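---
# Tasks for an osbs host: install and configure docker, configure the
# OpenShift master/node, generate a self-signed cert for the authenticating
# proxy, then load the osbs roles, role bindings and resource quotas into
# OpenShift. Module arguments are written as block YAML (not key=value
# strings), booleans as true/false, and Jinja expressions are quoted.

### docker service ###
- name: install packages required by osbs
  # ansible_pkg_mgr picks the host's package manager module at runtime;
  # osbs_update_packages selects "latest" (upgrade) or "present" (install only).
  action: "{{ ansible_pkg_mgr }} name=docker state={{ osbs_update_packages | ternary('latest', 'present') }}"

- name: install openssl for auth proxy cert generation
  action: "{{ ansible_pkg_mgr }} name=openssl state=latest"

- name: configure docker
  template:
    src: sysconfig-docker.j2
    dest: /etc/sysconfig/docker
    backup: true
  notify: restart docker

- name: ensure docker is running
  service:
    name: docker
    state: started
    enabled: true

### openshift service ###
- name: open/close openshift port in the firewall
  # The port is opened only when the master is meant to be exposed; the rule
  # is both persisted and applied immediately.
  firewalld:
    port: "{{ osbs_openshift_port }}/tcp"
    state: "{{ osbs_master_expose_port | ternary('enabled', 'disabled') }}"
    permanent: true
    immediate: true
  when: osbs_manage_firewalld

- name: apply modifications to /etc/sysconfig/origin
  copy:
    src: "sysconfig-origin-{{ item }}"
    dest: "/etc/sysconfig/origin-{{ item }}"
  with_items:
    - master
    - node

- name: configure openshift master
  template:
    src: master-config.yaml.j2
    dest: /etc/origin/master/master-config.yaml
  notify: restart openshift-master

- name: configure openshift node
  template:
    src: node-config.yaml.j2
    dest: /etc/origin/node/node-config.yaml
  notify: restart openshift-node

# Self-signed cert for the authenticating proxy (CN is the host FQDN, valid
# for 3650 days). `creates` makes this idempotent: an existing cert is kept.
- name: generate cert for authenticating proxy - self-signed certificate
  command: >-
    openssl req -new -nodes -x509
    -subj "/C=CZ/ST=SelfSigned/L=SelfSigned/O=IT/CN={{ ansible_fqdn }}"
    -days 3650
    -keyout {{ osbs_proxy_key_file }}
    -out {{ osbs_proxy_cert_file }}
    -extensions v3_ca
  args:
    creates: "{{ osbs_proxy_cert_file }}"
  register: auth_proxy_cert

# Only convert the key in the run that actually generated it.
- name: generate cert for authenticating proxy - convert privkey to rsa
  command: openssl rsa -in {{ osbs_proxy_key_file }} -out {{ osbs_proxy_key_file }}
  when: auth_proxy_cert.changed

- name: generate cert for authenticating proxy - concatenate cert and key
  # NOTE(review): the shell redirect creates this file with the shell's default
  # umask, and the file contains the private key; restrict its mode (e.g. a
  # follow-up file task) once the proxy's runtime user is confirmed.
  shell: cat {{ osbs_proxy_cert_file }} {{ osbs_proxy_key_file }} > {{ osbs_proxy_certkey_file }}
  args:
    creates: "{{ osbs_proxy_certkey_file }}"

# We need to have openshift restarted in order to configure authentication.
- meta: flush_handlers

- name: ensure openshift is running
  service:
    name: "origin-{{ item }}"
    state: started
    enabled: true
  with_items:
    - master
    - node

- name: wait for openshift to start accepting connections
  wait_for:
    port: "{{ osbs_openshift_port }}"
    timeout: 30

- name: copy osbs-builder role definition
  copy:
    src: openshift-role-osbs-builder.yml
    dest: "{{ osbs_openshift_home }}/role-osbs-builder.yml"

# `oc replace --force` deletes and recreates the object, so re-runs converge
# on the file's content rather than failing on an existing object.
- name: import the osbs-builder role
  command: oc replace --force=true --filename={{ osbs_openshift_home }}/role-osbs-builder.yml
  environment: "{{ osbs_environment }}"

# One rolebinding file per access level. osbs-admin maps to cluster-admin,
# which is cluster-wide rather than project-scoped; keep that list short.
- name: copy role bindings
  template:
    src: openshift-rolebinding.yml.j2
    dest: "{{ osbs_openshift_home }}/rolebinding-{{ item.name }}.yml"
  with_items:
    - name: osbs-readonly
      role: view
      users: "{{ osbs_readonly_users }}"
      groups: "{{ osbs_readonly_groups }}"
    - name: osbs-readwrite
      role: osbs-builder
      users: "{{ osbs_readwrite_users }}"
      groups: "{{ osbs_readwrite_groups }}"
    - name: osbs-admin
      role: cluster-admin
      users: "{{ osbs_admin_users }}"
      groups: "{{ osbs_admin_groups }}"

- name: import the role bindings
  command: oc replace --force=true --filename={{ osbs_openshift_home }}/rolebinding-{{ item }}.yml
  environment: "{{ osbs_environment }}"
  with_items:
    - osbs-readonly
    - osbs-readwrite
    - osbs-admin

- name: copy resource quotas
  template:
    src: openshift-resourcequota.yml.j2
    dest: "{{ osbs_openshift_home }}/resourcequota.yml"

- name: import resource quotas
  command: oc replace --force=true --filename={{ osbs_openshift_home }}/resourcequota.yml
  environment: "{{ osbs_environment }}"

# Useful when using "oc" to inspect openshift state.
- name: add KUBECONFIG to .bashrc
  lineinfile:
    dest: "{{ ansible_env.HOME }}/.bashrc"
    # Anchored so a commented-out "#export KUBECONFIG=..." line is not the
    # one that gets replaced.
    regexp: "^export KUBECONFIG="
    line: "export KUBECONFIG={{ osbs_environment.KUBECONFIG }}"

- include: export.yml
  when: osbs_export_dir is defined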