostvars[item]['ansible_default_ipv4']['address'] }} -{% endfor %} diff --git a/roles/openshift-prereq/tasks/main.yml b/roles/openshift-prereq/tasks/main.yml index 559230f..96b4c6f 100644 --- a/roles/openshift-prereq/tasks/main.yml +++ b/roles/openshift-prereq/tasks/main.yml @@ -11,7 +11,7 @@ - rhel-7-server-optional-rpms - rhel-7-server-extras-rpms - rhel-7-server-ose-{{ itix_openshift_version }}-rpms - - rhel-7-fast-datapath-rpms # see https://access.redhat.com/solutions/3008401 + - rhel-7-server-ansible-2.6-rpms tags: rpm - name: Install required RPMs @@ -20,8 +20,12 @@ - git - net-tools - bind-utils + - yum-utils - bridge-utils - bash-completion - NetworkManager - - nfs-utils + - kexec-tools + - sos + - psacct + - skopeo tags: rpm diff --git a/roles/openshift-templates/defaults/main.yml b/roles/openshift-templates/defaults/main.yml deleted file mode 100644 index 44ed823..0000000 --- a/roles/openshift-templates/defaults/main.yml +++ /dev/null @@ -1,3 +0,0 @@ ---- - -itix_application_templates_repo_url: https://github.com/jboss-openshift/application-templates.git diff --git a/roles/openshift-templates/files/sso71-allinone.yaml b/roles/openshift-templates/files/sso71-allinone.yaml deleted file mode 100644 index f767dab..0000000 --- a/roles/openshift-templates/files/sso71-allinone.yaml +++ /dev/null @@ -1,520 +0,0 @@ -kind: Template -apiVersion: v1 -metadata: - annotations: - iconClass: icon-sso - tags: 'sso,keycloak,jboss' - version: 1.4.7 - openshift.io/display-name: 'Single Sign-On 7.1 (development mode)' - openshift.io/provider-display-name: 'Red Hat, Inc.' - description: 'A self-containing Red Hat SSO application with a PostgreSQL database. For more information about using this template, see https://github.com/jboss-openshift/application-templates.' - template.openshift.io/long-description: 'This template defines resources needed to develop Red Hat Single Sign-On 7.1 server based deployment and deployment configuration for PostgreSQL using persistence.' - template.openshift.io/documentation-url: 'https://access.redhat.com/documentation/en/red-hat-single-sign-on/' - template.openshift.io/support-url: 'https://access.redhat.com' - name: sso71-allinone -labels: - template: sso71-allinone - xpaas: 1.4.7 -message: 'A new persistent SSO service (using PostgreSQL) has been created in your project. The admin username/password for accessing the master realm via the SSO console is ${SSO_ADMIN_USERNAME}/${SSO_ADMIN_PASSWORD}. The username/password for accessing the PostgreSQL database "${DB_DATABASE}" is ${DB_USERNAME}/${DB_PASSWORD}.' -parameters: - - displayName: 'Application Name' - description: 'The name for the application.' - name: APPLICATION_NAME - value: sso - required: true - - - displayName: 'Custom http Route Hostname' - description: 'Custom hostname for http service route. Leave blank for default hostname, e.g.: ..' - name: SSO_HOSTNAME - value: "" - required: false - - - displayName: 'The password that protects the Keystores' - description: 'The password for the keystores and certificates (auto-generated)' - name: SSO_KEYSTORE_PASSWORD - generate: expression - from: '[a-zA-Z0-9]{8}' - required: true - - - displayName: 'Database JNDI Name' - description: 'Database JNDI name used by application to resolve the datasource, e.g. java:/jboss/datasources/postgresql' - name: DB_JNDI - value: 'java:jboss/datasources/KeycloakDS' - required: false - - - displayName: 'Database Name' - description: 'Database name' - name: DB_DATABASE - value: sso - required: true - - - displayName: 'Datasource Minimum Pool Size' - description: 'Sets xa-pool/min-pool-size for the configured datasource.' - name: DB_MIN_POOL_SIZE - required: false - - - displayName: 'Datasource