authorAdam Miller <admiller@redhat.com>2016-04-12 19:51:10 +0000
committerAdam Miller <admiller@redhat.com>2016-04-12 19:51:10 +0000
commitd6dd38990e9deba04940169ffcc6a0672ce6ee30 (patch)
treecb496e18cefe2049d879491a3641809bc4018093
parentb7d4fb6f47734c1e58d23d3e65ffdb5c7c5efcd1 (diff)
playbooks/groups/osbs-master.yml: deploy to handle stg and prod
Signed-off-by: Adam Miller <admiller@redhat.com>
-rw-r--r--inventory/group_vars/osbs-stg8
-rw-r--r--playbooks/groups/osbs-master.yml297
2 files changed, 303 insertions, 2 deletions
diff --git a/inventory/group_vars/osbs-stg b/inventory/group_vars/osbs-stg
index 1b6424de3..3f9844040 100644
--- a/inventory/group_vars/osbs-stg
+++ b/inventory/group_vars/osbs-stg
@@ -1,10 +1,14 @@
---
-# Define resources for this group of hosts here.
+# Define resources for this group of hosts here.
lvm_size: 60000
mem_size: 8192
num_cpus: 2
-tcp_ports: [ 80, 443 ]
+tcp_ports: [ 80, 443, 8443]
fas_client_groups: sysadmin-releng,fi-apprentice
sudoers: "{{ private }}/files/sudo/00releng-sudoers"
+
+osbs_api_cert: "osbs.stg.fedoraproject.org.crt"
+osbs_api_key: "osbs.stg.fedoraproject.org.key"
+
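Review bot: Port 8443 is added to `tcp_ports` with nothing saying what it exposes; a comment such as `# 8443: OpenShift master public REST API (see playbooks/groups/osbs-master.yml)` would let a reader of the inventory connect this new exposure to the named-certificate setup made in the same commit. The flow list also mixes spacing (`[ 80, 443, 8443]`); `tcp_ports: [80, 443, 8443]` keeps it consistent with the style tips for flow sequences. `osbs_api_cert`/`osbs_api_key` are introduced here for the stg group only, while the playbook in this commit references them for the `osbs:osbs-stg` hosts; if the production group does not define them elsewhere, the cert-copy tasks will fail with an undefined variable on prod hosts.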
diff --git a/playbooks/groups/osbs-master.yml b/playbooks/groups/osbs-master.yml
index 79b90f8e7..91fd3dfee 100644
--- a/playbooks/groups/osbs-master.yml
+++ b/playbooks/groups/osbs-master.yml
@@ -28,3 +28,300 @@
handlers:
- include: "{{ handlers }}/restart_services.yml"
+
+- name: pre-install osbs tasks
+ hosts: osbs:osbs-stg
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ tasks:
+ - name: place htpasswd file
+ copy:
+ src: "{{private}}/files/httpd/osbs.htpasswd"
+ dest: /etc/origin/htpasswd
+
+ - name: create cert dir for openshift public facing REST API SSL
+ file:
+ path: "/etc/origin/master/named_certificates"
+ state: "directory"
+
+ - name: install cert for openshift public facing REST API SSL
+ copy:
+ src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_cert}}"
+ dest: "/etc/origin/master/named_certificates/{{osbs_api_cert}}"
+
+ - name: install key for openshift public facing REST API SSL
+ copy:
+ src: "{{private}}/files/osbs/osbs-stg.certs/{{osbs_api_key}}"
+ dest: "/etc/origin/master/named_certificates/{{osbs_api_key}}"
+
+- name: setup osbs
+ hosts: osbs:osbs-stg
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+ roles:
+ - osbs-atomic-reactor
+ - osbs-common
+ - osbs-install-openshift
+ - {
+ role: osbs-master,
+ osbs_master_export_port: true,
+ osbs_manage_firewalld: true,
+ osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
+ osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
+ osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
+ osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
+ osbs_readonly_users: [],
+ osbs_readonly_groups: [],
+ osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
+ osbs_readwrite_groups: [],
+ osbs_admin_users: [],
+ osbs_admin_groups: [],
+ osbs_master_max_pods: 3,
+ osbs_update_packages: false,
+ osbs_image_gc_high_threshold: 90,
+ osbs_image_gc_low_threshold: 80,
+ osbs_identity_provider: "htpasswd_provider",
+ osbs_identity_htpasswd: {
+ name: htpasswd_provider,
+ challenge: true,
+ login: true,
+ provider_file: "/etc/origin/htpasswd"
+ },
+ osbs_named_certificates: {
+ enabled: true,
+ cert_file: "named_certificates/osbs.stg.fedoraproject.org.crt",
+ key_file: "named_certificates/osbs.stg.fedoraproject.org.key",
+ names: [ "osbs.stg.fedoraproject.org" ],
+ },
+ osbs_public_api_url: "osbs.stg.fedoraproject.org",
+ when: env == "staging"
+ }
+ - {
+ role: osbs-master,
+ osbs_master_export_port: true,
+ osbs_manage_firewalld: true,
+ osbs_proxy_cert_file: '/etc/origin/proxy_selfsigned.crt',
+ osbs_proxy_key_file: '/etc/origin/proxy_selfsigned.key',
+ osbs_proxy_certkey_file: '/etc/origin/proxy_certkey.crt',
+ osbs_proxy_ca_file: '/etc/origin/proxy_selfsigned.crt',
+ osbs_readonly_users: [],
+ osbs_readonly_groups: [],
+ osbs_readwrite_users: [ "{{ osbs_koji_stg_username }}" ],
+ osbs_readwrite_groups: [],
+ osbs_admin_users: [],
+ osbs_admin_groups: [],
+ osbs_master_max_pods: 3,
+ osbs_update_packages: false,
+ osbs_image_gc_high_threshold: 90,
+ osbs_image_gc_low_threshold: 80,
+ osbs_identity_provider: "htpasswd_provider",
+ osbs_identity_htpasswd: {
+ name: htpasswd_provider,
+ challenge: true,
+ login: true,
+ provider_file: "/etc/origin/htpasswd"
+ },
+ osbs_named_certificates: {
+ enabled: true,
+ cert_file: "named_certificates/osbs.fedoraproject.org.crt",
+ key_file: "named_certificates/osbs.fedoraproject.org.key",
+ names: [ "osbs.stg.fedoraproject.org" ],
+ },
+ osbs_public_api_url: "osbs.fedoraproject.org",
+ when: env == "production"
+ }
+
+ - {
+ role: osbs-client,
+ general: {
+ verbose: 0,
+ build_json_dir: '/usr/share/osbs/',
+ openshift_required_version: 1.1.0,
+ },
+ default: {
+ username: "{{ osbs_koji_stg_username }}",
+ password: "{{ osbs_koji_stg_password }}",
+ koji_certs_secret: "koji",
+ openshift_url: 'https://osbs.stg.fedoraproject.org:8443/',
+ registry_uri: 'https://registry.stg.fedoraproject.org/v2',
+ source_registry_uri: 'https://osbs.stg.fedoraproject.org/v2',
+ build_host: 'osbs.stg.fedoraproject.org',
+ koji_root: 'http://koji.fedoraproject.org/koji',
+ koji_hub: 'http://koji.fedoraproject.org/kojihub',
+ sources_command: 'fedpkg sources',
+ build_type: 'prod',
+ authoritative_registry: 'registry.example.com',
+ vendor: 'Fedora Project',
+ verify_ssl: false,
+ use_auth: true,
+ builder_use_auth: true,
+ distribution_scope: 'private',
+ registry_api_versions: 'v2',
+ builder_openshift_url: 'https://172.17.0.1:8443/'
+ },
+ when: env == "staging"
+ }
+ - {
+ role: osbs-client,
+ general: {
+ verbose: 0,
+ build_json_dir: '/usr/share/osbs/',
+ openshift_required_version: 1.1.0,
+ },
+ default: {
+ username: "{{ osbs_koji_username }}",
+ password: "{{ osbs_koji_password }}",
+ koji_certs_secret: "koji",
+ openshift_url: 'https://osbs.fedoraproject.org:8443/',
+ registry_uri: 'https://osbs.fedoraproject.org/v2',
+ source_registry_uri: 'https://osbs.fedoraproject.org/v2',
+ build_host: 'osbs.fedoraproject.org',
+ koji_root: 'http://koji.fedoraproject.org/koji',
+ koji_hub: 'http://koji.fedoraproject.org/kojihub',
+ sources_command: 'fedpkg sources',
+ build_type: 'prod',
+ authoritative_registry: 'registry.example.com',
+ vendor: 'Fedora Project',
+ verify_ssl: false,
+ use_auth: true,
+ builder_use_auth: true,
+ distribution_scope: 'private',
+ registry_api_versions: 'v2',
+ builder_openshift_url: 'https://172.17.0.1:8443/'
+ },
+ when: env == "production"
+ }
+
+- name: post-install osbs tasks
+ hosts: osbs:osbs-stg
+ vars_files:
+ - /srv/web/infra/ansible/vars/global.yml
+ - /srv/private/ansible/vars.yml
+ - /srv/private/ansible/files/openstack/passwords.yml
+ - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+ vars:
+ osbs_kubeconfig_path: /etc/origin/master/admin.kubeconfig
+ osbs_environment:
+ KUBECONFIG: "{{ osbs_kubeconfig_path }}"
+ koji_pki_dir: /etc/pki/koji
+ koji_ca_cert_path: "{{koji_pki_dir}}/fedora-server-ca.cert"
+ koji_cert_path: "{{koji_pki_dir}}/fedora-builder.pem"
+ koji_builder_user: dockerbuilder
+ osbs_builder_user: builder
+
+
+ handlers:
+ - name: buildroot container
+ shell: atomic-reactor create-build-image --reactor-tarball-path /usr/share/atomic-reactor/atomic-reactor.tar.gz /etc/osbs/buildroot/ buildroot
+
+ - name: oc secrets new
+ shell: "oc secrets new koji cert={{ koji_cert_path }} ca={{ koji_ca_cert_path }} serverca={{ koji_ca_cert_path }}"
+ environment: "{{ osbs_environment }}"
+ notify: oc secrets add
+
+ - name: oc secrets add
+ shell: "oc secrets add serviceaccount/{{ osbs_builder_user }} secrets/koji --for=mount"
+ environment: "{{ osbs_environment }}"
+
+
+ tasks:
+ - name: Ensure koji dockerbuilder cert path exists
+ file:
+ path: "{{ koji_pki_dir }}"
+ state: "directory"
+ mode: 0400
+
+ - name: Add koji dockerbuilder cert for Content Generator import
+ copy:
+ src: "{{private}}/files/koji/containerbuild.pem"
+ dest: "{{ koji_cert_path }}"
+ notify: oc secrets new
+
+ - name: Add koji dockerbuilder ca cert for Content Generator import
+ copy:
+ src: "{{private}}/files/koji/buildercerts/fedora-ca.cert"
+ dest: "{{ koji_ca_cert_path }}"
+ notify: oc secrets new
+
+ - name: install docker
+ action: "{{ ansible_pkg_mgr }} name=docker state=installed"
+
+ - name: ensure docker daemon cert dir exists
+ file: "{{docker_cert_dir}}"
+ path:
+ state: directory
+
+ - name: install docker client cert for registry
+ copy:
+ src: "{{private}}/files/koji/containerbuild.cert.pem"
+ dest: "{{docker_cert_dir}}/client.cert"
+
+ - name: install docker client key for registry
+ copy:
+ src: "{{private}}/files/koji/containerbuild.key.pem"
+ dest: "{{docker_cert_dir}}/client.key"
+
+ - name: start and enable docker
+ service: name=docker state=started enabled=yes
+
+ - name: create fedora image stream for OpenShift
+ shell: "echo '{ \"apiVersion\": \"v1\", \"kind\": \"ImageStream\", \"metadata\": { \"name\": \"fedora\" }, \"spec\": { \"dockerImageRepository\": \"{{docker_registry}}/fedora\" } }' | oc create -f -"
+ environment: "{{ osbs_environment }}"
+ args:
+ creates: /etc/osbs_fedora_imagestream_created
+
+ - name: set policy for koji builder in openshift for osbs
+ shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_stg_username }}"
+ when: env == "staging"
+
+ - name: set policy for koji builder in openshift for osbs
+ shell: "oadm policy add-role-to-user -n default edit htpasswd_provider: {{ osbs_koji_username }}"
+ when: env == "production"
+
+ - name: set policy for koji builder in openshift for atomic-reactor
+ shell: "oadm policy add-role-to-user -n default edit system:serviceaccount:default:builder"
+
+ - name: make sure latest fedora image is pulled and pushed to osbs registry
+ shell: "docker pull fedora && docker tag -f fedora:latest {{docker_registry}}/fedora:latest && docker push {{docker_registry}}/fedora:latest"
+ tags:
+ - containerupdate
+
+ - name: Create buildroot container conf directory
+ file:
+ path: "/etc/osbs/buildroot/"
+ state: directory
+
+ - name: Upload Dockerfile for buildroot container
+ copy:
+ src: "{{ files }}/osbs-buildroot-Dockerfile"
+ dest: "/etc/osbs/buildroot/Dockerfile"
+ mode: 0400
+ notify:
+ - buildroot container
+
+ - name: Upload internal CA for buildroot
+ copy:
+ src: "{{private}}/{{osbs_internal_ca}}"
+ dest: "/etc/osbs/buildroot/ca.crt"
+ mode: 0400
+ notify:
+ - buildroot container
+
+ - name: clean up exited containers
+ shell: for i in $(docker ps -a | awk '/Exited/ { print $1 }') ; do docker rm $i; done
+ tags:
+ - cleanup
+
+ - name: clean up dangling images
+ shell: for i in $(docker images -q -f "dangling=true") ; do docker rmi $i; done
+ tags:
+ - cleanup
+
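Review bot: The production `osbs_named_certificates` block still carries the staging hostname in `names: [ "osbs.stg.fedoraproject.org" ]` while its cert_file/key_file are the osbs.fedoraproject.org pair, so the certificate is bound to the wrong name; it should read `names: [ "osbs.fedoraproject.org" ]`. The same copy-paste pattern leaves the production master's `osbs_readwrite_users` on `osbs_koji_stg_username` whereas the production osbs-client entry uses `osbs_koji_username`, and the cert/key copy tasks in "pre-install osbs tasks" take their source from `osbs-stg.certs/` for both groups. The `ensure docker daemon cert dir exists` task passes the directory as the module's free-form argument and leaves `path:` null, so the module never receives a valid path; it should be `file:` / `path: "{{docker_cert_dir}}"` / `state: directory`. Both osbs-client entries set `verify_ssl: false` against the very hostnames these named certificates are being installed for, which means the client would accept any certificate on the API endpoint; with the chain in place this should be `verify_ssl: true`. The `oadm policy` shell tasks run without `environment: "{{ osbs_environment }}"`, unlike the neighbouring `oc create` task, and the `creates: /etc/osbs_fedora_imagestream_created` guard names a file nothing in the play creates, so that task re-runs on every play (and `oc create` will likely fail once the ImageStream exists).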