├── .gitignore
├── LICENSE
├── README.md
├── playbooks
│   ├── debug.yaml
│   ├── epel-enable-playbook.yaml
│   ├── infrastructure-services-setup.yaml
│   ├── ocp4-playbook-boot_delay-vms.yaml
│   ├── ocp4-playbook-cluster-create.yaml
│   ├── ocp4-playbook-disk-add.yaml
│   ├── ocp4-playbook-erase-vms.yaml
│   ├── ocp4-playbook-poweron-vms.yaml
│   ├── ocp4-playbook-test-dns.yaml
│   ├── ocp4-playbook-test-uri.yaml
│   └── ocp4-playbook-vmware-prereq.yaml
├── tasks
│   ├── infrastructure-services-dhcp.yaml
│   ├── infrastructure-services-handlers.yaml
│   ├── infrastructure-services-haproxy.yaml
│   ├── infrastructure-services-named.yaml
│   ├── ocp4-client-setup.yaml
│   ├── ocp4-httpd-ignition-provide.yaml
│   ├── ocp4-ignition-config.yaml
│   ├── ocp4-nodes-boot_delay.yaml
│   ├── ocp4-nodes-create.yaml
│   ├── ocp4-nodes-disks-add.yaml
│   ├── ocp4-nodes-erase.yaml
│   ├── ocp4-nodes-poweron.yaml
│   ├── ocp4-test-dns-VIPS.yaml
│   ├── ocp4-test-dns-masters-etcd.yaml
│   ├── ocp4-test-dns-nodes.yaml
│   └── yum_set_proxy.yaml
├── templates
│   ├── dhcpd.conf.j2
│   ├── haproxy.cfg.j2
│   ├── install-config.yaml.j2
│   ├── named-direct-resolution.conf.j2
│   ├── named-reverse-resolution.conf.j2
│   ├── named.conf.j2
│   └── ocp4-vars-dynamic.yaml.j2
└── vars
    ├── ocp4-vars-proxy-whitelist.yaml
    └── ocp4-vars-vmware-upi-installer.yaml
/.gitignore:
--------------------------------------------------------------------------------
1 | vars/ocp4-vars-dynamic.yaml
2 | .vagrant/
3 | *.retry
4 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | GNU AFFERO GENERAL PUBLIC LICENSE
2 | Version 3, 19 November 2007
3 |
4 | Copyright (C) 2007 Free Software Foundation, Inc.
5 | Everyone is permitted to copy and distribute verbatim copies
6 | of this license document, but changing it is not allowed.
7 |
8 | Preamble
9 |
10 | The GNU Affero General Public License is a free, copyleft license for
11 | software and other kinds of works, specifically designed to ensure
12 | cooperation with the community in the case of network server software.
13 |
14 | The licenses for most software and other practical works are designed
15 | to take away your freedom to share and change the works. By contrast,
16 | our General Public Licenses are intended to guarantee your freedom to
17 | share and change all versions of a program--to make sure it remains free
18 | software for all its users.
19 |
20 | When we speak of free software, we are referring to freedom, not
21 | price. Our General Public Licenses are designed to make sure that you
22 | have the freedom to distribute copies of free software (and charge for
23 | them if you wish), that you receive source code or can get it if you
24 | want it, that you can change the software or use pieces of it in new
25 | free programs, and that you know you can do these things.
26 |
27 | Developers that use our General Public Licenses protect your rights
28 | with two steps: (1) assert copyright on the software, and (2) offer
29 | you this License which gives you legal permission to copy, distribute
30 | and/or modify the software.
31 |
32 | A secondary benefit of defending all users' freedom is that
33 | improvements made in alternate versions of the program, if they
34 | receive widespread use, become available for other developers to
35 | incorporate. Many developers of free software are heartened and
36 | encouraged by the resulting cooperation. However, in the case of
37 | software used on network servers, this result may fail to come about.
38 | The GNU General Public License permits making a modified version and
39 | letting the public access it on a server without ever releasing its
40 | source code to the public.
41 |
42 | The GNU Affero General Public License is designed specifically to
43 | ensure that, in such cases, the modified source code becomes available
44 | to the community. It requires the operator of a network server to
45 | provide the source code of the modified version running there to the
46 | users of that server. Therefore, public use of a modified version, on
47 | a publicly accessible server, gives the public access to the source
48 | code of the modified version.
49 |
50 | An older license, called the Affero General Public License and
51 | published by Affero, was designed to accomplish similar goals. This is
52 | a different license, not a version of the Affero GPL, but Affero has
53 | released a new version of the Affero GPL which permits relicensing under
54 | this license.
55 |
56 | The precise terms and conditions for copying, distribution and
57 | modification follow.
58 |
59 | TERMS AND CONDITIONS
60 |
61 | 0. Definitions.
62 |
63 | "This License" refers to version 3 of the GNU Affero General Public License.
64 |
65 | "Copyright" also means copyright-like laws that apply to other kinds of
66 | works, such as semiconductor masks.
67 |
68 | "The Program" refers to any copyrightable work licensed under this
69 | License. Each licensee is addressed as "you". "Licensees" and
70 | "recipients" may be individuals or organizations.
71 |
72 | To "modify" a work means to copy from or adapt all or part of the work
73 | in a fashion requiring copyright permission, other than the making of an
74 | exact copy. The resulting work is called a "modified version" of the
75 | earlier work or a work "based on" the earlier work.
76 |
77 | A "covered work" means either the unmodified Program or a work based
78 | on the Program.
79 |
80 | To "propagate" a work means to do anything with it that, without
81 | permission, would make you directly or secondarily liable for
82 | infringement under applicable copyright law, except executing it on a
83 | computer or modifying a private copy. Propagation includes copying,
84 | distribution (with or without modification), making available to the
85 | public, and in some countries other activities as well.
86 |
87 | To "convey" a work means any kind of propagation that enables other
88 | parties to make or receive copies. Mere interaction with a user through
89 | a computer network, with no transfer of a copy, is not conveying.
90 |
91 | An interactive user interface displays "Appropriate Legal Notices"
92 | to the extent that it includes a convenient and prominently visible
93 | feature that (1) displays an appropriate copyright notice, and (2)
94 | tells the user that there is no warranty for the work (except to the
95 | extent that warranties are provided), that licensees may convey the
96 | work under this License, and how to view a copy of this License. If
97 | the interface presents a list of user commands or options, such as a
98 | menu, a prominent item in the list meets this criterion.
99 |
100 | 1. Source Code.
101 |
102 | The "source code" for a work means the preferred form of the work
103 | for making modifications to it. "Object code" means any non-source
104 | form of a work.
105 |
106 | A "Standard Interface" means an interface that either is an official
107 | standard defined by a recognized standards body, or, in the case of
108 | interfaces specified for a particular programming language, one that
109 | is widely used among developers working in that language.
110 |
111 | The "System Libraries" of an executable work include anything, other
112 | than the work as a whole, that (a) is included in the normal form of
113 | packaging a Major Component, but which is not part of that Major
114 | Component, and (b) serves only to enable use of the work with that
115 | Major Component, or to implement a Standard Interface for which an
116 | implementation is available to the public in source code form. A
117 | "Major Component", in this context, means a major essential component
118 | (kernel, window system, and so on) of the specific operating system
119 | (if any) on which the executable work runs, or a compiler used to
120 | produce the work, or an object code interpreter used to run it.
121 |
122 | The "Corresponding Source" for a work in object code form means all
123 | the source code needed to generate, install, and (for an executable
124 | work) run the object code and to modify the work, including scripts to
125 | control those activities. However, it does not include the work's
126 | System Libraries, or general-purpose tools or generally available free
127 | programs which are used unmodified in performing those activities but
128 | which are not part of the work. For example, Corresponding Source
129 | includes interface definition files associated with source files for
130 | the work, and the source code for shared libraries and dynamically
131 | linked subprograms that the work is specifically designed to require,
132 | such as by intimate data communication or control flow between those
133 | subprograms and other parts of the work.
134 |
135 | The Corresponding Source need not include anything that users
136 | can regenerate automatically from other parts of the Corresponding
137 | Source.
138 |
139 | The Corresponding Source for a work in source code form is that
140 | same work.
141 |
142 | 2. Basic Permissions.
143 |
144 | All rights granted under this License are granted for the term of
145 | copyright on the Program, and are irrevocable provided the stated
146 | conditions are met. This License explicitly affirms your unlimited
147 | permission to run the unmodified Program. The output from running a
148 | covered work is covered by this License only if the output, given its
149 | content, constitutes a covered work. This License acknowledges your
150 | rights of fair use or other equivalent, as provided by copyright law.
151 |
152 | You may make, run and propagate covered works that you do not
153 | convey, without conditions so long as your license otherwise remains
154 | in force. You may convey covered works to others for the sole purpose
155 | of having them make modifications exclusively for you, or provide you
156 | with facilities for running those works, provided that you comply with
157 | the terms of this License in conveying all material for which you do
158 | not control copyright. Those thus making or running the covered works
159 | for you must do so exclusively on your behalf, under your direction
160 | and control, on terms that prohibit them from making any copies of
161 | your copyrighted material outside their relationship with you.
162 |
163 | Conveying under any other circumstances is permitted solely under
164 | the conditions stated below. Sublicensing is not allowed; section 10
165 | makes it unnecessary.
166 |
167 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
168 |
169 | No covered work shall be deemed part of an effective technological
170 | measure under any applicable law fulfilling obligations under article
171 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or
172 | similar laws prohibiting or restricting circumvention of such
173 | measures.
174 |
175 | When you convey a covered work, you waive any legal power to forbid
176 | circumvention of technological measures to the extent such circumvention
177 | is effected by exercising rights under this License with respect to
178 | the covered work, and you disclaim any intention to limit operation or
179 | modification of the work as a means of enforcing, against the work's
180 | users, your or third parties' legal rights to forbid circumvention of
181 | technological measures.
182 |
183 | 4. Conveying Verbatim Copies.
184 |
185 | You may convey verbatim copies of the Program's source code as you
186 | receive it, in any medium, provided that you conspicuously and
187 | appropriately publish on each copy an appropriate copyright notice;
188 | keep intact all notices stating that this License and any
189 | non-permissive terms added in accord with section 7 apply to the code;
190 | keep intact all notices of the absence of any warranty; and give all
191 | recipients a copy of this License along with the Program.
192 |
193 | You may charge any price or no price for each copy that you convey,
194 | and you may offer support or warranty protection for a fee.
195 |
196 | 5. Conveying Modified Source Versions.
197 |
198 | You may convey a work based on the Program, or the modifications to
199 | produce it from the Program, in the form of source code under the
200 | terms of section 4, provided that you also meet all of these conditions:
201 |
202 | a) The work must carry prominent notices stating that you modified
203 | it, and giving a relevant date.
204 |
205 | b) The work must carry prominent notices stating that it is
206 | released under this License and any conditions added under section
207 | 7. This requirement modifies the requirement in section 4 to
208 | "keep intact all notices".
209 |
210 | c) You must license the entire work, as a whole, under this
211 | License to anyone who comes into possession of a copy. This
212 | License will therefore apply, along with any applicable section 7
213 | additional terms, to the whole of the work, and all its parts,
214 | regardless of how they are packaged. This License gives no
215 | permission to license the work in any other way, but it does not
216 | invalidate such permission if you have separately received it.
217 |
218 | d) If the work has interactive user interfaces, each must display
219 | Appropriate Legal Notices; however, if the Program has interactive
220 | interfaces that do not display Appropriate Legal Notices, your
221 | work need not make them do so.
222 |
223 | A compilation of a covered work with other separate and independent
224 | works, which are not by their nature extensions of the covered work,
225 | and which are not combined with it such as to form a larger program,
226 | in or on a volume of a storage or distribution medium, is called an
227 | "aggregate" if the compilation and its resulting copyright are not
228 | used to limit the access or legal rights of the compilation's users
229 | beyond what the individual works permit. Inclusion of a covered work
230 | in an aggregate does not cause this License to apply to the other
231 | parts of the aggregate.
232 |
233 | 6. Conveying Non-Source Forms.
234 |
235 | You may convey a covered work in object code form under the terms
236 | of sections 4 and 5, provided that you also convey the
237 | machine-readable Corresponding Source under the terms of this License,
238 | in one of these ways:
239 |
240 | a) Convey the object code in, or embodied in, a physical product
241 | (including a physical distribution medium), accompanied by the
242 | Corresponding Source fixed on a durable physical medium
243 | customarily used for software interchange.
244 |
245 | b) Convey the object code in, or embodied in, a physical product
246 | (including a physical distribution medium), accompanied by a
247 | written offer, valid for at least three years and valid for as
248 | long as you offer spare parts or customer support for that product
249 | model, to give anyone who possesses the object code either (1) a
250 | copy of the Corresponding Source for all the software in the
251 | product that is covered by this License, on a durable physical
252 | medium customarily used for software interchange, for a price no
253 | more than your reasonable cost of physically performing this
254 | conveying of source, or (2) access to copy the
255 | Corresponding Source from a network server at no charge.
256 |
257 | c) Convey individual copies of the object code with a copy of the
258 | written offer to provide the Corresponding Source. This
259 | alternative is allowed only occasionally and noncommercially, and
260 | only if you received the object code with such an offer, in accord
261 | with subsection 6b.
262 |
263 | d) Convey the object code by offering access from a designated
264 | place (gratis or for a charge), and offer equivalent access to the
265 | Corresponding Source in the same way through the same place at no
266 | further charge. You need not require recipients to copy the
267 | Corresponding Source along with the object code. If the place to
268 | copy the object code is a network server, the Corresponding Source
269 | may be on a different server (operated by you or a third party)
270 | that supports equivalent copying facilities, provided you maintain
271 | clear directions next to the object code saying where to find the
272 | Corresponding Source. Regardless of what server hosts the
273 | Corresponding Source, you remain obligated to ensure that it is
274 | available for as long as needed to satisfy these requirements.
275 |
276 | e) Convey the object code using peer-to-peer transmission, provided
277 | you inform other peers where the object code and Corresponding
278 | Source of the work are being offered to the general public at no
279 | charge under subsection 6d.
280 |
281 | A separable portion of the object code, whose source code is excluded
282 | from the Corresponding Source as a System Library, need not be
283 | included in conveying the object code work.
284 |
285 | A "User Product" is either (1) a "consumer product", which means any
286 | tangible personal property which is normally used for personal, family,
287 | or household purposes, or (2) anything designed or sold for incorporation
288 | into a dwelling. In determining whether a product is a consumer product,
289 | doubtful cases shall be resolved in favor of coverage. For a particular
290 | product received by a particular user, "normally used" refers to a
291 | typical or common use of that class of product, regardless of the status
292 | of the particular user or of the way in which the particular user
293 | actually uses, or expects or is expected to use, the product. A product
294 | is a consumer product regardless of whether the product has substantial
295 | commercial, industrial or non-consumer uses, unless such uses represent
296 | the only significant mode of use of the product.
297 |
298 | "Installation Information" for a User Product means any methods,
299 | procedures, authorization keys, or other information required to install
300 | and execute modified versions of a covered work in that User Product from
301 | a modified version of its Corresponding Source. The information must
302 | suffice to ensure that the continued functioning of the modified object
303 | code is in no case prevented or interfered with solely because
304 | modification has been made.
305 |
306 | If you convey an object code work under this section in, or with, or
307 | specifically for use in, a User Product, and the conveying occurs as
308 | part of a transaction in which the right of possession and use of the
309 | User Product is transferred to the recipient in perpetuity or for a
310 | fixed term (regardless of how the transaction is characterized), the
311 | Corresponding Source conveyed under this section must be accompanied
312 | by the Installation Information. But this requirement does not apply
313 | if neither you nor any third party retains the ability to install
314 | modified object code on the User Product (for example, the work has
315 | been installed in ROM).
316 |
317 | The requirement to provide Installation Information does not include a
318 | requirement to continue to provide support service, warranty, or updates
319 | for a work that has been modified or installed by the recipient, or for
320 | the User Product in which it has been modified or installed. Access to a
321 | network may be denied when the modification itself materially and
322 | adversely affects the operation of the network or violates the rules and
323 | protocols for communication across the network.
324 |
325 | Corresponding Source conveyed, and Installation Information provided,
326 | in accord with this section must be in a format that is publicly
327 | documented (and with an implementation available to the public in
328 | source code form), and must require no special password or key for
329 | unpacking, reading or copying.
330 |
331 | 7. Additional Terms.
332 |
333 | "Additional permissions" are terms that supplement the terms of this
334 | License by making exceptions from one or more of its conditions.
335 | Additional permissions that are applicable to the entire Program shall
336 | be treated as though they were included in this License, to the extent
337 | that they are valid under applicable law. If additional permissions
338 | apply only to part of the Program, that part may be used separately
339 | under those permissions, but the entire Program remains governed by
340 | this License without regard to the additional permissions.
341 |
342 | When you convey a copy of a covered work, you may at your option
343 | remove any additional permissions from that copy, or from any part of
344 | it. (Additional permissions may be written to require their own
345 | removal in certain cases when you modify the work.) You may place
346 | additional permissions on material, added by you to a covered work,
347 | for which you have or can give appropriate copyright permission.
348 |
349 | Notwithstanding any other provision of this License, for material you
350 | add to a covered work, you may (if authorized by the copyright holders of
351 | that material) supplement the terms of this License with terms:
352 |
353 | a) Disclaiming warranty or limiting liability differently from the
354 | terms of sections 15 and 16 of this License; or
355 |
356 | b) Requiring preservation of specified reasonable legal notices or
357 | author attributions in that material or in the Appropriate Legal
358 | Notices displayed by works containing it; or
359 |
360 | c) Prohibiting misrepresentation of the origin of that material, or
361 | requiring that modified versions of such material be marked in
362 | reasonable ways as different from the original version; or
363 |
364 | d) Limiting the use for publicity purposes of names of licensors or
365 | authors of the material; or
366 |
367 | e) Declining to grant rights under trademark law for use of some
368 | trade names, trademarks, or service marks; or
369 |
370 | f) Requiring indemnification of licensors and authors of that
371 | material by anyone who conveys the material (or modified versions of
372 | it) with contractual assumptions of liability to the recipient, for
373 | any liability that these contractual assumptions directly impose on
374 | those licensors and authors.
375 |
376 | All other non-permissive additional terms are considered "further
377 | restrictions" within the meaning of section 10. If the Program as you
378 | received it, or any part of it, contains a notice stating that it is
379 | governed by this License along with a term that is a further
380 | restriction, you may remove that term. If a license document contains
381 | a further restriction but permits relicensing or conveying under this
382 | License, you may add to a covered work material governed by the terms
383 | of that license document, provided that the further restriction does
384 | not survive such relicensing or conveying.
385 |
386 | If you add terms to a covered work in accord with this section, you
387 | must place, in the relevant source files, a statement of the
388 | additional terms that apply to those files, or a notice indicating
389 | where to find the applicable terms.
390 |
391 | Additional terms, permissive or non-permissive, may be stated in the
392 | form of a separately written license, or stated as exceptions;
393 | the above requirements apply either way.
394 |
395 | 8. Termination.
396 |
397 | You may not propagate or modify a covered work except as expressly
398 | provided under this License. Any attempt otherwise to propagate or
399 | modify it is void, and will automatically terminate your rights under
400 | this License (including any patent licenses granted under the third
401 | paragraph of section 11).
402 |
403 | However, if you cease all violation of this License, then your
404 | license from a particular copyright holder is reinstated (a)
405 | provisionally, unless and until the copyright holder explicitly and
406 | finally terminates your license, and (b) permanently, if the copyright
407 | holder fails to notify you of the violation by some reasonable means
408 | prior to 60 days after the cessation.
409 |
410 | Moreover, your license from a particular copyright holder is
411 | reinstated permanently if the copyright holder notifies you of the
412 | violation by some reasonable means, this is the first time you have
413 | received notice of violation of this License (for any work) from that
414 | copyright holder, and you cure the violation prior to 30 days after
415 | your receipt of the notice.
416 |
417 | Termination of your rights under this section does not terminate the
418 | licenses of parties who have received copies or rights from you under
419 | this License. If your rights have been terminated and not permanently
420 | reinstated, you do not qualify to receive new licenses for the same
421 | material under section 10.
422 |
423 | 9. Acceptance Not Required for Having Copies.
424 |
425 | You are not required to accept this License in order to receive or
426 | run a copy of the Program. Ancillary propagation of a covered work
427 | occurring solely as a consequence of using peer-to-peer transmission
428 | to receive a copy likewise does not require acceptance. However,
429 | nothing other than this License grants you permission to propagate or
430 | modify any covered work. These actions infringe copyright if you do
431 | not accept this License. Therefore, by modifying or propagating a
432 | covered work, you indicate your acceptance of this License to do so.
433 |
434 | 10. Automatic Licensing of Downstream Recipients.
435 |
436 | Each time you convey a covered work, the recipient automatically
437 | receives a license from the original licensors, to run, modify and
438 | propagate that work, subject to this License. You are not responsible
439 | for enforcing compliance by third parties with this License.
440 |
441 | An "entity transaction" is a transaction transferring control of an
442 | organization, or substantially all assets of one, or subdividing an
443 | organization, or merging organizations. If propagation of a covered
444 | work results from an entity transaction, each party to that
445 | transaction who receives a copy of the work also receives whatever
446 | licenses to the work the party's predecessor in interest had or could
447 | give under the previous paragraph, plus a right to possession of the
448 | Corresponding Source of the work from the predecessor in interest, if
449 | the predecessor has it or can get it with reasonable efforts.
450 |
451 | You may not impose any further restrictions on the exercise of the
452 | rights granted or affirmed under this License. For example, you may
453 | not impose a license fee, royalty, or other charge for exercise of
454 | rights granted under this License, and you may not initiate litigation
455 | (including a cross-claim or counterclaim in a lawsuit) alleging that
456 | any patent claim is infringed by making, using, selling, offering for
457 | sale, or importing the Program or any portion of it.
458 |
459 | 11. Patents.
460 |
461 | A "contributor" is a copyright holder who authorizes use under this
462 | License of the Program or a work on which the Program is based. The
463 | work thus licensed is called the contributor's "contributor version".
464 |
465 | A contributor's "essential patent claims" are all patent claims
466 | owned or controlled by the contributor, whether already acquired or
467 | hereafter acquired, that would be infringed by some manner, permitted
468 | by this License, of making, using, or selling its contributor version,
469 | but do not include claims that would be infringed only as a
470 | consequence of further modification of the contributor version. For
471 | purposes of this definition, "control" includes the right to grant
472 | patent sublicenses in a manner consistent with the requirements of
473 | this License.
474 |
475 | Each contributor grants you a non-exclusive, worldwide, royalty-free
476 | patent license under the contributor's essential patent claims, to
477 | make, use, sell, offer for sale, import and otherwise run, modify and
478 | propagate the contents of its contributor version.
479 |
480 | In the following three paragraphs, a "patent license" is any express
481 | agreement or commitment, however denominated, not to enforce a patent
482 | (such as an express permission to practice a patent or covenant not to
483 | sue for patent infringement). To "grant" such a patent license to a
484 | party means to make such an agreement or commitment not to enforce a
485 | patent against the party.
486 |
487 | If you convey a covered work, knowingly relying on a patent license,
488 | and the Corresponding Source of the work is not available for anyone
489 | to copy, free of charge and under the terms of this License, through a
490 | publicly available network server or other readily accessible means,
491 | then you must either (1) cause the Corresponding Source to be so
492 | available, or (2) arrange to deprive yourself of the benefit of the
493 | patent license for this particular work, or (3) arrange, in a manner
494 | consistent with the requirements of this License, to extend the patent
495 | license to downstream recipients. "Knowingly relying" means you have
496 | actual knowledge that, but for the patent license, your conveying the
497 | covered work in a country, or your recipient's use of the covered work
498 | in a country, would infringe one or more identifiable patents in that
499 | country that you have reason to believe are valid.
500 |
501 | If, pursuant to or in connection with a single transaction or
502 | arrangement, you convey, or propagate by procuring conveyance of, a
503 | covered work, and grant a patent license to some of the parties
504 | receiving the covered work authorizing them to use, propagate, modify
505 | or convey a specific copy of the covered work, then the patent license
506 | you grant is automatically extended to all recipients of the covered
507 | work and works based on it.
508 |
509 | A patent license is "discriminatory" if it does not include within
510 | the scope of its coverage, prohibits the exercise of, or is
511 | conditioned on the non-exercise of one or more of the rights that are
512 | specifically granted under this License. You may not convey a covered
513 | work if you are a party to an arrangement with a third party that is
514 | in the business of distributing software, under which you make payment
515 | to the third party based on the extent of your activity of conveying
516 | the work, and under which the third party grants, to any of the
517 | parties who would receive the covered work from you, a discriminatory
518 | patent license (a) in connection with copies of the covered work
519 | conveyed by you (or copies made from those copies), or (b) primarily
520 | for and in connection with specific products or compilations that
521 | contain the covered work, unless you entered into that arrangement,
522 | or that patent license was granted, prior to 28 March 2007.
523 |
524 | Nothing in this License shall be construed as excluding or limiting
525 | any implied license or other defenses to infringement that may
526 | otherwise be available to you under applicable patent law.
527 |
528 | 12. No Surrender of Others' Freedom.
529 |
530 | If conditions are imposed on you (whether by court order, agreement or
531 | otherwise) that contradict the conditions of this License, they do not
532 | excuse you from the conditions of this License. If you cannot convey a
533 | covered work so as to satisfy simultaneously your obligations under this
534 | License and any other pertinent obligations, then as a consequence you may
535 | not convey it at all. For example, if you agree to terms that obligate you
536 | to collect a royalty for further conveying from those to whom you convey
537 | the Program, the only way you could satisfy both those terms and this
538 | License would be to refrain entirely from conveying the Program.
539 |
540 | 13. Remote Network Interaction; Use with the GNU General Public License.
541 |
542 | Notwithstanding any other provision of this License, if you modify the
543 | Program, your modified version must prominently offer all users
544 | interacting with it remotely through a computer network (if your version
545 | supports such interaction) an opportunity to receive the Corresponding
546 | Source of your version by providing access to the Corresponding Source
547 | from a network server at no charge, through some standard or customary
548 | means of facilitating copying of software. This Corresponding Source
549 | shall include the Corresponding Source for any work covered by version 3
550 | of the GNU General Public License that is incorporated pursuant to the
551 | following paragraph.
552 |
553 | Notwithstanding any other provision of this License, you have
554 | permission to link or combine any covered work with a work licensed
555 | under version 3 of the GNU General Public License into a single
556 | combined work, and to convey the resulting work. The terms of this
557 | License will continue to apply to the part which is the covered work,
558 | but the work with which it is combined will remain governed by version
559 | 3 of the GNU General Public License.
560 |
561 | 14. Revised Versions of this License.
562 |
563 | The Free Software Foundation may publish revised and/or new versions of
564 | the GNU Affero General Public License from time to time. Such new versions
565 | will be similar in spirit to the present version, but may differ in detail to
566 | address new problems or concerns.
567 |
568 | Each version is given a distinguishing version number. If the
569 | Program specifies that a certain numbered version of the GNU Affero General
570 | Public License "or any later version" applies to it, you have the
571 | option of following the terms and conditions either of that numbered
572 | version or of any later version published by the Free Software
573 | Foundation. If the Program does not specify a version number of the
574 | GNU Affero General Public License, you may choose any version ever published
575 | by the Free Software Foundation.
576 |
577 | If the Program specifies that a proxy can decide which future
578 | versions of the GNU Affero General Public License can be used, that proxy's
579 | public statement of acceptance of a version permanently authorizes you
580 | to choose that version for the Program.
581 |
582 | Later license versions may give you additional or different
583 | permissions. However, no additional obligations are imposed on any
584 | author or copyright holder as a result of your choosing to follow a
585 | later version.
586 |
587 | 15. Disclaimer of Warranty.
588 |
589 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
590 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
591 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
592 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
593 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
594 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
595 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
596 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
597 |
598 | 16. Limitation of Liability.
599 |
600 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
601 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
602 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
603 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
604 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
605 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
606 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
607 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
608 | SUCH DAMAGES.
609 |
610 | 17. Interpretation of Sections 15 and 16.
611 |
612 | If the disclaimer of warranty and limitation of liability provided
613 | above cannot be given local legal effect according to their terms,
614 | reviewing courts shall apply local law that most closely approximates
615 | an absolute waiver of all civil liability in connection with the
616 | Program, unless a warranty or assumption of liability accompanies a
617 | copy of the Program in return for a fee.
618 |
619 | END OF TERMS AND CONDITIONS
620 |
621 | How to Apply These Terms to Your New Programs
622 |
623 | If you develop a new program, and you want it to be of the greatest
624 | possible use to the public, the best way to achieve this is to make it
625 | free software which everyone can redistribute and change under these terms.
626 |
627 | To do so, attach the following notices to the program. It is safest
628 | to attach them to the start of each source file to most effectively
629 | state the exclusion of warranty; and each file should have at least
630 | the "copyright" line and a pointer to where the full notice is found.
631 |
632 |
633 | Copyright (C) <year>  <name of author>
634 |
635 | This program is free software: you can redistribute it and/or modify
636 | it under the terms of the GNU Affero General Public License as published
637 | by the Free Software Foundation, either version 3 of the License, or
638 | (at your option) any later version.
639 |
640 | This program is distributed in the hope that it will be useful,
641 | but WITHOUT ANY WARRANTY; without even the implied warranty of
642 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
643 | GNU Affero General Public License for more details.
644 |
645 | You should have received a copy of the GNU Affero General Public License
646 | along with this program.  If not, see <https://www.gnu.org/licenses/>.
647 |
648 | Also add information on how to contact you by electronic and paper mail.
649 |
650 | If your software can interact with users remotely through a computer
651 | network, you should also make sure that it provides a way for users to
652 | get its source. For example, if your program is a web application, its
653 | interface could display a "Source" link that leads users to an archive
654 | of the code. There are many ways you could offer source, and different
655 | solutions will be better for different programs; see section 13 for the
656 | specific requirements.
657 |
658 | You should also get your employer (if you work as a programmer) or school,
659 | if any, to sign a "copyright disclaimer" for the program, if necessary.
660 | For more information on this, and how to apply and follow the GNU AGPL, see
661 | <https://www.gnu.org/licenses/>.
662 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # OpenShift 4 vmware UPI Installer
2 | This repository contains [Ansible](https://www.ansible.com/) playbooks and tasks for [OpenShift](https://www.openshift.com/) 4 cluster installation on vmware with UPI mode.
3 |
4 | The aim of these playbooks is to automate the UPI installation steps described in the [Red Hat OpenShift documentation](https://docs.openshift.com/container-platform/4.3/installing/installing_vsphere/installing-vsphere.html)
5 |
6 | These playbooks have been tested with **OpenShift Container Platform** up to **4.7.z**.
7 |
8 | ## Pre-requisites
9 | The minimum pre-requisite is a Red Hat / CentOS server, called _bastion_ or _jump host_, on which to run this repo's playbooks.
10 |
11 | DNS, DHCP and Load Balancers can either be installed with the provided playbooks, or can be pre-provisioned as corporate infrastructure services. In the latter case they must be configured as described in the [Red Hat OpenShift documentation](https://docs.openshift.com/container-platform/4.3/installing/installing_vsphere/installing-vsphere.html)
12 |
13 | Playbooks have been developed and tested on RHEL 7. While most things will also work on RHEL 8, that version has not been tested yet.
14 |
15 | ### Ansible
16 | Required Ansible version on the _bastion host_:
17 |
18 | * ansible > 2.8 is required
19 | * These playbooks have been developed and tested with **ansible 2.9.3**.
20 | * ansible >= 2.10 may lead to issues.
21 |
22 | Some playbooks are provided in order to test that infrastructure pre-requisites are met, specifically those related to DNS records.
23 |
24 | ### Python pip and pyvmomi
25 | In order to provision VMs on vmware cluster, [pyvmomi](https://github.com/vmware/pyvmomi) python library is required on _bastion_.
26 |
27 | First, you need to install python pip on your system. You can do so by:
28 | 1. enabling `epel` package repository using `epel-enable-playbook.yaml`
29 | 1. running: `# yum install python-pip`
30 |
31 | Finally, **[`pyvmomi`](https://docs.ansible.com/ansible/latest/scenario_guides/vmware_scenarios/vmware_intro.html)** installation can be handled by the dedicated pre-requisites playbook (`ocp4-playbook-vmware-prereq.yaml`).
32 |
33 | ### vSphere Permissions
34 | vSphere permissions required from OpenShift installer to properly configure vsphere storageclass are detailed on [vmware vsphere storage for kubernetes page](https://vmware.github.io/vsphere-storage-for-kubernetes/documentation/vcp-roles.html).
35 |
36 | vSphere permissions required by Ansible vmware_guest module are documented into [Notes section of vmware_guest page](https://docs.ansible.com/ansible/latest/modules/vmware_guest_module.html#notes).
37 |
38 | Other useful information is provided in the Ansible [VMware Guide](https://docs.ansible.com/ansible/latest/scenario_guides/guide_vmware.html).
39 | ## Provided Playbooks
40 | Playbook name | Description
41 | --- | ---
42 | `ocp4-playbook-vmware-prereq.yaml` | Install vmware_guest ansible module's prerequisites (currently pyvmomi).
43 | `ocp4-playbook-cluster-create.yaml`| Setup the OpenShift 4 cluster manifests (ignition files, certificates) and creates VMs on vmware cluster. All VMs are created powered off.
44 | `ocp4-playbook-poweron-vms.yaml`| Power on OpenShift VMs on vmware cluster.
45 | `ocp4-playbook-erase-vms.yaml`| Power off and erase OpenShift VMs on vmware cluster.
46 | `ocp4-playbook-test-uri.yaml` | Test https get to URI required to install and use OpenShift.
47 | `ocp4-playbook-test-dns.yaml`| Test for proper DNS records configuration.
48 | `ocp4-playbook-boot_delay-vms.yaml`| Configure the Boot Delay of VMs so that there is time to press the TAB or E key and edit the kernel command line.
49 | `ocp4-playbook-disk-add.yaml`| Add `additional_disks` to `storage_nodes` in order to use Local Storage Operator to deploy OpenShift Container Storage.
50 | `epel-enable-playbook.yaml`| Playbook to enable epel repository if needed (e.g. to install `ansible` from epel or `nagios-plugins-dhcp` to debug dhcp configuration).
51 | `infrastructure-services-setup.yaml`| Playbook to install and configure infrastructure services (DNS, LB, DHCP) on _bastion host_ in order to completely automate UPI pre-requisites.
52 |
53 | ## How to use these playbooks to install your OpenShift 4 cluster
54 | 1. clone/download this repo on _bastion host_.
55 | 1. Provide an SSH keypair that will be configured to access CoreOS OCP nodes with `core` user.
56 | 1. customize `vars/ocp4-vars-vmware-upi-installer.yaml` var file with specific information related to your infrastructure.
57 | 1. OPTIONAL - create infrastructure services (DNS, LB, DHCP) with playbook `infrastructure-services-setup.yaml`
58 | 1. test URI https get with playbook `ocp4-playbook-test-uri.yaml`
59 | 1. test DNS records configuration with playbook `ocp4-playbook-test-dns.yaml`
60 | 1. install ansible vmware_guest prerequisites with playbook `ocp4-playbook-vmware-prereq.yaml`
61 | 1. create OpenShift Cluster on vmware with playbook `ocp4-playbook-cluster-create.yaml`
62 | 1. poweron VMs with playbook `ocp4-playbook-poweron-vms.yaml`
63 |
64 | All playbooks run on localhost. To run them, simply type:
65 |
66 | `ansible-playbook <path-to-this-repo>/playbooks/<playbook-name>.yaml`
67 |
68 | ### OpenShift installation directory
69 | To build the OpenShift installation manifests and run the OpenShift installer, this directory is created as the working directory:
70 |
71 | `/tmp/openshift-install-`
72 |
73 | Also:
74 | * `openshift-install`
75 |
76 | and
77 | * `oc`
78 |
79 | binaries are installed under `/tmp` directory in such a way that, after VMs poweron, you can follow and complete the installation with:
80 |
81 | ```
82 | $ ansible-playbook ocp4-vmware-upi-installer/playbooks/ocp4-playbook-cluster-create.yaml
83 |
84 | $ ansible-playbook ocp4-vmware-upi-installer/playbooks/ocp4-playbook-poweron-vms.yaml
85 |
86 | $ /tmp/openshift-install --dir=/tmp/openshift-install- wait-for bootstrap-complete
87 |
88 | $ export KUBECONFIG=/tmp/openshift-install-/auth/kubeconfig
89 |
90 | $ /tmp/oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs /tmp/oc adm certificate approve
91 |
92 | $ /tmp/oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"storage":{"emptyDir":{}}}}'
93 |
94 | $ /tmp/oc patch configs.imageregistry.operator.openshift.io cluster --type merge --patch '{"spec":{"managementState": "Managed"}}'
95 |
96 | $ /tmp/openshift-install --dir=/tmp/openshift-install- wait-for install-complete
97 | ```
98 |
99 | ## Installation with static IP
100 | At the time of first writing this project, **static IP** address setting was not documented specifically for vSphere UPI installation. The supported procedure was the very same of baremetal scenario.
101 |
102 | The supported procedure consisted of **modifying first boot kernel parameters** by editing the kernel command line, as described [here](https://docs.openshift.com/container-platform/4.3/installing/installing_bare_metal/installing-bare-metal-network-customizations.html#installation-user-infra-machines-iso_installing-bare-metal-network-customizations).
103 |
104 | To leave enough time to press the TAB or E key after powering up the VM from the vCenter console, you can use the `ocp4-playbook-boot_delay-vms.yaml` playbook, which configures the Boot Delay VM parameter (default 10s).
105 |
106 | **UPDATE WITH OpenShift Container Platform 4.6 release**
107 |
108 | You can now override default Dynamic Host Configuration Protocol (DHCP) networking in vSphere. This requires setting the static IP configuration and then setting a guestinfo property before booting a VM from an OVA in vSphere:
109 |
110 | * https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-release-notes.html#ocp-4-6-static-ip-config-with-ova
111 |
112 | In order to use static IP with this playbook, simply set `static_ip: true` into var file `vars/ocp4-vars-vmware-upi-installer.yaml` and configure variables in the proper way.
113 |
114 | **NOTE: Having DNS records properly set for each node is a prerequisite for both direct and reverse (PTR record) resolution.**
115 |
116 | ### Finding vmware details with govc
117 | In order to find information related to vmware infrastructure, [govc](https://github.com/vmware/govmomi/tree/master/govc) software can be used:
118 | ```
119 | $ mkdir ~/bin
120 | $ export GOVC_URL=https://github.com/vmware/govmomi/releases/download/v0.22.1/govc_linux_amd64.gz
121 | $ curl -L ${GOVC_URL} | gunzip > ~/bin/govc
122 | $ chmod +x ~/bin/govc
123 |
124 | $ govc version
125 | govc 0.22.1
126 |
127 | $ export GOVC_URL="vcenter.ocplab.net"
128 | $ export GOVC_USERNAME="<...>"
129 | $ export GOVC_PASSWORD="<...>"
130 | $ export GOVC_INSECURE=1
131 | $ export GOVC_DATASTORE="<...>"
132 |
133 | $ govc about
134 | Name: VMware vCenter Server
135 | Vendor: VMware, Inc.
136 | Version: 6.7.0
137 | Build: 8170161
138 | OS type: linux-x64
139 | API type: VirtualCenter
140 | API version: 6.7
141 | Product ID: vpx
142 |
143 | $ govc ls
144 | /DC1/vm
145 | /DC1/network
146 | /DC1/host
147 | /DC1/datastore
148 |
149 | $ govc ls /DC1/network
150 | /DC1/network/LAN2
151 | /DC1/network/LAN1
152 | /DC1/network/WAN1
153 |
154 | $ govc ls /DC1/vm
155 | /DC1/vm/Discovered virtual machine
156 | /DC1/vm/ocp4
157 |
158 | $ govc ls /DC1/vm/ocp4
159 | /DC1/vm/ocp4/rhcos-4.3.0-x86_64
160 | ```
161 |
162 | ## How to contribute
163 | Pull requests are welcome!
164 |
165 | Please provide your contributions by [branching](https://guides.github.com/introduction/flow/) from the master branch.
166 |
--------------------------------------------------------------------------------
/playbooks/debug.yaml:
--------------------------------------------------------------------------------
# Ad-hoc debugging play: for every master node it prints the kernel
# command-line style "ip=..." string (dracut ip= syntax, the static-IP
# mechanism the README describes). It changes nothing on vSphere or on the
# bastion; it only loads the static vars file and echoes derived values.
- name: Play to debug this playbook
  hosts: localhost

  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:
    - name: Print static IP configuration
      vars:
        nodes: "{{ masters }}"
        # NOTE(review): master_ign is supplied by vars/ocp4-vars-dynamic.yaml
        # in ocp4-playbook-cluster-create.yaml, which this play does not
        # load; the value is not used by the message below.
        ignition_payload: "{{ master_ign }}"
        default_gw: "{{ machineCIDR_default_gw }}"
        netmask: "{{ machineCIDR_netmask }}"
        # NOTE(review): here the DNS list is joined with ':' into a single
        # `nameserver`, whereas the create play passes the raw list as
        # `nameservers` — confirm which form tasks/ocp4-nodes-create.yaml expects.
        nameserver: "{{ machineDNS | join(':') }}"
        baseDomain: "{{ machineBaseDomain }}"
        interface: "{{ machineInterface }}"
      debug:
        msg: "ip={{ item.ip }}::{{ default_gw }}:{{ netmask }}:{{ item.name}}.{{ baseDomain }}:{{ interface }}:none nameserver={{ nameserver }}"
      # Leftover single-value probes, kept for quick re-enabling:
      # debug:
      #   msg: "{{ default_gw }}"
      # debug:
      #   msg: "{{ netmask }}"
      loop: "{{ nodes }}"
--------------------------------------------------------------------------------
/playbooks/epel-enable-playbook.yaml:
--------------------------------------------------------------------------------
---
# Enables the EPEL package repository on the bastion (RedHat family only).
# Runs as root; the release RPM is fetched directly from dl.fedoraproject.org
# for the detected major version.
- name: Play to enable epel repo
  hosts: localhost
  become: yes

  tasks:
    - name: Assert that we are running on RedHat family system
      assert:
        that:
          - "ansible_os_family == 'RedHat'"

    # The release package is installed from a URL before its signing key is
    # known to rpm. yum does not GPG-verify packages given by URL unless
    # localpkg_gpgcheck is enabled, so for this one step the HTTPS download
    # is the only integrity guarantee; the key imported below protects the
    # EPEL packages installed afterwards, not this RPM.
    - name: Install EPEL repo.
      yum:
        name: https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm
        state: present

    # The key file ships inside epel-release, so this task only works after
    # the install above; from here on EPEL packages are signature-checked.
    - name: Import EPEL GPG key.
      rpm_key:
        key: /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-{{ ansible_distribution_major_version }}
        state: present
--------------------------------------------------------------------------------
/playbooks/infrastructure-services-setup.yaml:
--------------------------------------------------------------------------------
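---
# Provisions, on the bastion itself, the infrastructure services an OCP4
# UPI install depends on: DHCP, DNS (named) and load balancing (haproxy).
# Runs as root on localhost. Each service has its own task file under
# ../tasks; the "restart <service>" handlers they notify are imported from
# infrastructure-services-handlers.yaml.
- name: Play to provision Infrastructure Services needed for OCP4 UPI installation
  hosts: localhost
  become: yes

  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:
    - name: Assert that we are running on RedHat family system
      assert:
        that:
          - "ansible_os_family == 'RedHat'"

    # Each include is named after the service it sets up so that play
    # output shows which service a failing task belongs to.
    - name: include task for dhcp
      include_tasks: "{{ playbook_dir }}/../tasks/infrastructure-services-dhcp.yaml"

    - name: include task for named
      include_tasks: "{{ playbook_dir }}/../tasks/infrastructure-services-named.yaml"

    - name: include task for haproxy
      include_tasks: "{{ playbook_dir }}/../tasks/infrastructure-services-haproxy.yaml"

  handlers:
    - import_tasks: "{{ playbook_dir }}/../tasks/infrastructure-services-handlers.yaml"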
--------------------------------------------------------------------------------
/playbooks/ocp4-playbook-boot_delay-vms.yaml:
--------------------------------------------------------------------------------
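---
# Sets the vSphere boot delay on every cluster VM so that an operator has
# time to interrupt the boot and edit the kernel command line (the static-IP
# procedure described in the README). Runs as the invoking user, without
# facts; the per-VM work is in tasks/ocp4-nodes-boot_delay.yaml.
- name: Play to set boot_delay for VMs of OCP cluster
  hosts: localhost
  gather_facts: no
  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:

    # Node groups are optional in the vars file; each include is guarded
    # with `is defined`, as in the create/erase/poweron plays, so a missing
    # group is skipped instead of failing on an undefined variable.
    - name: include set boot_delay task for bootstrap node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-boot_delay.yaml"
      vars:
        nodes: "{{ bootstrap }}"
      when: bootstrap is defined

    - name: include set boot_delay task for masters node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-boot_delay.yaml"
      vars:
        nodes: "{{ masters }}"
      when: masters is defined

    - name: include set boot_delay task for workers node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-boot_delay.yaml"
      vars:
        nodes: "{{ workers }}"
      when: workers is defined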
--------------------------------------------------------------------------------
/playbooks/ocp4-playbook-cluster-create.yaml:
--------------------------------------------------------------------------------
---
# End-to-end provisioning on the bastion (root): fetch the OpenShift client
# and installer, set the yum proxy, generate the ignition configs, then
# create the bootstrap/master/worker VMs on vSphere. VMs are created powered
# off (see ocp4-playbook-poweron-vms.yaml). Tags allow a single phase to be
# rerun: create_manifest, download_client, replaceign, vmware.
- name: Play to provision OCP4 cluster
  hosts: localhost
  become: yes

  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:
    - name: Assert that we are running on RedHat family system
      assert:
        that:
          - "ansible_os_family == 'RedHat'"
      tags: [ create_manifest ]

    - name: include task for client setup
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-client-setup.yaml"
      tags: [ download_client, create_manifest ]

    - name: include task for yum proxy setup
      include_tasks: "{{ playbook_dir }}/../tasks/yum_set_proxy.yaml"
      tags: [ create_manifest ]

    - name: include task vms for ignition config
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-ignition-config.yaml"
      tags: [ replaceign, create_manifest ]

    # ocp4-vars-dynamic.yaml is generated at install time (it has a
    # templates/ocp4-vars-dynamic.yaml.j2 counterpart and is excluded from
    # git) and supplies the bootstrap_ign / master_ign / worker_ign values
    # used below. NOTE(review): ignition payloads presumably embed cluster
    # certificates and secrets — treat that file as sensitive and keep it
    # out of logs and shared backups.
    - name: Include vars for ignition files
      include_vars:
        file: "{{ playbook_dir }}/../vars/ocp4-vars-dynamic.yaml"
      tags: vmware

    # One include per node group; a group missing from the vars file is
    # skipped. default_gw/netmask/nameservers feed the static-IP boot
    # configuration (static_ip in the vars file, see README).
    - name: include create task vms for bootstrap node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-create.yaml"
      vars:
        nodes: "{{ bootstrap }}"
        ignition_payload: "{{ bootstrap_ign }}"
        default_gw: "{{ machineCIDR_default_gw }}"
        netmask: "{{ machineCIDR_netmask }}"
        nameservers: "{{ machineDNS }}"
      tags: vmware
      when: bootstrap is defined

    - name: include create task vms for masters node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-create.yaml"
      vars:
        nodes: "{{ masters }}"
        ignition_payload: "{{ master_ign }}"
        default_gw: "{{ machineCIDR_default_gw }}"
        netmask: "{{ machineCIDR_netmask }}"
        nameservers: "{{ machineDNS }}"
      tags: vmware
      when: masters is defined

    - name: include create task vms for workers node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-create.yaml"
      vars:
        nodes: "{{ workers }}"
        ignition_payload: "{{ worker_ign }}"
        default_gw: "{{ machineCIDR_default_gw }}"
        netmask: "{{ machineCIDR_netmask }}"
        nameservers: "{{ machineDNS }}"
      tags: vmware
      when: workers is defined

--------------------------------------------------------------------------------
/playbooks/ocp4-playbook-disk-add.yaml:
--------------------------------------------------------------------------------
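---
# Attaches the `additional_disks` declared in the vars file to the
# `storage_nodes` VMs (README: local storage for OpenShift Container
# Storage via the Local Storage Operator). Runs without facts or privilege
# escalation; the vSphere work is in tasks/ocp4-nodes-disks-add.yaml.
- name: Play to add disks to storage_nodes
  hosts: localhost
  gather_facts: no
  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:
    # Guarded like the other node-group includes in this repo, so a vars
    # file without storage_nodes skips the play instead of failing on an
    # undefined variable.
    - name: include task ocp4-nodes-disks-add
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-disks-add.yaml"
      vars:
        nodes: "{{ storage_nodes }}"
      when: storage_nodes is defined
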
--------------------------------------------------------------------------------
/playbooks/ocp4-playbook-erase-vms.yaml:
--------------------------------------------------------------------------------
---
# Destructive: powers off and deletes the bootstrap, master and worker VMs
# of the cluster on vSphere (per-VM work in tasks/ocp4-nodes-erase.yaml).
# Node groups missing from the vars file are skipped. Runs as the invoking
# user without gathering facts.
- name: Play to erase VMs of OCP cluster
  hosts: localhost
  gather_facts: no
  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:
    # The bootstrap and masters includes carry the `skip` tag and the
    # workers include does not — presumably so that `--skip-tags skip`
    # erases only the workers; confirm before relying on it.
    - name: include erase task vms for bootstrap node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-erase.yaml"
      vars:
        nodes: "{{ bootstrap }}"
      tags: skip
      when: bootstrap is defined

    - name: include erase task vms for masters node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-erase.yaml"
      vars:
        nodes: "{{ masters }}"
      tags: skip
      when: masters is defined

    - name: include erase task vms for workers node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-erase.yaml"
      vars:
        nodes: "{{ workers }}"
      when: workers is defined

--------------------------------------------------------------------------------
/playbooks/ocp4-playbook-poweron-vms.yaml:
--------------------------------------------------------------------------------
---
# Powers on the bootstrap, master and worker VMs on vSphere after
# ocp4-playbook-cluster-create.yaml has created them (per-VM work in
# tasks/ocp4-nodes-poweron.yaml). Node groups missing from the vars file
# are skipped. Runs as the invoking user without gathering facts.
- name: Play to poweron VMs of OCP cluster
  hosts: localhost
  gather_facts: no
  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:

    # Same tagging as the erase play: bootstrap and masters are tagged
    # `skip`, workers are not — presumably so `--skip-tags skip` powers on
    # only the workers; confirm before relying on it.
    - name: include poweron task vms for bootstrap node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-poweron.yaml"
      vars:
        nodes: "{{ bootstrap }}"
      tags: skip
      when: bootstrap is defined

    - name: include poweron task vms for masters node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-poweron.yaml"
      vars:
        nodes: "{{ masters }}"
      tags: skip
      when: masters is defined

    - name: include poweron task vms for workers node
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-nodes-poweron.yaml"
      vars:
        nodes: "{{ workers }}"
      when: workers is defined
--------------------------------------------------------------------------------
/playbooks/ocp4-playbook-test-dns.yaml:
--------------------------------------------------------------------------------
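---
# Verifies the DNS records an OCP4 UPI install depends on: the api /
# api-int / *.apps VIPs, then forward/reverse resolution of every node
# address (the lookups live in tasks/ocp4-test-dns-VIPS.yaml and
# tasks/ocp4-test-dns-nodes.yaml). Runs as root on localhost so that the
# lookup tools can be installed first.
- name: Test DNS records for OCP4
  hosts:
    - localhost
  gather_facts: no
  become: yes

  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:
    - name: install dns and network utils
      package:
        name: "{{ item }}"
        state: present
      loop:
        - bind-utils
        - net-tools
        - telnet
        - curl
        - wget

    - name: include task to test VIP records
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-test-dns-VIPS.yaml"
      vars:
        record: "{{ item }}"
      loop:
        - api
        - api-int
        - "*.apps"

    # Node groups are optional in the vars file (the create/erase/poweron
    # plays guard them with `is defined`). A `loop` over an undefined
    # variable aborts the play before any `when` is evaluated, so an absent
    # group is turned into an empty loop instead.
    - name: test bootstrap
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-test-dns-nodes.yaml"
      vars:
        addr: "{{ item.ip }}"
      loop: "{{ bootstrap | default([]) }}"
      tags: ocp4-test-dns-nodes

    - name: test masters
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-test-dns-nodes.yaml"
      vars:
        addr: "{{ item.ip }}"
      loop: "{{ masters | default([]) }}"
      tags: ocp4-test-dns-nodes

    - name: test workers
      include_tasks: "{{ playbook_dir }}/../tasks/ocp4-test-dns-nodes.yaml"
      vars:
        addr: "{{ item.ip }}"
      loop: "{{ workers | default([]) }}"
      tags: ocp4-test-dns-nodes
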
--------------------------------------------------------------------------------
/playbooks/ocp4-playbook-test-uri.yaml:
--------------------------------------------------------------------------------
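---
# Connectivity pre-check: performs an HTTPS GET against every host listed in
# proxy_whitelist_mandatory (vars/ocp4-vars-proxy-whitelist.yaml), through
# the proxy settings held in proxy_env, and fails the play on any answer
# other than HTTP 200.
- name: Play to test required URI connection
  hosts: localhost
  gather_facts: no

  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-proxy-whitelist.yaml"
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:
    - name: Check that MANDATORY URI connect (GET) returns a status 200
      uri:
        url: "https://{{ item }}"
        # Per-host limit so that one unreachable endpoint cannot stall the play.
        timeout: 5
        # Certificate validation is off unless uri_validate_certs is set,
        # preserving the historical behaviour of this check. A pass with
        # validation off only proves reachability: it does not prove the
        # bastion trusts the certificate chain it sees (e.g. behind a
        # TLS-inspecting proxy), which the later get_url downloads in
        # tasks/ocp4-client-setup.yaml do verify by default. Run with
        # `-e uri_validate_certs=true` to make this check match them.
        validate_certs: "{{ uri_validate_certs | default(false) }}"
        # Always issue the request rather than accept a cached copy.
        force: yes
      environment: "{{ proxy_env }}"
      loop: "{{ proxy_whitelist_mandatory }}"
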
--------------------------------------------------------------------------------
/playbooks/ocp4-playbook-vmware-prereq.yaml:
--------------------------------------------------------------------------------
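---
# Installs the prerequisite of the vmware_guest Ansible module on the
# bastion: the pyvmomi Python library, via pip as root. Honors the proxy
# settings from the vars file when proxy_env.http_proxy is non-empty.
- name: Play to install vmware_guest prerequisites (pyvmomi)
  hosts: localhost

  vars_files:
    - "{{ playbook_dir }}/../vars/ocp4-vars-vmware-upi-installer.yaml"

  tasks:
    # A single task covers both the proxied and the direct case: when
    # proxy_env.http_proxy is empty the task environment is left untouched,
    # exactly what the separate no-proxy task did before.
    - name: install pip module to call vcenter API
      pip:
        name: pyvmomi
        # Optional supply-chain pin: `-e pyvmomi_version=X.Y.Z` installs a
        # known release instead of whatever PyPI currently serves as latest.
        # Left unset, the install stays unpinned as before.
        version: "{{ pyvmomi_version | default(omit) }}"
        # Files written by root must stay world-readable: the vSphere plays
        # in this repo (poweron, erase, boot_delay, disk-add) run without
        # become and import the module as the invoking user.
        umask: "0022"
      become: True
      environment: "{{ {'HTTP_PROXY': proxy_env.http_proxy, 'HTTPS_PROXY': proxy_env.https_proxy} if proxy_env.http_proxy != '' else {} }}"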
--------------------------------------------------------------------------------
/tasks/infrastructure-services-dhcp.yaml:
--------------------------------------------------------------------------------
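# Installs the `dhcp` package (dhcpd) on the bastion, renders its config from
# templates/dhcpd.conf.j2, keeps the service enabled, and opens the dhcp
# service in firewalld when firewalld is installed and enabled.
# Handler used: "restart dhcpd" (infrastructure-services-handlers.yaml).
- name: install dhcp
  package:
    name: dhcp
    state: present

- name: configure dhcp.conf from template
  template:
    src: "{{ playbook_dir }}/../templates/dhcpd.conf.j2"
    dest: "/etc/dhcp/dhcpd.conf"
  notify:
    - restart dhcpd

- name: ensure dhcpd is running
  service:
    name: dhcpd
    state: started
    enabled: yes

- name: populate service facts
  service_facts:

# A host without firewalld has no 'firewalld.service' entry in the service
# facts, and indexing it directly would abort the play with an undefined
# attribute error. List conditions are ANDed in order, so the status check
# is only evaluated once the key is known to exist.
- name: Allow infrastructure services on firewall
  firewalld:
    service: dhcp
    permanent: yes
    state: enabled
    immediate: yes
    zone: public
  when:
    - "'firewalld.service' in ansible_facts.services"
    - ansible_facts.services['firewalld.service'].status == 'enabled'
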
--------------------------------------------------------------------------------
/tasks/infrastructure-services-handlers.yaml:
--------------------------------------------------------------------------------
# Restart handlers notified by the infrastructure-services-*.yaml task
# files; infrastructure-services-setup.yaml imports them into the play.
# Each handler runs at most once per play, after the tasks that notified it,
# so a re-rendered config takes effect without restarting unchanged services.
- name: restart dhcpd
  service:
    name: dhcpd
    state: restarted

- name: restart named
  service:
    name: named
    state: restarted

- name: restart haproxy
  service:
    name: haproxy
    state: restarted

--------------------------------------------------------------------------------
/tasks/infrastructure-services-haproxy.yaml:
--------------------------------------------------------------------------------
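# Installs haproxy on the bastion as the load balancer in front of the
# OpenShift API (6443), the machine config server (22623) and, presumably,
# the ingress routers (http/https), configured from
# templates/haproxy.cfg.j2. Handler used: "restart haproxy".
- name: install haproxy
  package:
    name: haproxy
    state: present

- name: populate service facts
  service_facts:

# haproxy_connect_any lets haproxy bind to and connect out on ports outside
# the SELinux http port set (6443/22623 here); only needed with SELinux on.
- name: Set selinux haproxy flag on and keep them persistent across reboots
  seboolean:
    name: haproxy_connect_any
    state: yes
    persistent: yes
  when: ansible_selinux.status == "enabled"

# The service is started before the template is rendered: the first start
# uses the stock config and the "restart haproxy" handler picks up the
# rendered one at the end of the play.
- name: ensure haproxy is running
  service:
    name: haproxy
    state: started
    enabled: yes

- name: configure haproxy.cfg from template
  template:
    src: "{{ playbook_dir }}/../templates/haproxy.cfg.j2"
    dest: "/etc/haproxy/haproxy.cfg"
  notify:
    - restart haproxy

# Both firewall tasks are skipped on hosts without firewalld: the
# 'firewalld.service' key is then absent from the service facts and
# indexing it directly would abort the play. List conditions are ANDed in
# order, so the status check only runs once the key is known to exist.
- name: Allow infrastructure services on firewall
  firewalld:
    service: "{{ item }}"
    permanent: yes
    state: enabled
    immediate: yes
    zone: public
  loop:
    - http
    - https
  when:
    - "'firewalld.service' in ansible_facts.services"
    - ansible_facts.services['firewalld.service'].status == 'enabled'

# All three ports are opened in the public zone. 22623 serves ignition
# configs to booting nodes and the OpenShift install documentation expects
# it to be reachable from the cluster machines only; restrict its source
# (rich rule or dedicated zone) when the bastion faces untrusted networks.
# What listens on 5555/tcp is defined in haproxy.cfg.j2, not visible here —
# confirm it is meant to be exposed.
- name: Open ports for infrastructure services on firewall
  firewalld:
    port: "{{ item }}"
    permanent: yes
    state: enabled
    immediate: yes
    zone: public
  loop:
    - "5555/tcp"
    - "22623/tcp"
    - "6443/tcp"
  when:
    - "'firewalld.service' in ansible_facts.services"
    - ansible_facts.services['firewalld.service'].status == 'enabled'
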
--------------------------------------------------------------------------------
/tasks/infrastructure-services-named.yaml:
--------------------------------------------------------------------------------
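# Installs BIND (named) on the bastion as the cluster's DNS, renders
# named.conf plus the forward and reverse zone files from
# templates/named*.j2, opens the dns service in firewalld, and repoints the
# bastion's own resolver at itself. Handler used: "restart named".
- name: install bind
  package:
    name: bind
    state: present

- name: populate service facts
  service_facts:

# named_write_master_zones allows named to write in its zone directories
# under SELinux (zone journals/updates); only needed with SELinux on.
- name: Set selinux named flag on and keep them persistent across reboots
  seboolean:
    name: named_write_master_zones
    state: yes
    persistent: yes
  when: ansible_selinux.status == "enabled"

- name: configure named.conf from template
  template:
    src: "{{ playbook_dir }}/../templates/named.conf.j2"
    dest: "/etc/named.conf"
  notify:
    - restart named

# Holds the two zone definitions rendered below.
- name: create zones directory
  file:
    path: /etc/named/zones
    state: directory
    mode: '0755'

- name: configure named-direct-resolution.conf from template
  template:
    src: "{{ playbook_dir }}/../templates/named-direct-resolution.conf.j2"
    dest: "/etc/named/zones/named-direct-resolution.conf"
  notify:
    - restart named

- name: configure named-reverse-resolution.conf from template
  template:
    src: "{{ playbook_dir }}/../templates/named-reverse-resolution.conf.j2"
    dest: "/etc/named/zones/named-reverse-resolution.conf"
  notify:
    - restart named

- name: ensure named is running
  service:
    name: named
    state: started
    enabled: yes

# Skipped on hosts without firewalld: the 'firewalld.service' key is then
# absent from the service facts and indexing it directly would abort the
# play. List conditions are ANDed in order, so the status check only runs
# once the key is known to exist.
- name: Allow infrastructure services on firewall
  firewalld:
    service: dns
    permanent: yes
    state: enabled
    immediate: yes
    zone: public
  when:
    - "'firewalld.service' in ansible_facts.services"
    - ansible_facts.services['firewalld.service'].status == 'enabled'

# With dns=none NetworkManager stops managing /etc/resolv.conf, so the
# nameserver line written by the next task is not overwritten on
# reconnect or reboot. A backup of the previous file is kept.
- name: make sure line 'dns=none' is set in /etc/NetworkManager/NetworkManager.conf
  ini_file:
    path: /etc/NetworkManager/NetworkManager.conf
    state: present
    no_extra_spaces: yes
    section: main
    option: dns
    value: none
    owner: root
    group: root
    mode: 0644
    backup: yes

# Every existing nameserver line is pointed at the bastion's default IPv4
# address, i.e. at the named instance configured above.
- name: configure resolv.conf
  replace:
    path: /etc/resolv.conf
    regexp: '^(nameserver) .*$'
    replace: '\1 {{ ansible_default_ipv4.address }}'

# Apply the NetworkManager.conf change.
- name: reload NetworkManager
  service:
    name: NetworkManager
    state: reloaded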
--------------------------------------------------------------------------------
/tasks/ocp4-client-setup.yaml:
--------------------------------------------------------------------------------
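# Download and unpack the openshift client and installer tarballs into /tmp.
# NOTE(review): /tmp is world-writable and /tmp/openshift-install is executed
# later by ocp4-ignition-config.yaml; a private directory would stop another
# local user from swapping the binary between download and use. Other tasks
# hard-code the /tmp path, so change them together.

- name: Download openshift clients
  get_url:
    url: "{{ openshift_clients_url }}/{{ item }}"
    dest: "/tmp/{{ item }}"
    # Optional supply-chain pin: define openshift_clients_checksums in the vars
    # file as a mapping of archive name -> "sha256:<digest>" and get_url will
    # refuse a download whose digest does not match. When the mapping (or the
    # entry) is absent the parameter is omitted and behaviour is unchanged.
    checksum: "{{ (openshift_clients_checksums | default({}))[item] | default(omit) }}"
  loop:
    - "{{ client_linux }}"
    - "{{ install_linux }}"
  environment: "{{ proxy_env }}"
  tags: [ download_client, create_manifest ]

# NOTE(review): the archives were fetched onto the target by get_url; unless
# this play runs against localhost, unarchive needs `remote_src: yes` to read
# them from the target instead of the controller — confirm against the playbook.
- name: Extract openshift clients
  unarchive:
    src: "/tmp/{{ item }}"
    dest: /tmp/
  loop:
    - "{{ client_linux }}"
    - "{{ install_linux }}"
  tags: [ download_client, create_manifest ]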
19 |
--------------------------------------------------------------------------------
/tasks/ocp4-httpd-ignition-provide.yaml:
--------------------------------------------------------------------------------
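# Serve the bootstrap ignition file over plain HTTP on httpd_port so the
# bootstrap VM can fetch it at first boot.

- name: install httpd server to host ignition
  package:
    name: httpd
    state: present

# Only rewrites an existing `Listen <port>` line; the result is registered so
# httpd is restarted solely when the port actually changed.
- name: listen on port {{ httpd_port }}
  replace:
    path: /etc/httpd/conf/httpd.conf
    regexp: '^(Listen) [0-9]*$'
    replace: '\1 {{ httpd_port }}'
  register: httpd_listen

- name: ensure httpd server is enabled and running
  service:
    name: httpd
    state: started
    enabled: yes

# The original unconditional restart reported a change on every run and
# bounced a healthy service; restart only when the Listen directive changed.
- name: restart httpd server to apply the new listen port
  service:
    name: httpd
    state: restarted
  when: httpd_listen is changed

# Anyone who can reach httpd_port can download this file (the firewall rule
# below opens the port in the public zone). NOTE(review): bootstrap.ign is
# the complete bootstrap configuration and generally embeds cluster
# credentials — confirm, and remove it from the document root (or restrict
# the firewall source) once the bootstrap phase has finished.
- name: Copy bootstrap.ign file to the httpd document root
  copy:
    src: "{{ work_dir }}/bootstrap.ign"
    dest: "{{ document_root }}/bootstrap.ign"
    force: yes
    mode: '0644'

- name: populate service facts
  service_facts:

# The firewalld entry is checked for existence first: indexing
# ansible_facts.services with a missing 'firewalld.service' key would abort
# the play instead of skipping the task on hosts without firewalld.
- name: Open ports for infrastructure services on firewall
  firewalld:
    port: "{{ httpd_port }}/tcp"
    permanent: yes
    state: enabled
    immediate: yes
    zone: public
  when:
    - "'firewalld.service' in ansible_facts.services"
    - ansible_facts.services['firewalld.service'].status == 'enabled'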
35 |
--------------------------------------------------------------------------------
/tasks/ocp4-ignition-config.yaml:
--------------------------------------------------------------------------------
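# Generate the OCP4 manifests and ignition files with openshift-install and
# publish the base64-encoded payloads into vars/ocp4-vars-dynamic.yaml.
# Every generation step is skipped when {{ work_dir }}/master.ign already
# exists, so re-running the play does not regenerate a live cluster's config.

- name: Create working directory if it does not exist
  file:
    path: "{{ work_dir }}"
    state: directory
    mode: '0755'
  tags: create_manifest

- name: Verify if install-config already run
  stat:
    path: "{{ work_dir }}/master.ign"
  register: manifest_ign
  tags: create_manifest

- debug:
    msg: "{{ work_dir }} has already been initialized. Please delete it if you want to re-initialize."
  when: manifest_ign.stat.exists
  tags: create_manifest

# The rendered install-config carries the vCenter password, the pull secret
# and the SSH key (see install-config.yaml.j2); keep it owner-only readable.
- name: configure install-config
  template:
    src: "{{ playbook_dir }}/../templates/install-config.yaml.j2"
    dest: "{{ work_dir }}/install-config.yaml"
    mode: '0600'
  when: not manifest_ign.stat.exists
  tags: create_manifest

# openshift-install consumes install-config.yaml; keep a reference copy with
# the same restrictive mode since it holds the same secrets.
# NOTE(review): `copy` reads src from the controller, which only works while
# this play runs on localhost — confirm against the playbook.
- name: Copy install-config.yaml file
  copy:
    src: "{{ work_dir }}/install-config.yaml"
    dest: "{{ work_dir }}/install-config.yaml.copy"
    mode: '0600'
  when: not manifest_ign.stat.exists
  tags: create_manifest

# `command` with argv: no shell is involved, so work_dir is passed as a
# single argument whatever characters it contains.
- name: build manifests
  command:
    argv:
      - /tmp/openshift-install
      - create
      - manifests
      - "--dir={{ work_dir }}"
    chdir: "{{ work_dir }}"
  when: not manifest_ign.stat.exists
  tags: create_manifest

# Keep workloads off the control plane nodes.
- name: unset mastersSchedulable
  replace:
    path: "{{ work_dir }}/manifests/cluster-scheduler-02-config.yml"
    regexp: '(mastersSchedulable:) true'
    replace: '\1 false'
  when: not manifest_ign.stat.exists
  tags: create_manifest

# UPI: the VMs are created by this playbook, not by the machine API.
- name: Remove manifest that define control plane machines and compute machineSets
  file:
    path: "{{ work_dir }}/{{ item }}"
    state: absent
  loop:
    - openshift/99_openshift-cluster-api_master-machines-0.yaml
    - openshift/99_openshift-cluster-api_master-machines-1.yaml
    - openshift/99_openshift-cluster-api_master-machines-2.yaml
    - openshift/99_openshift-cluster-api_worker-machineset-0.yaml
  when: not manifest_ign.stat.exists
  tags: create_manifest

- name: create ignition-configs
  command:
    argv:
      - /tmp/openshift-install
      - create
      - ignition-configs
      - "--dir={{ work_dir }}"
    chdir: "{{ work_dir }}"
  when: not manifest_ign.stat.exists

- name: install package to run base64 command
  package:
    name: coreutils
    state: present

# `shell` is kept here because of the output redirection; the paths are
# quoted so the command stays intact if work_dir ever contains spaces.
- name: convert ignition to base64
  shell:
    cmd: base64 -w0 "{{ work_dir }}/{{ item }}.ign" > "{{ work_dir }}/{{ item }}.64"
  loop:
    - master
    - worker
    - bootstrap
  when: not manifest_ign.stat.exists
  tags: replaceign

- name: Change permissions on generated files
  file:
    path: "{{ work_dir }}/{{ item }}"
    mode: '0644'
  loop:
    - master.ign
    - worker.ign
    - bootstrap.ign
    - metadata.json
  when: not manifest_ign.stat.exists

# Re-creates the vars file with empty placeholders on every run; the task
# below then fills them in from the .64 files.
- name: create ocp4-vars-dynamic.yaml empty var file
  template:
    src: "{{ playbook_dir }}/../templates/ocp4-vars-dynamic.yaml.j2"
    dest: "{{ playbook_dir }}/../vars/ocp4-vars-dynamic.yaml"
  tags: replaceign

# Writes the base64 ignition payloads into the repository's vars directory.
# The resulting vars file contains the same material as the .ign files and
# must be kept out of version control.
- name: replace ignition payload in vars file
  replace:
    path: "{{ playbook_dir }}/../vars/ocp4-vars-dynamic.yaml"
    regexp: '^({{ placeholder }}).*$'
    replace: '\1: "{{ contents }}"'
  vars:
    # Path built as a Jinja expression rather than moustaches nested inside a
    # string literal, which only worked through recursive templating.
    contents: "{{ lookup('file', work_dir ~ '/' ~ item) }}"
    # bootstrap.64 -> bootstrap_ign, i.e. the key pre-seeded by the template.
    # The dot is escaped so only the ".64" suffix is replaced.
    placeholder: "{{ item | regex_replace('-', '_') | regex_replace('\\.64$', '_ign') }}"
  loop:
    - bootstrap.64
    - master.64
    - worker.64
  tags: replaceign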
112 |
--------------------------------------------------------------------------------
/tasks/ocp4-nodes-boot_delay.yaml:
--------------------------------------------------------------------------------
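# Set the boot delay of every node VM listed in `nodes`, via the vCenter
# API from the controller.

- name: Change virtual machine's boot_delay
  vmware_guest_boot_manager:
    hostname: "{{ vcenter.hostname }}"
    username: "{{ vcenter.username }}"
    # vcenter.password is read from the vars file in clear text; keep that
    # file (or at least this key) in an ansible-vault encrypted file.
    password: "{{ vcenter.password }}"
    # vCenter TLS certificate verification is off unless vcenter.validate_certs
    # is set to true in the vars file (previously hard-coded to `no`).
    validate_certs: "{{ vcenter.validate_certs | default(false) }}"
    name: "{{ item.name }}"
    boot_delay: "{{ vm_boot_delay }}"
  loop: "{{ nodes }}"
  delegate_to: localhost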
11 |
--------------------------------------------------------------------------------
/tasks/ocp4-nodes-create.yaml:
--------------------------------------------------------------------------------
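# Clone the RHCOS OVA template into one powered-off VM per entry in `nodes`,
# passing the ignition payload through guestinfo. Two variants exist: DHCP
# (network settings come from dhcpd, so the MAC is pinned afterwards) and
# static IP (network settings are injected as afterburn kernel args).
# vCenter TLS verification follows vcenter.validate_certs and stays off when
# that key is absent (previously hard-coded to `no`).

- name: Create OCP node with DHCP
  vmware_guest:
    hostname: "{{ vcenter.hostname }}"
    username: "{{ vcenter.username }}"
    password: "{{ vcenter.password }}"
    datacenter: "{{ vcenter.datacenter }}"
    cluster: "{{ vcenter.cluster }}"
    validate_certs: "{{ vcenter.validate_certs | default(false) }}"
    folder: "{{ vcenter.folder }}"
    name: "{{ item.name }}"
    state: poweredoff
    template: "{{ ova_template_name }}"
    disk:
      - size_gb: "{{ item.disk }}"
        type: thin
        datastore: "{{ vcenter.datastore }}"
    hardware:
      memory_mb: "{{ item.memory }}"
      num_cpus: "{{ item.cpu }}"
      memory_reservation_lock: True
      mem_limit: "{{ item.memory }}"
      mem_reservation: "{{ item.memory }}"
      hotadd_cpu: True
      hotremove_cpu: True
      hotadd_memory: False
    customvalues:
      - key: "disk.EnableUUID"
        value: "TRUE"
      - key: "guestinfo.ignition.config.data.encoding"
        value: "base64"
      # ignition_payload is the base64 ignition file; it is visible to
      # anyone with read access to the VM's advanced settings in vCenter.
      - key: "guestinfo.ignition.config.data"
        value: "{{ ignition_payload }}"
    networks:
      - name: "{{ vcenter.network }}"
    wait_for_ip_address: no
  loop: "{{ nodes }}"
  delegate_to: localhost
  tags: vmware
  when: not static_ip

# Pin the MAC so the dhcpd host entries (templates/dhcpd.conf.j2) match.
- name: Configure OCP node MAC address for DHCP
  vmware_guest_network:
    hostname: "{{ vcenter.hostname }}"
    username: "{{ vcenter.username }}"
    password: "{{ vcenter.password }}"
    datacenter: "{{ vcenter.datacenter }}"
    cluster: "{{ vcenter.cluster }}"
    validate_certs: "{{ vcenter.validate_certs | default(false) }}"
    folder: "{{ vcenter.folder }}"
    name: "{{ item.name }}"
    gather_network_info: false
    networks:
      - name: "{{ vcenter.network }}"
        label: "Network adapter 1"
        state: present
        manual_mac: "{{ item.mac }}"
        ## This value is required if multiple distributed portgroups exists.
        # dvswitch_name: "{{ vcenter.dvswitch_name }}"
  loop: "{{ nodes }}"
  delegate_to: localhost
  tags: vmware
  when: not static_ip

- name: Create OCP node with static IP
  vmware_guest:
    hostname: "{{ vcenter.hostname }}"
    username: "{{ vcenter.username }}"
    password: "{{ vcenter.password }}"
    datacenter: "{{ vcenter.datacenter }}"
    cluster: "{{ vcenter.cluster }}"
    validate_certs: "{{ vcenter.validate_certs | default(false) }}"
    folder: "{{ vcenter.folder }}"
    name: "{{ item.name }}"
    state: poweredoff
    template: "{{ ova_template_name }}"
    disk:
      - size_gb: "{{ item.disk }}"
        type: thin
        datastore: "{{ vcenter.datastore }}"
    hardware:
      memory_mb: "{{ item.memory }}"
      num_cpus: "{{ item.cpu }}"
      memory_reservation_lock: True
      mem_limit: "{{ item.memory }}"
      mem_reservation: "{{ item.memory }}"
      hotadd_cpu: True
      hotremove_cpu: True
      hotadd_memory: False
    networks:
      - name: "{{ vcenter.network }}"
    customvalues:
      - key: "disk.EnableUUID"
        value: "TRUE"
      - key: "guestinfo.ignition.config.data.encoding"
        value: "base64"
      - key: "guestinfo.ignition.config.data"
        value: "{{ ignition_payload }}"
      # Static network configuration handed to the initrd:
      # ip=<address>::<gateway>:<netmask>:::none:<nameservers>
      - key: "guestinfo.afterburn.initrd.network-kargs"
        value: "ip={{ item.ip }}::{{ default_gw }}:{{ netmask }}:::none:{{ nameservers }}"
    wait_for_ip_address: no
  loop: "{{ nodes }}"
  delegate_to: localhost
  tags: vmware
  when: static_ip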
105 |
106 |
--------------------------------------------------------------------------------
/tasks/ocp4-nodes-disks-add.yaml:
--------------------------------------------------------------------------------
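# Attach the disks described by `additional_disks` to every VM named in
# `nodes` (here `nodes` is a list of VM names, not of dicts as in the
# create/erase tasks).

- name: Add disks to virtual machine
  vmware_guest_disk:
    hostname: "{{ vcenter.hostname }}"
    username: "{{ vcenter.username }}"
    password: "{{ vcenter.password }}"
    datacenter: "{{ vcenter.datacenter }}"
    # vCenter TLS certificate verification is off unless vcenter.validate_certs
    # is set to true in the vars file (previously hard-coded to `no`).
    validate_certs: "{{ vcenter.validate_certs | default(false) }}"
    folder: "{{ vcenter.folder }}"
    name: "{{ item }}"
    # Example of what one additional_disks entry looks like:
    disk: "{{ additional_disks }}"
    #  - size_mb: "{{ additional_disk_size }}"
    #    type: thin
    #    datastore: "{{ vcenter.datastore }}"
    #    state: present
    #    scsi_controller: 1
    #    unit_number: 1
    #    scsi_type: 'paravirtual'
  loop: "{{ nodes }}"
  delegate_to: localhost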
20 |
--------------------------------------------------------------------------------
/tasks/ocp4-nodes-erase.yaml:
--------------------------------------------------------------------------------
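# Delete every VM listed in `nodes`; `force` powers a running VM off first.
# This is destructive and not guarded by a confirmation — the playbook that
# includes it is the place for such a check.

- name: Remove a virtual machine
  vmware_guest:
    hostname: "{{ vcenter.hostname }}"
    username: "{{ vcenter.username }}"
    password: "{{ vcenter.password }}"
    datacenter: "{{ vcenter.datacenter }}"
    cluster: "{{ vcenter.cluster }}"
    # vCenter TLS certificate verification is off unless vcenter.validate_certs
    # is set to true in the vars file (previously hard-coded to `no`).
    validate_certs: "{{ vcenter.validate_certs | default(false) }}"
    folder: "{{ vcenter.folder }}"
    name: "{{ item.name }}"
    state: absent
    force: yes
  loop: "{{ nodes }}"
  delegate_to: localhost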
15 |
--------------------------------------------------------------------------------
/tasks/ocp4-nodes-poweron.yaml:
--------------------------------------------------------------------------------
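# Power on every VM listed in `nodes`.

- name: Power on a virtual machine
  vmware_guest:
    hostname: "{{ vcenter.hostname }}"
    username: "{{ vcenter.username }}"
    password: "{{ vcenter.password }}"
    datacenter: "{{ vcenter.datacenter }}"
    cluster: "{{ vcenter.cluster }}"
    # vCenter TLS certificate verification is off unless vcenter.validate_certs
    # is set to true in the vars file (previously hard-coded to `no`).
    validate_certs: "{{ vcenter.validate_certs | default(false) }}"
    folder: "{{ vcenter.folder }}"
    name: "{{ item.name }}"
    state: poweredon
    force: yes
  loop: "{{ nodes }}"
  delegate_to: localhost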
15 |
16 |
--------------------------------------------------------------------------------
/tasks/ocp4-test-dns-VIPS.yaml:
--------------------------------------------------------------------------------
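# Resolve <record>.<cluster_name>.<base_domain> and assert the answer looks
# like an IPv4 address. `record` is supplied by the calling playbook.

- name: check DNS record
  command: dig +short {{ record }}.{{ cluster_name }}.{{ base_domain }}
  register: result
  # A DNS lookup changes nothing on the host.
  changed_when: false

- debug:
    msg: DNS query {{ record }}.{{ cluster_name }}.{{ base_domain }} --> {{ result.stdout }}

- assert:
    that:
      - result.stdout is regex("[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")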
11 |
12 |
--------------------------------------------------------------------------------
/tasks/ocp4-test-dns-masters-etcd.yaml:
--------------------------------------------------------------------------------
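# Round-trip check for one etcd record: <prefix>.<cluster>.<domain> must
# resolve to an IP whose PTR record resolves back to that same IP.

- name: dig {{ prefix }}.{{ cluster_name }}.{{ base_domain }} +short
  command: dig {{ prefix }}.{{ cluster_name }}.{{ base_domain }} +short
  register: etcdx_IP
  changed_when: false

# Fail here with a clear message instead of feeding an empty answer to the
# reverse lookup below (`dig -x` with no address queries something else).
- assert:
    that:
      - etcdx_IP.stdout is regex("[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+")
    fail_msg: "{{ prefix }}.{{ cluster_name }}.{{ base_domain }} did not resolve to an IPv4 address"

- name: dig -x {{ etcdx_IP.stdout }} +short
  command: dig -x {{ etcdx_IP.stdout }} +short
  register: masterx
  changed_when: false

- name: dig {{ masterx.stdout }} +short
  command: dig {{ masterx.stdout }} +short
  register: masterx_IP
  changed_when: false

- assert:
    that:
      - masterx_IP.stdout == etcdx_IP.stdout
    fail_msg: "PROBLEM while resolving {{ prefix }}: forward and reverse records disagree"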
22 |
--------------------------------------------------------------------------------
/tasks/ocp4-test-dns-nodes.yaml:
--------------------------------------------------------------------------------
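# Round-trip check for one node address: the PTR record of `addr` must
# resolve back to `addr`.

- name: dig -x {{ addr }} +short
  command: dig -x {{ addr }} +short
  register: addr_NAME
  changed_when: false
  tags: ocp4-test-dns-nodes

- name: dig {{ addr_NAME.stdout }} +short
  command: dig {{ addr_NAME.stdout }} +short
  register: node_IP
  changed_when: false
  tags: ocp4-test-dns-nodes

- assert:
    that:
      # Conditions are already Jinja expressions; wrapping `addr` in
      # moustaches there is the nested-templating pattern Ansible warns about.
      - node_IP.stdout == addr
    success_msg: "{{ addr_NAME.stdout }} correctly resolve to {{ addr }} and vice-versa"
    fail_msg: "PROBLEM while resolving {{ addr }}"
  tags: ocp4-test-dns-nodes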
17 |
18 |
--------------------------------------------------------------------------------
/tasks/yum_set_proxy.yaml:
--------------------------------------------------------------------------------
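# Add or remove the `proxy=` line in /etc/yum.conf according to
# use_proxy_for_yum. Both conditions go through the `bool` filter so a string
# value such as "false" is treated the same way by the two tasks (the old
# `not use_proxy_for_yum` saw any non-empty string as true and neither task
# would run).

- name: set yum proxy if needed
  lineinfile:
    path: /etc/yum.conf
    regexp: '^proxy='
    line: "proxy={{ proxy_env.http_proxy }}"
    state: present
  when: use_proxy_for_yum | bool
  tags: [ create_manifest ]

# With state=absent every line matching regexp is removed; no `line` needed.
- name: unset yum proxy if not needed
  lineinfile:
    path: /etc/yum.conf
    regexp: '^proxy='
    state: absent
  when: not (use_proxy_for_yum | bool)
  tags: [ create_manifest ]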
18 |
--------------------------------------------------------------------------------
/templates/dhcpd.conf.j2:
--------------------------------------------------------------------------------
# dhcpd.conf
#
# Rendered by Ansible from templates/dhcpd.conf.j2 for the OCP4 machine
# network: one dynamic pool plus fixed addresses for bootstrap, masters and
# workers keyed on the MACs pinned in ocp4-nodes-create.yaml.
#

# option definitions common to all supported networks...
# The global name server is given by hostname; the subnet and host blocks
# below override it with this host's IPv4 address.
option domain-name "{{ base_domain }}";
option domain-name-servers ns01.{{ base_domain }};

default-lease-time 600;
max-lease-time 7200;

# Use this to enable / disable dynamic dns updates globally.
#ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

# This is a very basic subnet declaration

# Dynamic pool is hard-coded to .32-.63 of the machine network; keep the
# fixed addresses declared in the host blocks below outside this range.
subnet {{ machineCIDR_first_ip }} netmask {{ machineCIDR_netmask }} {
    range {{ machineCIDR_first_three_octects }}.32 {{ machineCIDR_first_three_octects }}.63;
    option routers {{ machineCIDR_default_gw }};
    option domain-name-servers {{ ansible_default_ipv4.address }};
    option domain-name "{{ base_domain }}";
}

# This declaration allows BOOTP clients to get dynamic addresses,
# which we don't really recommend.

#subnet 10.254.239.32 netmask 255.255.255.224 {
#  range dynamic-bootp 10.254.239.40 10.254.239.60;
#  option broadcast-address 10.254.239.31;
#  option routers rtr-239-32-1.example.org;
#}

# A slightly different configuration for an internal subnet.
#subnet 10.5.5.0 netmask 255.255.255.224 {
#  range 10.5.5.26 10.5.5.30;
#  option domain-name-servers ns1.internal.example.org;
#  option domain-name "internal.example.org";
#  option routers 10.5.5.1;
#  option broadcast-address 10.5.5.31;
#  default-lease-time 600;
#  max-lease-time 7200;
#}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
#  hardware ethernet 0:0:c0:5d:bd:95;
#  filename "vmunix.passacaglia";
#  server-name "toccata.fugue.com";
#}

# Fixed IP addresses can also be specified for hosts. These addresses
# should not also be listed as being available for dynamic assignment.
# Hosts for which fixed IP addresses have been specified can boot using
# BOOTP or DHCP. Hosts for which no fixed address is specified can only
# be booted with DHCP, unless there is an address range on the subnet
# to which a BOOTP client is connected which has the dynamic-bootp flag
# set.

# Fixed leases for the cluster nodes. The template indexes bootstrap[0],
# masters[0..2] and workers[0..1] directly, so the vars must define exactly
# one bootstrap, three masters and two workers (a shorter list fails to
# render; extra nodes are silently left out).
host bootstrap {
    hardware ethernet {{ bootstrap[0].mac }};
    fixed-address {{ bootstrap[0].ip }};
    option host-name "{{ bootstrap[0].name }}.{{ base_domain }}";
    option routers {{ machineCIDR_default_gw }};
    option domain-name-servers {{ ansible_default_ipv4.address }};
}

host masters01 {
    hardware ethernet {{ masters[0].mac }};
    fixed-address {{ masters[0].ip }};
    option host-name "{{ masters[0].name }}.{{ base_domain }}";
    option routers {{ machineCIDR_default_gw }};
    option domain-name-servers {{ ansible_default_ipv4.address }};
}

host masters02 {
    hardware ethernet {{ masters[1].mac }};
    fixed-address {{ masters[1].ip }};
    option host-name "{{ masters[1].name }}.{{ base_domain }}";
    option routers {{ machineCIDR_default_gw }};
    option domain-name-servers {{ ansible_default_ipv4.address }};
}

host masters03 {
    hardware ethernet {{ masters[2].mac }};
    fixed-address {{ masters[2].ip }};
    option host-name "{{ masters[2].name }}.{{ base_domain }}";
    option routers {{ machineCIDR_default_gw }};
    option domain-name-servers {{ ansible_default_ipv4.address }};
}

host workers01 {
    hardware ethernet {{ workers[0].mac }};
    fixed-address {{ workers[0].ip }};
    option host-name "{{ workers[0].name }}.{{ base_domain }}";
    option routers {{ machineCIDR_default_gw }};
    option domain-name-servers {{ ansible_default_ipv4.address }};
}

host workers02 {
    hardware ethernet {{ workers[1].mac }};
    fixed-address {{ workers[1].ip }};
    option host-name "{{ workers[1].name }}.{{ base_domain }}";
    option routers {{ machineCIDR_default_gw }};
    option domain-name-servers {{ ansible_default_ipv4.address }};
}
122 |
123 |
--------------------------------------------------------------------------------
/templates/haproxy.cfg.j2:
--------------------------------------------------------------------------------
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
# Rendered by Ansible (templates/haproxy.cfg.j2): TCP pass-through load
# balancing for the OCP4 API, machine-config server and ingress routers.
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# Stats page. It is bound on all interfaces, has no authentication, and
# 5555/tcp is opened in the public firewall zone by the haproxy tasks; it
# reveals backend names, addresses and health. Bind it to 127.0.0.1 or add
# `stats auth` if the host is reachable from untrusted networks.
listen stats # Define a listen section called "stats"
    bind :5555 # Listen on all interfaces, port 5555
    mode http
    stats enable  # Enable stats page
    stats realm Haproxy\ Statistics  # Title text for popup window
    stats uri /haproxy_stats  # Stats URI

#---------------------------------------------------------------------
# OCP4
# All frontends are TCP pass-through (mode tcp): TLS terminates on the
# cluster nodes, so haproxy never sees the plaintext.
#---------------------------------------------------------------------
# Kubernetes API. The bootstrap node stays in the pool; remove or disable
# it once the bootstrap phase is complete.
frontend openshift-api-server
    bind {{ ansible_default_ipv4.address }}:6443
    default_backend openshift-api-server
    mode tcp
    option tcplog

backend openshift-api-server
    balance source
    mode tcp
    server bootstrap {{ bootstrap[0].ip }}:6443 check
    server master01 {{ masters[0].ip }}:6443 check
    server master02 {{ masters[1].ip }}:6443 check
    server master03 {{ masters[2].ip }}:6443 check

# Machine config server (serves ignition to joining nodes).
frontend machine-config-server
    bind {{ ansible_default_ipv4.address }}:22623
    default_backend machine-config-server
    mode tcp
    option tcplog

backend machine-config-server
    balance source
    mode tcp
    server bootstrap {{ bootstrap[0].ip }}:22623 check
    server master01 {{ masters[0].ip }}:22623 check
    server master02 {{ masters[1].ip }}:22623 check
    server master03 {{ masters[2].ip }}:22623 check

# Ingress routers run on the two workers.
frontend ingress-http
    bind {{ ansible_default_ipv4.address }}:80
    default_backend ingress-http
    mode tcp
    option tcplog

backend ingress-http
    balance source
    mode tcp
    server {{ workers[0].name }} {{ workers[0].ip }}:80 check
    server {{ workers[1].name }} {{ workers[1].ip }}:80 check

frontend ingress-https
    bind {{ ansible_default_ipv4.address }}:443
    default_backend ingress-https
    mode tcp
    option tcplog

backend ingress-https
    balance source
    mode tcp
    server {{ workers[0].name }} {{ workers[0].ip }}:443 check
    server {{ workers[1].name }} {{ workers[1].ip }}:443 check
121 |
122 |
--------------------------------------------------------------------------------
/templates/install-config.yaml.j2:
--------------------------------------------------------------------------------
{# install-config.yaml for openshift-install (vSphere UPI). The rendered file
   contains the vCenter password, the pull secret and the SSH public key, so
   treat it and any copy of it as a secret. #}
apiVersion: v1
baseDomain: {{ base_domain }}
{# The proxy block is rendered whenever proxy_env.http_proxy is non-empty. #}
{% if proxy_env.http_proxy %}
proxy:
  httpProxy: "{{ proxy_env.http_proxy }}"
  httpsProxy: "{{ proxy_env.https_proxy }}"
  noProxy: "{{ proxy_env.no_proxy }}"
{% endif %}
{# UPI: replicas 0 because the worker VMs are created by this playbook. #}
compute:
- hyperthreading: Enabled
  name: worker
  replicas: 0
controlPlane:
  hyperthreading: Enabled
  name: master
  replicas: 3
metadata:
  name: {{ cluster_name }}
platform:
  vsphere:
    vcenter: '{{ vcenter.hostname }}'
    username: '{{ vcenter.username }}'
    password: '{{ vcenter.password }}'
    datacenter: '{{ vcenter.datacenter }}'
    defaultDatastore: '{{ vcenter.datastore }}'
    folder: '{{ vcenter.folder }}'
fips: false
networking:
  networkType: {{ openshift.networkType }}
{% if openshift.machineCIDR %}
  machineCIDR: {{ openshift.machineCIDR }}
{% endif %}
  clusterNetworks:
  - cidr: {{ openshift.clusterNetwork.cidr }}
    hostPrefix: {{ openshift.clusterNetwork.hostPrefix}}
  serviceNetwork:
  - {{ openshift.serviceNetwork }}
{# Single-quoted: a pull secret is JSON and contains double quotes. #}
pullSecret: '{{ pull_secret }}'
sshKey: '{{ ssh_key }}'
40 |
41 |
--------------------------------------------------------------------------------
/templates/named-direct-resolution.conf.j2:
--------------------------------------------------------------------------------
; Forward zone for {{ base_domain }}, rendered by Ansible from
; templates/named-direct-resolution.conf.j2. Node records are relative to
; the zone origin; the cluster API/etcd/apps records switch $ORIGIN below.
$TTL 300 ; 5 minutes
@ IN SOA ns01.{{ base_domain }}. admin.{{ base_domain }}. (
    4      ; Serial - bump it whenever the rendered records change
    0      ; Refresh
    300    ; Retry
    0      ; Expire
    300 )  ; Negative Cache TTL

; name servers - NS records
@ IN NS ns01.{{ base_domain }}.
; name servers - A records
ns01.{{ base_domain }}. IN A {{ ansible_default_ipv4.address }}

; All other A records
;bastion.{{ base_domain }}. IN A {{ ansible_default_ipv4.address }}

; Exactly one bootstrap, three masters and two workers are expected; a
; shorter list fails to render and extra nodes are silently left out.
{{ bootstrap[0].name }} IN A {{ bootstrap[0].ip }}
{{ masters[0].name }} IN A {{ masters[0].ip }}
{{ masters[1].name }} IN A {{ masters[1].ip }}
{{ masters[2].name }} IN A {{ masters[2].ip }}
{{ workers[0].name }} IN A {{ workers[0].ip }}
{{ workers[1].name }} IN A {{ workers[1].ip }}

; api and api-int point at this host, i.e. the haproxy frontends.
$ORIGIN {{ cluster_name }}.{{ base_domain }}.
api IN A {{ ansible_default_ipv4.address }}
api-int IN A {{ ansible_default_ipv4.address }}
etcd-0 IN A {{ masters[0].ip }}
etcd-1 IN A {{ masters[1].ip }}
etcd-2 IN A {{ masters[2].ip }}

_etcd-server-ssl._tcp SRV 0 10 2380 etcd-0
_etcd-server-ssl._tcp SRV 0 10 2380 etcd-1
_etcd-server-ssl._tcp SRV 0 10 2380 etcd-2

; Wildcard for application routes, also served through haproxy.
$ORIGIN apps.{{ cluster_name }}.{{ base_domain }}.
* IN A {{ ansible_default_ipv4.address }}
37 |
38 |
--------------------------------------------------------------------------------
/templates/named-reverse-resolution.conf.j2:
--------------------------------------------------------------------------------
; Reverse zone for the machine network, rendered by Ansible from
; templates/named-reverse-resolution.conf.j2. Assumes a /24: each PTR owner
; is the last octet, extracted from the IP with regex_replace.
$ORIGIN {{ machineCIDR_first_three_octects_reverse }}.in-addr.arpa.
$TTL 86400 ; 1 day
@ IN SOA ns01.{{ base_domain }}. admin.{{ base_domain }}. (
    2        ; Serial - bump it whenever the rendered records change
    7200     ; refresh (2 hours)
    7200     ; retry (2 hours)
    2419200  ; expire (5 weeks 6 days 16 hours)
    86400 )  ; minimum (1 day)

{{ machineCIDR_first_three_octects_reverse }}.in-addr.arpa. IN NS ns01.{{ base_domain }}.

{{ ansible_default_ipv4.address | regex_replace('^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.([0-9]{1,3})$', '\\1') }} IN PTR ns01.{{ base_domain }}.

{{ bootstrap[0].ip | regex_replace('^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.([0-9]{1,3})$', '\\1') }} IN PTR {{ bootstrap[0].name }}.{{ base_domain }}.
{{ masters[0].ip | regex_replace('^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.([0-9]{1,3})$', '\\1') }} IN PTR {{ masters[0].name }}.{{ base_domain }}.
{{ masters[1].ip | regex_replace('^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.([0-9]{1,3})$', '\\1') }} IN PTR {{ masters[1].name }}.{{ base_domain }}.
{{ masters[2].ip | regex_replace('^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.([0-9]{1,3})$', '\\1') }} IN PTR {{ masters[2].name }}.{{ base_domain }}.
{{ workers[0].ip | regex_replace('^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.([0-9]{1,3})$', '\\1') }} IN PTR {{ workers[0].name }}.{{ base_domain }}.
{{ workers[1].ip | regex_replace('^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.([0-9]{1,3})$', '\\1') }} IN PTR {{ workers[1].name }}.{{ base_domain }}.
20 |
--------------------------------------------------------------------------------
/templates/named.conf.j2:
--------------------------------------------------------------------------------
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// Rendered by Ansible (templates/named.conf.j2): authoritative for the
// cluster base domain and its reverse zone, recursive for everything else
// via the configured forwarder.
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    // Only the v6 listener is restricted to loopback; without a listen-on
    // statement the IPv4 listener keeps BIND's default of all interfaces.
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    // recursion + allow-query { any; } = open resolver for every network that
    // can reach port 53 (the named tasks open dns in the public firewall
    // zone). Add an `allow-recursion { localhost; <machine network>; };`
    // statement if this host is reachable from outside the cluster network.
    recursion yes;

    // DNSSEC validation is disabled, so answers obtained through the
    // forwarder are accepted unverified.
    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    # Upstream resolver(s) for everything this server is not authoritative
    # for, taken from the dns_forwarder variable.
    forwarders {
        {{ dns_forwarder }};
    };
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

// Zones rendered by the named tasks into /etc/named/zones.
zone "{{ base_domain }}" {
    type master;
    file "/etc/named/zones/named-direct-resolution.conf";
};

zone "{{ machineCIDR_first_three_octects_reverse }}.in-addr.arpa" in {
    type master;
    file "/etc/named/zones/named-reverse-resolution.conf";
};
75 |
76 |
--------------------------------------------------------------------------------
/templates/ocp4-vars-dynamic.yaml.j2:
--------------------------------------------------------------------------------
1 |
2 | ## DO NOT MODIFY THIS FILE BY HAND - IT IS MANAGED BY THE PLAYBOOK
3 |
4 | master_ign: ""
5 |
6 | worker_ign: ""
7 |
8 | bootstrap_ign: ""
9 |
--------------------------------------------------------------------------------
/vars/ocp4-vars-proxy-whitelist.yaml:
--------------------------------------------------------------------------------
1 | ### List of prerequisite URIs (proxy whitelist) required to install OCP4
2 |
3 | proxy_whitelist_mandatory:
4 | - registry.redhat.io
5 | - quay.io
6 | - sso.redhat.com
7 | - openshift.org
8 | - cert-api.access.redhat.com
9 | - api.access.redhat.com
10 | - infogw.api.openshift.com
11 | - cloud.redhat.com
12 | - mirror.openshift.com
13 | - api.openshift.com
14 | - registry.access.redhat.com
15 |
--------------------------------------------------------------------------------
/vars/ocp4-vars-vmware-upi-installer.yaml:
--------------------------------------------------------------------------------
1 | ---
2 | ############## General variables to set working environment - BEGIN
3 | # Directory to store openshift installation files:
4 | work_dir: "/tmp/openshift-install-{{ lookup('pipe','date +%Y%m%d') }}"
5 | ocp_version: 4.7.16
6 | openshift_clients_url: "https://mirror.openshift.com/pub/openshift-v4/clients/ocp/{{ ocp_version }}"
7 | client_linux: "openshift-client-linux-{{ ocp_version }}.tar.gz"
8 | install_linux: "openshift-install-linux-{{ ocp_version }}.tar.gz"
9 | # httpd server port used to serve the ignition files (SELinux compatible):
10 | httpd_port: 8008
11 | document_root: "/var/www/html"
12 | # Proxy must be in the form http://<host>:<port> - add the vCenter address to the no_proxy variable if required:
13 | proxy_env:
14 | http_proxy: 'http://192.168.103.1:3128'
15 | https_proxy: 'http://192.168.103.1:3128'
16 | no_proxy: '.apps.lab03.gpslab.club,.ipa.gpslab.club,.lab03.gpslab.club'
17 | # http_proxy: ''
18 | # https_proxy: ''
19 | # no_proxy: ''
20 | use_proxy_for_yum: no
21 |
22 | ############## General variables to set working environment - END
23 |
24 | ############## VMware vCenter variables - BEGIN (the password below is a credential: keep it in an ansible-vault encrypted file rather than in plaintext)
25 | vcenter:
26 | hostname: "deathstar.ipa.gpslab.club"
27 | username: "vmware_sa"
28 | password: "pest-mary-carry"
29 | datacenter: "gpslab"
30 | cluster: "clu01"
31 | datastore: "vsanDatastore"
32 | network: "lab03"
33 | folder: "/gpslab/vm/lab03"
34 | # Variable required if multiple distributed portgroups exists:
35 | # dvswitch_name: ""
36 | ova_template_name: '/gpslab/vm/Templates/rhcos-4.7.13'
37 | vm_boot_delay: 10000
38 | ############## VMware vCenter variables - END
39 |
40 | ################## Parameters used for install-config.yaml file - BEGIN (pull_secret carries registry credentials: keep it in an ansible-vault encrypted file rather than in plaintext)
41 | # base_domain of ocp4 cluster and cluster_name:
42 | base_domain: "gpslab.club"
43 | cluster_name: "lab03"
44 |
45 | openshift:
46 | networkType: "OpenShiftSDN"
47 | clusterNetwork:
48 | cidr: "10.128.0.0/14"
49 | hostPrefix: "23"
50 | serviceNetwork: "172.30.0.0/16"
51 | machineCIDR: "192.168.103.0/24"
52 |
53 | pull_secret: '{"auths":{"cloud.openshift.com":{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K21iZXR0aXJobjFpbThreGwzNWpjZ3E3YmJrZWN2Y3g5bHp6cjpKUjQxQTlUSklHQVVZVVoxMVBPR1dPSTdDSzE4VDQ2SENYSElSQUtHQ0Q1MFI3SFZaU0M2RTE5R081V1FOSkxF","email":"mbetti@redhat.com"},"quay.io":{"auth":"b3BlbnNoaWZ0LXJlbGVhc2UtZGV2K21iZXR0aXJobjFpbThreGwzNWpjZ3E3YmJrZWN2Y3g5bHp6cjpKUjQxQTlUSklHQVVZVVoxMVBPR1dPSTdDSzE4VDQ2SENYSElSQUtHQ0Q1MFI3SFZaU0M2RTE5R081V1FOSkxF","email":"mbetti@redhat.com"},"registry.connect.redhat.com":{"auth":"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","email":"mbetti@redhat.com"},"registry.redhat.io":{"auth":"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","email":"mbetti@redhat.com"}}}'
54 |
55 | ssh_key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDqmlrowTqJRz0HkVW4ckWbB4lSreYnqUZfjVbj6I+5jTRqs6cP6olbVr3PNu1DyBGKXxOS6kCDYXxnJ+ZP98AcL9oIEjnJoGSY2Vdkix4S1SdKXuOKzMc8GJe11e/i6VBDg52mMIcjeWSVWIHA9gNsrdsKjcV6fHgjjZZ4rOjRrsfItV8Um4BKpofXugCA2Eq14nmjfSnHQUHH29GBedG7XjaV3USKJ4zSUWm/lgHipNi4QLr0e0unsOah/0yHDuyg6Yp0FeRAFuroP4rD1og9zmwSiOkgxFXlWgAmAqK8kJL8fvNSfIcLBju2h5SHFlPHrEehJqtEd8fco6Hq+FKL mbetti@bastion.lab03.ipa.gpslab.club'
56 |
57 | bootstrap_ignition_config_url: "http://{{ ansible_default_ipv4.address }}:{{ httpd_port }}/bootstrap.ign"
58 | ################## Parameters used for install-config.yaml file - END
59 |
60 | ####################### Variables for DNS & DHCP server setup - BEGIN
61 | machineCIDR_netmask: "255.255.255.0"
62 | machineCIDR_first_ip: "{{ openshift.machineCIDR | regex_replace('^([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})/[0-9]{1,2}', '\\1') }}"
63 | machineCIDR_first_three_octects: "{{ machineCIDR_first_ip | regex_replace('^([0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})\\.[0-9]{1,3}$', '\\1') }}"
64 | machineCIDR_first_three_octects_reverse: "{{ machineCIDR_first_three_octects | regex_replace('^([0-9]{1,3})\\.([0-9]{1,3})\\.([0-9]{1,3})$', '\\3.\\2.\\1') }}"
65 | # usually the default gateway is the first or the last address of the range:
66 | machineCIDR_default_gw: "{{ machineCIDR_first_three_octects }}.1"
67 | # this should be set to the corporate DNS server:
68 | dns_forwarder: "8.8.8.8"
69 | machineDNS: "{{machineCIDR_default_gw}}"
70 | machineBaseDomain: "lab03.ipa.gpslab.club"
71 | machineInterface: "ens192"
72 | ####################### Variables for DNS & DHCP server setup - END
73 |
74 | ################## OpenShift Nodes details to provision VMs on vmware vCenter - BEGIN
75 | # The 'ip' attribute is used to verify the DNS configuration and to set up DHCP & DNS if required.
76 | # The 'mac_range_start' and 'mac' attributes must be changed according to corporate rules, within the VMware MAC address range.
77 | # The minimum setup consists of one bootstrap, three masters and two workers.
78 | # More workers can be added by adding more lines to the 'workers:' list. PLEASE MODIFY the named and dhcpd templates ACCORDINGLY if DHCP & DNS setup is required.
79 | mac_range_start: 00:50:56:00:22
80 | static_ip: true
81 |
82 | bootstrap:
83 | - { name: "bootstrap.lab03", mac: "{{ mac_range_start }}:00", ip: "{{ machineCIDR_first_three_octects }}.60", disk: "120", memory: "16000", cpu: "4" }
84 |
85 | masters:
86 | - { name: "master1.lab03", mac: "{{ mac_range_start }}:01", ip: "{{ machineCIDR_first_three_octects }}.61", disk: "120", memory: "16000", cpu: "4" }
87 | - { name: "master2.lab03", mac: "{{ mac_range_start }}:02", ip: "{{ machineCIDR_first_three_octects }}.62", disk: "120", memory: "16000", cpu: "4" }
88 | - { name: "master3.lab03", mac: "{{ mac_range_start }}:03", ip: "{{ machineCIDR_first_three_octects }}.63", disk: "120", memory: "16000", cpu: "4" }
89 |
90 | workers:
91 | - { name: "worker1.lab03", mac: "{{ mac_range_start }}:04", ip: "{{ machineCIDR_first_three_octects }}.64", disk: "120", memory: "32000", cpu: "8" }
92 | - { name: "worker2.lab03", mac: "{{ mac_range_start }}:05", ip: "{{ machineCIDR_first_three_octects }}.65", disk: "120", memory: "32000", cpu: "8" }
93 | - { name: "worker3.lab03", mac: "{{ mac_range_start }}:06", ip: "{{ machineCIDR_first_three_octects }}.66", disk: "120", memory: "32000", cpu: "8" }
94 | #- { name: "worker4.lab03", mac: "{{ mac_range_start }}:07", ip: "{{ machineCIDR_first_three_octects }}.67", disk: "120", memory: "16000", cpu: "4" }
95 | #- { name: "worker5.lab03", mac: "{{ mac_range_start }}:08", ip: "{{ machineCIDR_first_three_octects }}.68", disk: "120", memory: "16000", cpu: "4" }
96 | #- { name: "worker6.lab03", mac: "{{ mac_range_start }}:09", ip: "{{ machineCIDR_first_three_octects }}.69", disk: "120", memory: "8000", cpu: "4" }
97 | #- { name: "worker7.lab03", mac: "{{ mac_range_start }}:10", ip: "{{ machineCIDR_first_three_octects }}.70", disk: "120", memory: "48000", cpu: "12" }
98 | #- { name: "worker8.lab03", mac: "{{ mac_range_start }}:11", ip: "{{ machineCIDR_first_three_octects }}.71", disk: "120", memory: "48000", cpu: "12" }
99 | #- { name: "worker9.lab03", mac: "{{ mac_range_start }}:12", ip: "{{ machineCIDR_first_three_octects }}.72", disk: "120", memory: "48000", cpu: "12" }
100 | ################## OpenShift Nodes details to provision VMs on vmware vCenter - END
101 |
102 | storage_nodes:
103 | - "worker1.lab03"
104 | - "worker2.lab03"
105 | - "worker3.lab03"
106 |
107 | additional_disks:
108 | - size_gb: "2000"
109 | type: thin
110 | datastore: "{{ vcenter.datastore }}"
111 | state: present
112 | scsi_controller: 1
113 | unit_number: 1
114 | scsi_type: 'paravirtual'
115 | # - size_gb: "2000"
116 | # type: thin
117 | # datastore: "{{ vcenter.datastore }}"
118 | # state: present
119 | # scsi_controller: 1
120 | # unit_number: 2
121 | # scsi_type: 'paravirtual'
122 | # - size_gb: "2000"
123 | # type: thin
124 | # datastore: "{{ vcenter.datastore }}"
125 | # state: present
126 | # scsi_controller: 1
127 | # unit_number: 3
128 | # scsi_type: 'paravirtual'
129 | #
130 |
--------------------------------------------------------------------------------