Maximum Pool Size' - description: 'Sets xa-pool/max-pool-size for the configured datasource.' - name: DB_MAX_POOL_SIZE - required: false - - - displayName: 'Datasource Transaction Isolation' - description: 'Sets transaction-isolation for the configured datasource.' - name: DB_TX_ISOLATION - required: false - - - displayName: 'PostgreSQL Maximum number of connections' - description: 'The maximum number of client connections allowed. This also sets the maximum number of prepared transactions.' - name: POSTGRESQL_MAX_CONNECTIONS - required: false - - - displayName: 'PostgreSQL Shared Buffers' - description: 'Configures how much memory is dedicated to PostgreSQL for caching data.' - name: POSTGRESQL_SHARED_BUFFERS - required: false - - - displayName: 'Database Username' - description: 'Database user name' - name: DB_USERNAME - value: sso - required: true - - - displayName: 'Database Password' - description: 'Database user password' - name: DB_PASSWORD - from: '[a-zA-Z0-9]{8}' - generate: expression - required: true - - - displayName: 'Database Volume Capacity' - description: 'Size of persistent storage for database volume.' - name: VOLUME_CAPACITY - value: 1Gi - required: true - - - displayName: 'JGroups Cluster Password' - description: 'JGroups cluster password' - name: JGROUPS_CLUSTER_PASSWORD - from: '[a-zA-Z0-9]{8}' - generate: expression - required: true - - - displayName: 'ImageStream Namespace' - description: 'Namespace in which the ImageStreams for Red Hat Middleware images are installed. These ImageStreams are normally installed in the openshift namespace. You should only need to modify this if you''ve installed the ImageStreams in a different namespace/project.' - name: IMAGE_STREAM_NAMESPACE - value: openshift - required: true - - - displayName: 'SSO Admin Username' - description: 'SSO Server admin username' - name: SSO_ADMIN_USERNAME - value: 'admin' - required: true - - - displayName: 'SSO Admin Password' - description: 'SSO Server admin password' - name: SSO_ADMIN_PASSWORD - from: '[a-zA-Z0-9]{8}' - generate: expression - required: true - - - displayName: 'SSO Realm' - description: 'Realm to be created in the SSO server (e.g. demo).' - name: SSO_REALM - value: "" - required: false - - - displayName: 'SSO Service Username' - description: 'The username used to access the SSO service. This is used by clients to create the appliction client(s) within the specified SSO realm.' - name: SSO_SERVICE_USERNAME - value: "" - required: false - - - displayName: 'SSO Service Password' - description: 'The password for the SSO service user.' - name: SSO_SERVICE_PASSWORD - value: "" - required: false - - - displayName: 'PostgreSQL Image Stream Tag' - description: 'The tag to use for the "postgresql" image stream. Typically, this aligns with the major.minor version of PostgreSQL.' - name: POSTGRESQL_IMAGE_STREAM_TAG - value: '9.5' - required: true - - - description: 'Container memory limit' - name: MEMORY_LIMIT - value: 1Gi - required: false - -objects: -## -## Route and Services -## - - kind: Service - apiVersion: v1 - spec: - ports: - - name: http - port: 8080 - targetPort: 8080 - - name: https - port: 8443 - targetPort: 8443 - selector: - deploymentConfig: '${APPLICATION_NAME}' - metadata: - name: '${APPLICATION_NAME}' - labels: - application: '${APPLICATION_NAME}' - annotations: - description: 'The web server''s http/https ports.' - service.alpha.openshift.io/dependencies: '[{"name": "${APPLICATION_NAME}-postgresql", "kind": "Service"}]' - service.alpha.openshift.io/serving-cert-secret-name: '${APPLICATION_NAME}-https-secret' - - - kind: Service - apiVersion: v1 - spec: - ports: - - name: postgresql - port: 5432 - targetPort: 5432 - selector: - deploymentConfig: '${APPLICATION_NAME}-postgresql' - metadata: - name: '${APPLICATION_NAME}-postgresql' - labels: - application: '${APPLICATION_NAME}' - annotations: - description: 'The database server''s port.' - - - kind: Route - apiVersion: v1 - id: '${APPLICATION_NAME}' - metadata: - name: '${APPLICATION_NAME}' - labels: - application: '${APPLICATION_NAME}' - annotations: - description: 'Route for application''s https service.' - spec: - host: '${SSO_HOSTNAME}' - port: - targetPort: https - to: - kind: Service - name: '${APPLICATION_NAME}' - port: - tls: - termination: reencrypt - insecureEdgeTerminationPolicy: Redirect - -## -## Persistence -## - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: '${APPLICATION_NAME}-database' - labels: - application: '${APPLICATION_NAME}' - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: '${VOLUME_CAPACITY}' - -## -## Service Accounts, Secrets and Role Bindings -## - - apiVersion: v1 - kind: ServiceAccount - metadata: - name: '${APPLICATION_NAME}' - labels: - application: '${APPLICATION_NAME}' - secrets: - - name: '${APPLICATION_NAME}-https-secret' - - - apiVersion: v1 - kind: RoleBinding - metadata: - name: '${APPLICATION_NAME}-can-read-project' - labels: - application: '${APPLICATION_NAME}' - roleRef: - name: view - subjects: - - kind: ServiceAccount - name: '${APPLICATION_NAME}' - -## -## Deploy RH-SSO -## - - kind: DeploymentConfig - apiVersion: v1 - metadata: - name: '${APPLICATION_NAME}' - labels: - application: '${APPLICATION_NAME}' - spec: - strategy: - type: Recreate - recreateParams: - pre: - failurePolicy: Abort - execNewPod: - containerName: '${APPLICATION_NAME}' - command: - - /usr/bin/keytool - - -genseckey - - -alias - - jgroups - - -keystore - - /etc/eap-secret-volume/jgroups.jceks - - -keyalg - - Blowfish - - -keysize - - "56" - - -storetype - - JCEKS - - -keypass - - '${SSO_KEYSTORE_PASSWORD}' - - -storepass - - '${SSO_KEYSTORE_PASSWORD}' - volumes: - - '${APPLICATION_NAME}-eap-secrets' - triggers: - - type: ImageChange - imageChangeParams: - automatic: true - containerNames: - - '${APPLICATION_NAME}' - from: - kind: ImageStreamTag - namespace: '${IMAGE_STREAM_NAMESPACE}' - name: 'redhat-sso71-openshift:1.2' - - type: ConfigChange - replicas: 1 - selector: - deploymentConfig: '${APPLICATION_NAME}' - template: - metadata: - name: '${APPLICATION_NAME}' - labels: - deploymentConfig: '${APPLICATION_NAME}' - application: '${APPLICATION_NAME}' - spec: - serviceAccountName: '${APPLICATION_NAME}' - terminationGracePeriodSeconds: 75 - initContainers: - - name: openshift-ca-pemtokeystore - image: syndesis/pemtokeystore:v0.2.1 - imagePullPolicy: IfNotPresent - args: - - -keystore - - /etc/eap-secret-volume/keystore.jks - - -ca-file - - /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - - -ca-file - - /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt - - -cert-file - - tls=/etc/openshift-secret-volume/tls.crt - - -key-file - - tls=/etc/openshift-secret-volume/tls.key - - -keystore-password - - '${SSO_KEYSTORE_PASSWORD}' - volumeMounts: - - name: "${APPLICATION_NAME}-openshift-secret" - mountPath: "/etc/openshift-secret-volume" - - name: '${APPLICATION_NAME}-eap-secrets' - mountPath: "/etc/eap-secret-volume" - resources: - limits: - memory: 255Mi - requests: - memory: 20Mi - containers: - - name: '${APPLICATION_NAME}' - image: ' ' - imagePullPolicy: Always - resources: - limits: - memory: '${MEMORY_LIMIT}' - volumeMounts: - - name: '${APPLICATION_NAME}-eap-secrets' - mountPath: /etc/eap-secret-volume - # Workaround for a bug on overlayfs2 - # See https://github.com/openshift/openshift-ansible/issues/2823 - - name: '${APPLICATION_NAME}-eap-configuration' - mountPath: /opt/eap/standalone/configuration/standalone_xml_history/ - lifecycle: - preStop: - exec: - command: - - /opt/eap/bin/jboss-cli.sh - - '-c' - - ':shutdown(timeout=60)' - livenessProbe: - exec: - command: - - /bin/bash - - '-c' - - /opt/eap/bin/livenessProbe.sh - initialDelaySeconds: 60 - readinessProbe: - exec: - command: - - /bin/bash - - '-c' - - /opt/eap/bin/readinessProbe.sh - ports: - - name: jolokia - containerPort: 8778 - protocol: TCP - - name: http - containerPort: 8080 - protocol: TCP - - name: https - containerPort: 8443 - protocol: TCP - - name: ping - containerPort: 8888 - protocol: TCP - env: - - name: DB_SERVICE_PREFIX_MAPPING - value: '${APPLICATION_NAME}-postgresql=DB' - - name: DB_JNDI - value: '${DB_JNDI}' - - name: DB_USERNAME - value: '${DB_USERNAME}' - - name: DB_PASSWORD - value: '${DB_PASSWORD}' - - name: DB_DATABASE - value: '${DB_DATABASE}' - - name: TX_DATABASE_PREFIX_MAPPING - value: '${APPLICATION_NAME}-postgresql=DB' - - name: DB_MIN_POOL_SIZE - value: '${DB_MIN_POOL_SIZE}' - - name: DB_MAX_POOL_SIZE - value: '${DB_MAX_POOL_SIZE}' - - name: DB_TX_ISOLATION - value: '${DB_TX_ISOLATION}' - - name: OPENSHIFT_KUBE_PING_LABELS - value: 'application=${APPLICATION_NAME}' - - name: OPENSHIFT_KUBE_PING_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: HTTPS_KEYSTORE_DIR - value: /etc/eap-secret-volume - - name: HTTPS_KEYSTORE - value: 'keystore.jks' - - name: HTTPS_KEYSTORE_TYPE - value: 'JKS' - - name: HTTPS_NAME - value: 'tls' - - name: HTTPS_PASSWORD - value: '${SSO_KEYSTORE_PASSWORD}' - - name: JGROUPS_ENCRYPT_SECRET - value: '${SSO_KEYSTORE_PASSWORD}' - - name: JGROUPS_ENCRYPT_KEYSTORE_DIR - value: /etc/eap-secret-volume - - name: JGROUPS_ENCRYPT_KEYSTORE - value: jgroups.jceks - - name: JGROUPS_ENCRYPT_NAME - value: jgroups - - name: JGROUPS_ENCRYPT_KEYSTORE - value: '${SSO_KEYSTORE_PASSWORD}' - - name: JGROUPS_CLUSTER_PASSWORD - value: '${JGROUPS_CLUSTER_PASSWORD}' - - name: SSO_ADMIN_USERNAME - value: '${SSO_ADMIN_USERNAME}' - - name: SSO_ADMIN_PASSWORD - value: '${SSO_ADMIN_PASSWORD}' - - name: SSO_REALM - value: '${SSO_REALM}' - - name: SSO_SERVICE_USERNAME - value: '${SSO_SERVICE_USERNAME}' - - name: SSO_SERVICE_PASSWORD - value: '${SSO_SERVICE_PASSWORD}' - - name: SSO_TRUSTSTORE - value: 'keystore.jks' - - name: SSO_TRUSTSTORE_DIR - value: /etc/eap-secret-volume - - name: SSO_TRUSTSTORE_PASSWORD - value: '${SSO_KEYSTORE_PASSWORD}' - volumes: - - name: '${APPLICATION_NAME}-openshift-secret' - secret: - secretName: '${APPLICATION_NAME}-https-secret' - - name: '${APPLICATION_NAME}-eap-secrets' - emptyDir: {} - # Workaround for a bug on overlayfs2 - # See https://github.com/openshift/openshift-ansible/issues/2823 - - name: '${APPLICATION_NAME}-eap-configuration' - emptyDir: {} - -## -## Deploy PostgreSQL -## - - kind: DeploymentConfig - apiVersion: v1 - metadata: - name: '${APPLICATION_NAME}-postgresql' - labels: - application: '${APPLICATION_NAME}' - spec: - strategy: - type: Recreate - triggers: - - type: ImageChange - imageChangeParams: - automatic: true - containerNames: - - '${APPLICATION_NAME}-postgresql' - from: - kind: ImageStreamTag - namespace: '${IMAGE_STREAM_NAMESPACE}' - name: 'postgresql:${POSTGRESQL_IMAGE_STREAM_TAG}' - - type: ConfigChange - replicas: 1 - selector: - deploymentConfig: '${APPLICATION_NAME}-postgresql' - template: - metadata: - name: '${APPLICATION_NAME}-postgresql' - labels: - deploymentConfig: '${APPLICATION_NAME}-postgresql' - application: '${APPLICATION_NAME}' - spec: - terminationGracePeriodSeconds: 60 - containers: - - name: '${APPLICATION_NAME}-postgresql' - image: postgresql - imagePullPolicy: Always - ports: - - name: postgresql - containerPort: 5432 - protocol: TCP - volumeMounts: - - mountPath: /var/lib/pgsql/data - name: '${APPLICATION_NAME}-postgresql-pvol' - env: - - name: POSTGRESQL_USER - value: '${DB_USERNAME}' - - name: POSTGRESQL_PASSWORD - value: '${DB_PASSWORD}' - - name: POSTGRESQL_DATABASE - value: '${DB_DATABASE}' - - name: POSTGRESQL_MAX_CONNECTIONS - value: '${POSTGRESQL_MAX_CONNECTIONS}' - - name: POSTGRESQL_MAX_PREPARED_TRANSACTIONS - value: '${POSTGRESQL_MAX_CONNECTIONS}' - - name: POSTGRESQL_SHARED_BUFFERS - value: '${POSTGRESQL_SHARED_BUFFERS}' - volumes: - - name: '${APPLICATION_NAME}-postgresql-pvol' - persistentVolumeClaim: - claimName: '${APPLICATION_NAME}-database' diff --git a/roles/openshift-templates/tasks/main.yml b/roles/openshift-templates/tasks/main.yml deleted file mode 100644 index 32cc34f..0000000 --- a/roles/openshift-templates/tasks/main.yml +++ /dev/null @@ -1,105 +0,0 @@ ---- - -- name: Create a temporary directory - tempfile: - state: directory - register: tempfile - -- name: Copy the Custom SSO template - copy: - src: 'sso71-allinone.yaml' - dest: '{{ tempfile.path }}/sso71-allinone.yaml' - -- name: Clone the jboss-openshift/application-templates GIT repository - git: - repo: '{{ itix_application_templates_repo_url }}' - dest: '{{ tempfile.path }}/application-templates' - version: '{{ itix_application_templates_repo_tag|default(''master'') }}' - -- name: Get an archive of the OpenShift GIT repository - get_url: - url: 'https://github.com/openshift/origin/archive/{{ itix_openshift_origin_repo_tag|default(''master'') }}.tar.gz' - dest: '{{ tempfile.path }}/openshift-origin.tar.gz' - -- name: Get the Minio template - get_url: - url: 'https://raw.githubusercontent.com/nmasse-itix/OpenShift-Docker-Images/master/minio/minio.yaml' - dest: '{{ tempfile.path }}/minio.yaml' - -- name: Extract the OpenShift GIT archive - unarchive: - remote_src: yes - src: '{{ tempfile.path }}/openshift-origin.tar.gz' - dest: '{{ tempfile.path }}' - -- name: Symlink the OpenShift GIT repo - file: - src: '{{ tempfile.path }}/origin-{{ itix_openshift_origin_repo_tag|default(''master'') }}' - dest: '{{ tempfile.path }}/openshift-origin' - state: link - -- set_fact: - objects_to_import: - - '{{ tempfile.path }}/application-templates/jboss-image-streams.json' - - '{{ tempfile.path }}/application-templates/openjdk/openjdk18-web-basic-s2i.json' - - '{{ tempfile.path }}/openshift-origin/examples/jenkins/jenkins-persistent-template.json' - - '{{ tempfile.path }}/sso71-allinone.yaml' - - '{{ tempfile.path }}/minio.yaml' - -- name: Install new ImageStreams/Templates in the "openshift" namespace - command: oc create -n openshift -f "{{ item }}" - register: oc - failed_when: oc.rc > 0 and 'Error from server (AlreadyExists):' not in oc.stderr - changed_when: oc.rc == 0 - with_items: '{{ objects_to_import }}' - -- name: Update existing ImageStreams/Templates in the "openshift" namespace - command: oc replace -n openshift -f "{{ item }}" - register: oc - failed_when: oc.rc > 0 and 'Error from server (NotFound):' not in oc.stderr - changed_when: oc.rc == 0 - with_items: '{{ objects_to_import }}' - -- name: Get a list of currently installed templates - command: oc get templates -n openshift -o name - register: oc_get_templates - -- name: Delete ephemeral templates - command: oc delete {{ item }} -n openshift - when: item|regex_search('-ephemeral$') - with_items: '{{ oc_get_templates.stdout_lines }}' - -- name: Get a list of currently installed image streams - command: oc get is -n openshift -o name - register: oc_get_is - -- name: Delete unwanted image streams - command: oc delete {{ item }} -n openshift - when: item|regex_search('(datagrid|datavirt|decisionserver|eap64|processserver|tomcat7)') - with_items: '{{ oc_get_is.stdout_lines }}' - -- name: Get a