OpenShift Origin Implementation at ITIX (mostly Ansible Playbooks)
Nicolas Massé 6a0e880bf9 add doc 7 years ago

README.md

OpenShift-Lab

This project is my Ansible Playbook to install OpenShift on my Hetzner server.

Operating System install

Go to access.redhat.com and download the boot ISO image of the latest RHEL 7.

Upload this ISO image to any large file transfer service, such as send.firefox.com or dl.free.fr.

Go to your Hetzner console, select your server and book a KVM (Support > Remote Console (KVM) > I would like to make an appointment). Choose a date, time and duration. For the duration, two hours should be enough.

In the message box, type something like:

Dear Hetzner Support team,

I would like to install RHEL 7 on my server. Could you please burn the following ISO image on a CD or prepare a USB key accordingly for me?

<Put the link to the ISO image here>

Many thanks for your help.

Best regards.

Click Send Request

At the appointed time, you should receive a mail containing the login details to connect to your KVM.

Open the KVM console. This is a Java applet, so make sure there is no security restriction preventing its execution.

Reboot your server using the Ctrl+Alt+Delete button.

When the BIOS shows up, press to enter the boot menu and boot from the CD or USB key, according to the Hetzner instructions.

Hetzner install

Getting public certificates with Let's Encrypt

On the Ansible control node, install lego:

brew install lego

Get a certificate for the wildcard domain as well as the master hostname:

GANDIV5_API_KEY=[REDACTED] lego -d openshift.itix.fr -d app.itix.fr -d '*.app.itix.fr' -a -m your.email@example.test --path $HOME/.lego --dns gandiv5 run

See this guide for more details.

Preparation

Register the server on RHN:

sudo subscription-manager register --name=openshift.itix.fr
sudo subscription-manager refresh
sudo subscription-manager list --available --matches '*Employee SKU*'
sudo subscription-manager attach --pool=8a85f9833e1404a9013e3cddf95a0599

Edit /etc/sysconfig/network-scripts/ifcfg-eno1 and add:

NM_CONTROLLED="yes"
PEERDNS="yes"
DOMAIN="itix.fr"

OpenShift Install

Create a file named group_vars/OSEv3, containing your secrets:

cat <<EOF > group_vars/OSEv3
---
# Generated on https://access.redhat.com/terms-based-registry/
oreg_auth_password: your.password.here
oreg_auth_user: '123|user-name'

openshift_additional_registry_credentials:
- host: registry.connect.redhat.com
  user: rhn-username
  password: rhn-password
  test_image: sonatype/nexus-repository-manager:latest

# see: https://github.com/nmasse-itix/OpenShift-Examples/tree/master/Login-to-OpenShift-with-your-Google-Account
openshift_master_identity_providers:
- name: RedHat
  login: true
  challenge: false
  kind: GoogleIdentityProvider
  clientID: your.client_id.apps.googleusercontent.com
  clientSecret: your.client_secret.here
  hostedDomain: redhat.com
EOF

Create a file named group_vars/all, containing your global variables:

cat <<EOF > group_vars/all
---
# The regular user account you created on your server
ansible_ssh_user: nicolas
EOF
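Both files above are written in the clear, and group_vars/OSEv3 holds registry credentials and the Google client secret. The following pre-commit check refuses to commit a group_vars file that still contains those keys in plaintext unless it has been encrypted with ansible-vault. It is an added example, not part of the OpenShift-Lab repository; the hook entry point and the list of secret keys are assumptions derived from the README's own file.

```shell
#!/bin/sh
# Added example (not from the OpenShift-Lab repo): block commits of plaintext
# secrets in group_vars/. A file is accepted when it is vault-encrypted or when
# it carries none of the secret keys listed below.

# Keys taken from the README's group_vars/OSEv3 that must never be committed in clear.
SECRET_KEYS='oreg_auth_password|clientSecret|password:'

# check_secret_file FILE
# Returns 0 when FILE is safe to commit (missing, vault-encrypted, or free of
# secret keys) and 1 when one of the secret keys appears in plaintext.
check_secret_file() {
    file="$1"
    [ -f "$file" ] || return 0
    # ansible-vault writes this marker on the first line of an encrypted file.
    if head -n 1 "$file" | grep -q '^\$ANSIBLE_VAULT;'; then
        return 0
    fi
    # Match the key at the start of a YAML line, allowing indentation and a list dash.
    if grep -Eq "^[[:space:]-]*($SECRET_KEYS)" "$file"; then
        echo "refusing: plaintext secret in $file (run: ansible-vault encrypt $file)" >&2
        return 1
    fi
    return 0
}

# Pre-commit entry point (assumed hook name): check every staged file under group_vars/.
check_staged() {
    rc=0
    for f in $(git diff --cached --name-only --diff-filter=AM -- 'group_vars/*'); do
        check_secret_file "$f" || rc=1
    done
    return $rc
}
```

Install it as .git/hooks/pre-commit with a final line calling check_staged, and keep the vault password outside the repository.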

Run the OpenShift install:

ansible-playbook -i prod.hosts playbooks/preparation.yml
ansible-playbook -i prod.hosts openshift-ansible/playbooks/deploy_cluster.yml
ansible-playbook -i prod.hosts playbooks/post-install.yml

Deploy the Software Factory

Red Hat SSO

oc new-project sso --display-name="Single Sign-On"
for resource in sso73-image-stream.json \
  sso73-x509-https.json \
  sso73-x509-postgresql-persistent.json
do
  oc replace -n openshift --force -f \
  https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/${resource}
done
oc -n openshift import-image redhat-sso73-openshift:1.0
oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default

oc new-app --template=sso73-x509-postgresql-persistent --name=sso -p SSO_HOSTNAME=sso.app.itix.fr -p DB_USERNAME=sso -p SSO_ADMIN_USERNAME=admin -p DB_DATABASE=sso
oc delete route sso
oc create -f - <<EOF
  apiVersion: v1
  id: sso-https
  kind: Route
  metadata:
    annotations:
      description: Route for application's https service.
    labels:
      application: sso
    name: sso
  spec:
    host: sso.app.itix.fr
    tls:
      termination: reencrypt
    to:
      name: sso
EOF

Jenkins

oc new-project factory --display-name="Software Factory"
oc new-app --template=jenkins-persistent --name=jenkins -p MEMORY_LIMIT=2Gi
oc set env dc/jenkins JENKINS_OPTS=--sessionTimeout=86400

oc delete route jenkins
oc create -f - <<EOF
  apiVersion: v1
  kind: Route
  metadata:
    annotations:
      haproxy.router.openshift.io/timeout: 4m
      template.openshift.io/expose-uri: http://{.spec.host}{.spec.path}
    name: jenkins
  spec:
    host: jenkins.app.itix.fr
    tls:
      insecureEdgeTerminationPolicy: Redirect
      termination: edge
    to:
      kind: Service
      name: jenkins
EOF

oc process -f https://raw.githubusercontent.com/microcks/microcks-jenkins-plugin/master/openshift-jenkins-master-bc.yml | oc create -f -
oc set triggers dc/jenkins --remove --from-image=openshift/jenkins:2
oc set triggers dc/jenkins --from-image=microcks-jenkins-master:latest -c jenkins

Microcks

oc project factory
git clone https://github.com/microcks/microcks-ansible-operator.git
cd microcks-ansible-operator/
oc create -f deploy/crds/microcks_v1alpha1_microcksinstall_crd.yaml
oc create -f deploy/service_account.yaml
oc create -f deploy/role.yaml
oc create -f deploy/role_binding.yaml
oc create -f deploy/operator.yaml

oc apply -n factory -f - <<EOF
apiVersion: microcks.github.io/v1alpha1
kind: MicrocksInstall
metadata:
  name: microcks
spec:
  name: microcks
  version: "0.7.1"
  microcks:
    replicas: 1
    url: microcks.app.itix.fr
  postman:
    replicas: 1
  keycloak:
    install: false
    url: sso.app.itix.fr
    replicas: 1
  mongodb:
    install: true
    persistent: true
    volumeSize: 2Gi
    replicas: 1
EOF

oc create -f - <<EOF
kind: OAuthClient
apiVersion: v1
metadata:
  name: microcks
respondWithChallenges: false
secret: $(uuidgen)
redirectURIs:
- https://sso.app.itix.fr/auth/realms/microcks/broker/openshift-v3/endpoint
EOF
oc get oauthclient microcks -o yaml

Nexus

oc project factory
oc create secret docker-registry partner-registry --docker-username=your.rhn.login --docker-password=your.rhn.password --docker-email=your.email@example.test --docker-server=registry.connect.redhat.com
oc secrets link default partner-registry --for=pull
oc import-image nexus-repository-manager:latest --confirm --scheduled --from=registry.connect.redhat.com/sonatype/nexus-repository-manager:latest

oc new-app nexus-repository-manager --name=nexus
oc patch dc/nexus -p '{"spec":{"strategy":{"type":"Recreate"}}}'
oc expose svc/nexus --hostname=nexus.app.itix.fr
oc patch route/nexus -p '{"spec":{"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"edge"}}}'

oc set probe dc/nexus --liveness --failure-threshold 3 --initial-delay-seconds 30 --open-tcp=8081
oc set probe dc/nexus --readiness --failure-threshold 3 --initial-delay-seconds 30 --get-url=http://:8081/service/rest/repository/browse/maven-public/

oc set volumes dc/nexus --add --name 'nexus-volume-1' --type 'pvc' --mount-path '/nexus-data/' --claim-name 'nexus' --claim-size '1Gi' --overwrite

curl -o /tmp/nexus-functions -s https://raw.githubusercontent.com/OpenShiftDemos/nexus/master/scripts/nexus-functions
source /tmp/nexus-functions
add_nexus3_redhat_repos admin admin123 https://nexus.app.itix.fr