list of the remaining image streams - command: oc get is -n openshift -o name - register: oc_get_is - -- name: Update each image stream - command: oc import-image {{ item }} --confirm --scheduled --all -n openshift - with_items: '{{ oc_get_is.stdout_lines }}' - -- name: Import additional Red Hat image streams (initial import) - command: oc import-image -n openshift {{ item.key }} --from {{ item.value }} --confirm --scheduled - with_dict: - rhel7-atomic: registry.access.redhat.com/rhel7-atomic:latest - rhel7: registry.access.redhat.com/rhel7:latest - when: '(''imagestreams/'' ~ item.key) not in oc_get_is.stdout_lines' - -- name: Import additional Red Hat image streams (additional tags) - command: oc tag -n openshift {{ item.value }} {{ item.key }} --scheduled - with_dict: - 'rhel7-atomic:7.4': registry.access.redhat.com/rhel7-atomic:7.4 - 'rhel7:7.4': registry.access.redhat.com/rhel7:7.4 - -- name: Delete the temporary directory - file: - path: '{{ tempfile.path }}' - state: absent diff --git a/roles/sso/defaults/main.yml b/roles/sso/defaults/main.yml deleted file mode 100644 index 587d92d..0000000 --- a/roles/sso/defaults/main.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -itix_sso_template: sso71-allinone -itix_sso_project: sso -itix_sso_realm: itix -itix_sso_application_name: sso -itix_sso_retries: 30 -itix_sso_delay: 5 diff --git a/roles/sso/tasks/main.yml b/roles/sso/tasks/main.yml deleted file mode 100644 index 4b4b9ab..0000000 --- a/roles/sso/tasks/main.yml +++ /dev/null @@ -1,64 +0,0 @@ ---- - -- name: Get a list of existing projects - command: oc get projects -o name - register: oc_get_projects - changed_when: false - -- name: Create a new project for SSO - command: oc new-project "{{ itix_sso_project }}" - when: '"projects/" ~ itix_sso_project not in oc_get_projects.stdout_lines' - -- name: Query existing deploymentconfigs - command: oc get dc -n "{{ itix_sso_project }}" -o name -l "application={{ itix_sso_application_name }}" - register: oc_get_dc - changed_when: false - -- name: Deploy app if needed - set_fact: - deploy_needed: "{{ 'deploymentconfigs/' ~ itix_sso_application_name not in oc_get_dc.stdout_lines }}" - -- name: Process the OpenShift Template and create the OpenShift objects - command: oc new-app -n {{ itix_sso_project }} {{ itix_sso_template }} -p "SSO_HOSTNAME={{ itix_sso_hostname }}" -p "APPLICATION_NAME={{ itix_sso_application_name }}" - when: deploy_needed - -- name: Wait for OpenShift to create all objects - pause: - seconds: '{{ itix_sso_delay }}' - when: deploy_needed - -- include: common/wait_for.yml - static: no - vars: - pod_to_wait: - - sso - - sso-postgresql - delay: "{{ itix_sso_delay }}" - retries: "{{ itix_sso_retries }}" - project: "{{ itix_sso_project }}" - tags: status - -- name: Get Admin Username - command: oc get dc {{ itix_sso_application_name }} -n "{{ itix_sso_project }}" -o 'jsonpath={.spec.template.spec.containers[0].env[?(@.name=="SSO_ADMIN_USERNAME")].value}' - register: username - changed_when: false - tags: status - -- name: Get Admin Password - command: oc get dc {{ itix_sso_application_name }} -n "{{ itix_sso_project }}" -o 'jsonpath={.spec.template.spec.containers[0].env[?(@.name=="SSO_ADMIN_PASSWORD")].value}' - register: password - changed_when: false - tags: status - -- name: Get Route URL - command: oc get route {{ itix_sso_application_name }} -n "{{ itix_sso_project }}" -o 'jsonpath={.spec.host}' - register: route - changed_when: false - tags: status - -- set_fact: - sso_route_name: '{{ route.stdout }}' - -- name: SSO is ready ! - debug: msg="Login on https://{{ sso_route_name }}/auth/admin with username = '{{ username.stdout }}' and password = '{{ password.stdout }}'" - tags: status