├── .gitignore
├── LICENSE
├── README.md
├── auto_deploy.sh
├── collections
└── requirements.yml
├── deploy_all.yml
├── deploy_day2ops.yml
├── deploy_only.yml
├── deploy_only_acs.yml
├── deploy_only_argocd.yml
├── deploy_only_cmanager.yml
├── deploy_only_infra.yml
├── deploy_only_logging.yml
├── deploy_only_monitoring.yml
├── deploy_only_oauth.yml
├── deploy_only_project_request_template.yml
├── deploy_only_registry.yml
├── deploy_only_workers.yml
├── examples
├── vars.yml
├── vars_all.yml
├── vars_argocd.yml
├── vars_day2ops.yml
└── vault.yml
├── group_vars
└── all
├── images
└── Dockerfile
├── pics
├── tower1.png
├── tower2.png
├── tower3.png
├── tower4.jpg
└── wf1.png
├── requirements.txt
├── roles
├── README.md
├── awscli
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ ├── download.yml
│ │ ├── install.yml
│ │ └── main.yml
│ ├── templates
│ │ └── credentials.j2
│ └── vars
│ │ └── main.yml
├── common
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-install
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ ├── create_config.yml
│ │ ├── download.yml
│ │ ├── install.yml
│ │ ├── main.yml
│ │ └── print_info.yml
│ ├── templates
│ │ └── install-config.yaml.j2
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-acs
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ ├── central.yml
│ │ ├── main.yml
│ │ └── sensor.yml
│ └── templates
│ │ ├── central.yml.j2
│ │ └── cluster.yml.j2
├── ocp4-post-argocd
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── templates
│ │ ├── argo-install.yaml
│ │ ├── argo-ns.yaml
│ │ ├── argo-og.yaml
│ │ └── argo-sub.yaml
│ └── vars
│ │ └── main.yml
├── ocp4-post-cert-manager
│ ├── .travis.yml
│ ├── files
│ │ ├── cert-manager-dns.yml
│ │ ├── cert-patch-ingress-operator.yml
│ │ └── cert_aws_key_new.yml
│ ├── tasks
│ │ ├── aws_credentials.yml
│ │ ├── certificates.yml
│ │ ├── certmanager_issuer.yml
│ │ ├── certmanager_operator.yml
│ │ ├── main.yml
│ │ └── test.yml
│ └── templates
│ │ ├── certificate.yaml
│ │ ├── certificates.yml.j2
│ │ ├── issuer.yml.j2
│ │ └── ns.yml.j2
├── ocp4-post-cluster-autoscale
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ └── tasks
│ │ └── main.yml
├── ocp4-post-infra-nodes
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ ├── async.yml
│ │ ├── elk-nodes.yml
│ │ ├── infra-nodes.yml
│ │ └── main.yml
│ ├── templates
│ │ ├── image-registry.j2
│ │ ├── ingress-controller.j2
│ │ ├── machine-config-daemonset.j2
│ │ ├── machineset.j2
│ │ └── node-ca-daemonset.j2
│ └── vars
│ │ └── main.yml
├── ocp4-post-logging
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ ├── clo-og.yaml
│ │ ├── eo-og.yaml
│ │ └── eo-rbac.yaml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ ├── configuration.yml
│ │ ├── installation.yml
│ │ └── main.yml
│ ├── templates
│ │ ├── clo-namespace.yaml
│ │ ├── clo-sub.yaml
│ │ ├── eo-namespace.yaml
│ │ ├── eo-sub.yaml
│ │ └── logging-crd.yaml
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-machinesets
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── templates
│ │ └── machineset.j2
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-monitoring
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── templates
│ │ └── cluster-monitoring-config.yml
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-oauth
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── tasks
│ │ ├── main.yml
│ │ ├── oauth-azuread.yml
│ │ ├── oauth-google.yml
│ │ ├── oauth-htpasswd.yml
│ │ ├── oauth-ldap.yml
│ │ ├── remove-kubeadmin.yml
│ │ └── remove-self-provisioner.yml
│ └── templates
│ │ ├── cluster_role_binding.j2
│ │ ├── google-openid-client-secret.j2
│ │ ├── htpasswd.j2
│ │ ├── oauth-google.j2
│ │ ├── oauth-htpasswd.yml
│ │ └── oauth-ldap.j2
├── ocp4-post-ocs
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── templates
│ │ ├── operatorgroup.yml.j2
│ │ ├── storagecluster.yml.j2
│ │ └── subscription.yml.j2
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-project-template-request
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── files
│ │ └── openshift-ingress-namespaces.yaml
│ ├── tasks
│ │ └── main.yml
│ ├── templates
│ │ ├── project_request_config.j2
│ │ └── project_request_template.j2
│ └── vars
│ │ └── main.yml
├── ocp4-post-registry
│ ├── .travis.yml
│ ├── README.md
│ ├── tasks
│ │ └── main.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-rhsso
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-routesharding
│ ├── README.md
│ ├── handlers
│ │ └── main.yml
│ ├── tasks
│ │ ├── main.yml
│ │ └── router.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-service-mesh
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── templates
│ │ ├── elasticsearch-operator.yml
│ │ ├── istio-installation.yml
│ │ ├── istio-memberroll.yml
│ │ ├── jaegar-operator.yml
│ │ ├── kiali-operator.yml
│ │ ├── servicemesh-namespace.yml
│ │ └── servicemesh-operator.yml
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-tekton
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ └── main.yml
│ ├── templates
│ │ ├── catalogsource.j2
│ │ ├── installplan.j2
│ │ └── subscription.j2
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
├── ocp4-post-worker-nodes
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ ├── config.yml
│ │ ├── fetch_info.yml
│ │ └── main.yml
│ └── vars
│ │ └── main.yml
├── ocp4-uninstall
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ │ └── main.yml
│ ├── handlers
│ │ └── main.yml
│ ├── meta
│ │ └── main.yml
│ ├── tasks
│ │ ├── main.yml
│ │ └── uninstall.yml
│ ├── tests
│ │ ├── inventory
│ │ └── test.yml
│ └── vars
│ │ └── main.yml
└── ocp4-upgrade
│ ├── .travis.yml
│ ├── README.md
│ ├── defaults
│ └── main.yml
│ ├── handlers
│ └── main.yml
│ ├── meta
│ └── main.yml
│ ├── tasks
│ └── main.yml
│ ├── tests
│ ├── inventory
│ └── test.yml
│ └── vars
│ └── main.yml
├── undeploy.yml
├── vars
├── .gitkeep
├── vars-backup.yml
└── vars.yml
└── vault
├── .gitkeep
└── vault.yml
/.gitignore:
--------------------------------------------------------------------------------
# vault/vault.yml is deliberately NOT ignored (the line below is commented out):
# the README expects it to be edited with `ansible-vault edit`, so only the
# encrypted form should ever be committed.
#vault/vault.yml
# The vault password itself must never be tracked.
.vault-password-file
# vars/vars.yml is tracked on purpose (line commented out); cluster-specific
# variants and plaintext AWS credentials below are kept out of the repo.
#vars/vars.yml
vars/aws-creds.yml
vars/vars-backup.yml
6 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Openshift4 Auto Install
2 |
3 | > **Note**: This is a WIP repository. Expect some changes, and modifications in the future.
4 |
5 | This repository provides a way to deploy OpenShift 4 IPI in AWS (Azure is WIP)
6 | and to perform the Post-Install and Day2 Operations 100% automatically.
7 |
8 | Openshift installer is used along with Ansible for creation and customization of the Openshift Cluster.
9 |
10 |
11 |
12 | Each day2 operation in this repo can be executed in isolation (e.g. only execute the logging day2ops to
13 | configure the logging stack).
14 |
15 | ## Features
16 |
17 | The main features are:
18 |
19 | * Easy deployment of OCP4 cluster IPI in AWS or Azure
20 | * No bastion needed and no additional local software installation (only Ansible is needed)
21 | * Configuration of the PostInstall and Day2Operations
22 | * Ansible Tower friendly!
23 | * Modularized & Capable of executing specific day2ops (only execute logging)
24 | * Idempotent and easy to debug
25 | * Versatile and modular with parameters
26 |
27 | ## Installation & Prerequisites
28 |
29 | ### Requirements
30 |
31 | * Ansible
32 | * Ansible Tower (optional)
33 | * Some pip modules (boto3, kubernetes, openshift and pylint)
34 |
35 | ### Create/Customize the Variables yaml
36 |
37 | * Copy or generate the vars.yml and customize it to fit your needs:
38 |
39 | ```
40 | cp -pr examples/vars.yml vars/vars.yml
41 | ```
42 |
43 | * Generate a Vault-File with the credentials of AWS/Azure and OCP4 PullSecret:
44 |
45 | ```
46 | $ ansible-vault edit vault/vault.yml
47 | ```
48 |
49 | and fill inside the vault.yml with:
50 |
51 | ```
52 | aws_access_key_id: SECRET
53 | aws_secret_access_key: SECRET
54 | ocp4_pull_secret: '<<< pull_secret_azure >>>'
55 | ```
56 |
57 | To obtain the pull secret, go to [OCP4 Install](https://cloud.redhat.com/openshift/install)
58 |
59 | * Generate the .vault-password-file and put the vault password in it (this file is listed in .gitignore; keep it out of version control)
60 |
61 | ```
62 | touch .vault-password-file
63 | echo "yourpasswordfancy" >> .vault-password-file
64 | ```
65 |
66 | * Optional: if you want to generate Let's Encrypt certificates, install the collection requirements
67 |
68 | ```
69 | ansible-galaxy collection install -r collections/requirements.yml
70 | ```
71 |
72 | ## Usage
73 |
74 | ### Automated deployment end2end of Openshift4 cluster (end2end)
75 |
76 | Execute and wait a little bit:
77 |
78 | ```
79 | ./auto_deploy.sh
80 | ```
81 |
82 | ## Custom Deployment
83 |
84 | The container for the installation can be used for Post-Install or Day2 Operations without deploying the whole cluster
85 |
86 | * To deploy only the day2ops:
87 |
88 | ```
89 | ansible-playbook -i ,localhost deploy_day2ops.yml --ask-vault-pass
90 | ```
91 |
92 | * To install only, with no day2ops:
93 |
94 | ```
95 | ansible-playbook -i ,localhost deploy_only.yml --ask-vault-pass
96 | ```
97 |
98 | * To run only a specific day2ops (replace `<day2ops>` with one of the deploy_only_*.yml suffixes, e.g. logging):
99 |
100 | ```
101 | ansible-playbook -i ,localhost deploy_only_<day2ops>.yml
102 | ```
103 |
104 | ## Customizations (WIP)
105 |
106 | #### Kubeconfig
107 |
108 | The installer looks for the kubeconfig at {{ user_path }}/auth/kubeconfig, but you can use
109 | your own kubeconfig for the day2ops by setting it explicitly:
110 |
111 | ```
112 | kubeconfig: ~/.kube/ocp4-opentlc
113 | ```
114 |
115 | #### Openshift Cluster Variables
116 |
117 | ```
118 | ocp4_version: '4.4.3'
119 | cloud_provider: 'ec2' or 'azure'
120 | cluster_name: 'myfancycluster'
121 | ocp4_base_domain: 'yourbasedomain'
122 | aws_region: eu-central-1
123 | master_instance_type: m5.xlarge
124 | master_instance_count: 3
125 | worker_instance_type: m5.xlarge
126 | worker_instance_count: 3
127 | ```
128 |
129 | #### Day2Operations Variables
130 |
131 | * Deploy only the post-install without deploying the cluster
132 |
133 | ```
134 | only_post_install: True
135 | ```
136 |
137 | * Configure OAuth with one of htpasswd, LDAP, Google OAuth or Azure (WIP):
138 |
139 | ```
140 | # OAuth
141 | oauth: htpasswd
142 | removekubeadmin: False
143 | removeselfprovisioning: False
144 | ```
145 |
146 | Azure: azure
147 | Google OAuth: google
148 | LDAP/IDM: ldap
149 | Htpasswd: htpasswd
150 |
151 | * Deploy worker nodes
152 |
153 | ```
154 | # Worker Nodes
155 | worker_nodes: True
156 | ```
157 |
158 | * Deploy infra nodes
159 |
160 | ```
161 | # Infra Nodes
162 | infra_nodes: True
163 | disk_size: 1024
164 | instance_type: r5.xlarge
165 | ```
166 |
167 | * Deploy OCS4 (WIP)
168 |
169 | ```
170 | # OCS4
171 | ocs: True
172 | ```
173 |
174 | * Deploy Logging EFK
175 |
176 | ```
177 | # Logging
178 | logging: True
179 | ```
180 |
181 | * Deploy Monitoring
182 |
183 | ```
184 | # Monitoring
185 | monitoring: True
186 | ```
187 |
188 | ## Tower Integrations
189 |
190 | The installation and the day2ops are prepared to be integrated into Tower, and executed in workflows
191 | and Job Templates.
192 |
193 | An example of execution could be the following:
194 |
195 | * Workflow
196 | 
197 |
198 | * Survey
199 |
200 |
201 | * Webhook Execution
202 |
203 |
204 | * Status in GH and Tower
205 |
206 |
207 | ## TODO:
208 |
209 | * Finish the Tower integrations and fully automations
210 | * Add molecule for testing these modules
211 | * Add Github actions
212 | * Add more day2ops
213 | * Customize the SSH-Key to add
214 | * Add latest version to the installation
215 | * Add more documentation to each day2ops
216 | * Time Control between infra nodes and the migrate of logging, monitoring, registry
217 | * Move vault from the first creds and move it after
218 |
--------------------------------------------------------------------------------
/auto_deploy.sh:
--------------------------------------------------------------------------------
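#!/bin/bash
# End-to-end deployment wrapper: runs deploy_all.yml against the implicit
# localhost, reading the vault password from .vault-password-file
# (see README, "Generate the .vault-password-file").
set -euo pipefail

# deploy_all.yml, vars/ and the password file are addressed relative to the
# repository root, so always run from there regardless of the caller's cwd.
cd "$(dirname "${BASH_SOURCE[0]}")"

VAULT_PASSWORD_FILE=".vault-password-file"

echo "Welcome to OCP4 Auto install"

# Fail early with a clear message instead of letting ansible-playbook abort
# on a missing or unreadable password file half-way through its startup.
if [[ ! -r "${VAULT_PASSWORD_FILE}" ]]; then
    echo "Vault password file '${VAULT_PASSWORD_FILE}' not found or not readable; see README" >&2
    exit 1
fi

echo "Executing Ansible Playbooks..."

# The trailing comma makes "localhost," an inline host list; without it
# ansible treats the argument as an inventory file path that does not exist
# and only falls back to the implicit localhost with a warning.
exec ansible-playbook -i localhost, --vault-password-file "${VAULT_PASSWORD_FILE}" deploy_all.yml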
7 |
--------------------------------------------------------------------------------
/collections/requirements.yml:
--------------------------------------------------------------------------------
# Galaxy collections installed with
#   ansible-galaxy collection install -r collections/requirements.yml
# (README: optional step, needed for the Let's Encrypt certificate flow).
collections:
  - name: community.kubernetes
    # Exact pin; bump deliberately and re-test the k8s-based roles.
    version: 1.0.0
    source: https://galaxy.ansible.com
5 |
--------------------------------------------------------------------------------
/deploy_all.yml:
--------------------------------------------------------------------------------
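---
# End-to-end entry point (invoked by auto_deploy.sh): prerequisites, cluster
# installation, then every post-install/day2ops role whose flag is enabled in
# vars/vars.yml. Credentials (AWS keys, pull secret, htpasswd passwords) come
# from vault/vault.yml, which the README expects to be ansible-vault encrypted.
- name: '[OCP4-AUTO-INSTALL] Deploy an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
    - vault/vault.yml
  tasks:
    # Prerequisites and installation are skipped when only_post_install is
    # truthy. The value is passed through `bool` so the string forms
    # "True"/"yes" (as delivered by a Tower survey) behave like the YAML
    # boolean; the previous `!= True` comparison let the string "True" start
    # a full installation. An undefined only_post_install still fails the
    # play rather than silently provisioning a cluster.
    - name: '[OCP4-AUTO-INSTALL][PREREQS] Prerequisites for the installation'
      include_role:
        name: "{{ item }}"
      loop:
        - common
        - awscli
      when:
        - not (only_post_install | bool)

    - name: '[OCP4-AUTO-INSTALL][INSTALL] Installation of the OCP4 Cluster'
      include_role:
        name: "ocp4-install"
      when:
        - not (only_post_install | bool)

    # Every day2ops role below runs only when its flag is defined and truthy,
    # so a flag missing from vars/vars.yml means "skip", not an error.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][CERT-MANAGER] Configure Cert-Manager'
      include_role:
        name: "ocp4-post-cert-manager"
      when:
        - cmanager is defined
        - cmanager | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][WORKER-NODES] Configure Worker Nodes'
      include_role:
        name: "ocp4-post-worker-nodes"
      when:
        - worker_nodes is defined
        - worker_nodes | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][INFRA-NODES] Deploy and configure Infra Nodes'
      include_role:
        name: "ocp4-post-infra-nodes"
      when:
        - infra_nodes is defined
        - infra_nodes | bool

    # oauth holds a provider name (htpasswd, ldap, google, azure) or False,
    # hence the comparison against False instead of a `bool` cast.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][OAUTH] Configure OAuth'
      include_role:
        name: "ocp4-post-oauth"
      when:
        - oauth is defined
        - oauth != False

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][LOGGING] Install and configure Logging'
      include_role:
        name: "ocp4-post-logging"
      when:
        - logging is defined
        - logging | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][MONITORING] Configure Monitoring'
      include_role:
        name: "ocp4-post-monitoring"
      when:
        - monitoring is defined
        - monitoring | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][REGISTRY] Install and configure Registry'
      include_role:
        name: "ocp4-post-registry"
      when:
        - registry is defined
        - registry | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][SERVICE-MESH] Install and configure Service Mesh'
      include_role:
        name: "ocp4-post-service-mesh"
      when:
        - service_mesh is defined
        - service_mesh | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL] Install and configure Argocd'
      include_role:
        name: "ocp4-post-argocd"
      when:
        - argocd is defined
        - argocd | bool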
86 |
--------------------------------------------------------------------------------
/deploy_day2ops.yml:
--------------------------------------------------------------------------------
---
# Runs only the post-install/day2ops roles (worker nodes, infra nodes, OAuth,
# logging, monitoring, registry, service mesh, ArgoCD): no prerequisites and
# no cluster installation. Each role is gated by its own flag from
# vars/vars.yml and is skipped when that flag is undefined or false.
# NOTE(review): the play name still reads "Deploy an Openshift4 cluster",
# which is misleading for a day2ops-only playbook.
- name: '[OCP4-AUTO-INSTALL] Deploy an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
    # Vaulted values (e.g. the htpasswd passwords listed in examples/vault.yml).
    - vault/vault.yml
  tasks:

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][WORKER-NODES] Configure Worker Nodes'
      include_role:
        name: "ocp4-post-worker-nodes"
      when:
        - worker_nodes is defined
        - worker_nodes | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][INFRA-NODES] Deploy and configure Infra Nodes'
      include_role:
        name: "ocp4-post-infra-nodes"
      when:
        - infra_nodes is defined
        - infra_nodes | bool

    # oauth holds a provider name (htpasswd, ldap, google, azure) or False,
    # so it is compared against False instead of being cast with `bool`.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][OAUTH] Configure OAuth'
      include_role:
        name: "ocp4-post-oauth"
      when:
        - oauth is defined
        - oauth != False

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][LOGGING] Install and configure Logging'
      include_role:
        name: "ocp4-post-logging"
      when:
        - logging is defined
        - logging | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][MONITORING] Configure Monitoring'
      include_role:
        name: "ocp4-post-monitoring"
      when:
        - monitoring is defined
        - monitoring | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][REGISTRY] Install and configure Registry'
      include_role:
        name: "ocp4-post-registry"
      when:
        - registry is defined
        - registry | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][SERVICE-MESH] Install and configure Service Mesh'
      include_role:
        name: "ocp4-post-service-mesh"
      when:
        - service_mesh is defined
        - service_mesh | bool

    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL] Install and configure Argocd'
      include_role:
        name: "ocp4-post-argocd"
      when:
        - argocd is defined
        - argocd | bool
65 |
--------------------------------------------------------------------------------
/deploy_only.yml:
--------------------------------------------------------------------------------
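---
# Installs the cluster only (optionally preceded by the prerequisite roles);
# no day2ops. Both only_post_install and prereqs must be defined in
# vars/vars.yml -- an undefined variable fails the play, which is preferable
# to guessing whether a cluster should be provisioned.
- name: '[OCP4-AUTO-INSTALL] Deploy an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
    - vault/vault.yml
  tasks:
    # The flags are cast with `bool` so the string forms "True"/"False"
    # (as delivered by a Tower survey) behave like YAML booleans; the previous
    # `!= True` / `== True` comparisons treated the string "True" as not
    # equal to the boolean and so inverted the intended gating.
    - name: '[OCP4-AUTO-INSTALL][PREREQS] Prerequisites for the installation'
      include_role:
        name: "{{ item }}"
      loop:
        - common
        - awscli
      when:
        - not (only_post_install | bool)
        - prereqs | bool

    - name: '[OCP4-AUTO-INSTALL][INSTALL] Installation of the OCP4 Cluster'
      include_role:
        name: "ocp4-install"
      when:
        - not (only_post_install | bool)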
24 |
--------------------------------------------------------------------------------
/deploy_only_acs.yml:
--------------------------------------------------------------------------------
---
# Installs StackRox/ACS Central and, in a second play, a demo Sensor. Both
# plays load the same vars and vault files; they could be a single play.
- name: '[OCP4-AUTO-INSTALL] Install the StackRox Central'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
    - vault/vault.yml
  tasks:
    # Skipped unless acs is defined and truthy.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][ACS] Install the StackRox Central'
      include_role:
        name: "ocp4-post-acs"
      when:
        - acs is defined
        - acs | bool

- name: '[OCP4-AUTO-INSTALL] Install StackRox Sensor Demo'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
    - vault/vault.yml
  tasks:
    # NOTE(review): the role "ocp4-post-acs-demo" does not appear under roles/
    # in this repository (only ocp4-post-acs does); with acs_demo enabled this
    # task errors unless the role is provided via roles_path -- confirm.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][ACS] Install StackRox Sensor Demo'
      include_role:
        name: "ocp4-post-acs-demo"
      when:
        - acs_demo is defined
        - acs_demo | bool
29 |
--------------------------------------------------------------------------------
/deploy_only_argocd.yml:
--------------------------------------------------------------------------------
---
# Runs only the ArgoCD post-install role. Unlike deploy_all.yml this playbook
# loads vars/vars.yml but not vault/vault.yml.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    # TODO: Use operator instead
    # Skipped unless argocd is defined and truthy in vars/vars.yml.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][ARGOCD] Configure ArgoCD '
      include_role:
        name: "ocp4-post-argocd"
      when:
        - argocd is defined
        - argocd | bool
15 |
16 |
--------------------------------------------------------------------------------
/deploy_only_cmanager.yml:
--------------------------------------------------------------------------------
---
# Runs only the cert-manager post-install role. vault/vault.yml is not loaded
# here, although the role ships a tasks/aws_credentials.yml and the AWS keys
# are kept in the vault per the README -- NOTE(review): confirm the role can
# obtain its credentials without the vault file.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    # Skipped unless cmanager is defined and truthy in vars/vars.yml.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][CERT-MANAGER] Configure Cert Manager'
      include_role:
        name: "ocp4-post-cert-manager"
      when:
        - cmanager is defined
        - cmanager | bool
14 |
--------------------------------------------------------------------------------
/deploy_only_infra.yml:
--------------------------------------------------------------------------------
---
# Runs only the infra-nodes post-install role (machinesets and the move of
# ingress/registry/monitoring onto them); vault/vault.yml is not loaded.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    # Skipped unless infra_nodes is defined and truthy in vars/vars.yml.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][INFRA-NODES] Deploy and configure Infra Nodes'
      include_role:
        name: "ocp4-post-infra-nodes"
      when:
        - infra_nodes is defined
        - infra_nodes | bool
14 |
--------------------------------------------------------------------------------
/deploy_only_logging.yml:
--------------------------------------------------------------------------------
---
# Runs only the logging (EFK) post-install role; vault/vault.yml is not loaded.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    # Skipped unless logging is defined and truthy in vars/vars.yml.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][LOGGING] Install and configure Logging'
      include_role:
        name: "ocp4-post-logging"
      when:
        - logging is defined
        - logging | bool
14 |
--------------------------------------------------------------------------------
/deploy_only_monitoring.yml:
--------------------------------------------------------------------------------
---
# Runs only the monitoring post-install role; vault/vault.yml is not loaded.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    # Skipped unless monitoring is defined and truthy in vars/vars.yml.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL] Configure Monitoring'
      include_role:
        name: "ocp4-post-monitoring"
      when:
        - monitoring is defined
        - monitoring | bool
14 |
--------------------------------------------------------------------------------
/deploy_only_oauth.yml:
--------------------------------------------------------------------------------
---
# Runs only the OAuth post-install role. vault/vault.yml is loaded because
# the identity-provider secrets (e.g. the htpasswd passwords listed in
# examples/vault.yml) live there.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
    - vault/vault.yml
  tasks:
    # oauth holds a provider name (htpasswd, ldap, google, azure) or False,
    # so it is compared against False instead of being cast with `bool`.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][OAUTH] Configure OAuth'
      include_role:
        name: "ocp4-post-oauth"
      when:
        - oauth is defined
        - oauth != False
15 |
--------------------------------------------------------------------------------
/deploy_only_project_request_template.yml:
--------------------------------------------------------------------------------
---
# Runs only the project-request-template role (default quotas, limit ranges
# and network policies for new projects); vault/vault.yml is not loaded.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    # Skipped unless project_request_template is defined and truthy; the
    # quota/limit values come from examples/vars_all.yml-style variables.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][PROJECT-REQUEST-TEMPLATE] Install and configure the project request template with quotas, limits and netpols'
      include_role:
        name: "ocp4-post-project-template-request"
      when:
        - project_request_template is defined
        - project_request_template | bool
14 |
--------------------------------------------------------------------------------
/deploy_only_registry.yml:
--------------------------------------------------------------------------------
---
# Runs only the internal registry post-install role; vault/vault.yml is not loaded.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    # Skipped unless registry is defined and truthy in vars/vars.yml.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][REGISTRY] Install and configure Registry'
      include_role:
        name: "ocp4-post-registry"
      when:
        - registry is defined
        - registry | bool
14 |
--------------------------------------------------------------------------------
/deploy_only_workers.yml:
--------------------------------------------------------------------------------
---
# Runs only the worker-nodes post-install role; vault/vault.yml is not loaded.
- name: '[OCP4-AUTO-INSTALL] Configure an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    # Skipped unless worker_nodes is defined and truthy in vars/vars.yml.
    - name: '[OCP4-AUTO-INSTALL][POST-INSTALL][WORKER-NODES] Configure Worker Nodes'
      include_role:
        name: "ocp4-post-worker-nodes"
      when:
        - worker_nodes is defined
        - worker_nodes | bool
14 |
--------------------------------------------------------------------------------
/examples/vars.yml:
--------------------------------------------------------------------------------
---
# Example variables file; copy to vars/vars.yml (README: cp -pr examples/vars.yml
# vars/vars.yml) and replace the sample cluster/domain values with your own.
## Cluster Vars
ocp4_version: '4.4.5'
cloud_provider: 'ec2'
cluster_name: 'rcarrata-ocp'            # sample value
ocp4_base_domain: '28fb.sandbox81.opentlc.com'   # sample value
aws_region: eu-central-1
master_instance_type: m5.xlarge
master_instance_count: 3
worker_instance_type: m5.xlarge
worker_instance_count: 3
# Kubeconfig used by the day2ops roles; the commented alternative points at
# the file the installer writes under install_path (see group_vars/all).
kubeconfig: '~/.kube/ocp4-opentlc'
#kubeconfig: "{{ user_path }}/auth/kubeconfig"

#### Install Vars
# NOTE(review): a hyphen is not valid in an Ansible variable name, so this
# key is not addressable as a Jinja identifier -- confirm what the awscli
# role actually reads (examples/vars_all.yml uses the same spelling).
awscli-download: False

#### Post Install Vars
# True skips prerequisites and cluster installation in deploy_all.yml /
# deploy_only.yml and runs only the day2ops roles.
only_post_install: True

# Worker Nodes
worker_nodes: True

# Infra Nodes
infra_nodes: True
infra_disk_size: 1024
infra_instance_type: r5.xlarge

# ELK infra nodes
elk_nodes: False

# OAuth
# Provider name (htpasswd, ldap, google, azure) or False to skip the role.
#oauth: htpasswd
oauth: False
# htpasswd user names; their passwords are expected in vault/vault.yml
# (ocp4_htpasswd_admin_password / ocp4_htpasswd_dev_password).
ocp4_htpasswd_admin_user: admin
ocp4_htpasswd_dev_user: developer

# NOTE(review): the README documents this flag as "removekubeadmin"; only
# one spelling can be what the oauth role reads -- verify against the role.
ocp4_remove_kubeadmin: False
removeselfprovisioning: True

# Logging
logging: False

# Monitoring
monitoring: False
prom_retention: 1w
prometheus_gp2_storage: 40Gi
alertmanager_gp2_storage: 40Gi

# ServiceMesh
service_mesh: False

# ArgoCD
argocd: True
argoclient: True
argocd_version: v1.6.0
57 |
--------------------------------------------------------------------------------
/examples/vars_all.yml:
--------------------------------------------------------------------------------
---
# Full example variables file covering install, Tower mode and every day2ops
# flag; copy to vars/vars.yml and replace the sample values.
#### Cluster Vars
ocp4_version: '4.4.5'
cloud_provider: 'ec2'
cluster_name: 'rcarrata-ocp'            # sample value
ocp4_base_domain: 'b8a1.sandbox1648.opentlc.com'   # sample value
aws_region: eu-central-1
master_instance_type: m5.xlarge
master_instance_count: 3
worker_instance_type: m5.xlarge
worker_instance_count: 3
kubeconfig: '~/.kube/ocp4-opentlc2'
machineCIDR: "10.0.0.0/16"
#kubeconfig: "{{ user_path }}/auth/kubeconfig"

#### Only in Tower-mode
tower_used: True
local_kubeconfig: '~/.kube/{{ cluster_name }}'
ocp_cluster: ocpdr

#### Install Vars
# NOTE(review): a hyphen is not valid in an Ansible variable name; confirm
# what the awscli role actually reads.
awscli-download: False
prereqs: False
# Destructive: enables the ocp4-uninstall role path. Keep False unless you
# really intend to tear the cluster down.
uninstall_ocp: False # VERY CAREFUL WITH THIS VAR :)

#### Post Install Vars
only_post_install: False

# Worker Nodes
worker_nodes: False

# Infra Nodes
infra_nodes: False
infra_disk_size: 1024
infra_instance_type: r5.xlarge

# ELK infra nodes
elk_nodes: False

# OAuth
# Provider name (htpasswd, ldap, google, azure) or False to skip the role.
#oauth: htpasswd
oauth: False
ocp4_htpasswd_admin_user: admin
ocp4_htpasswd_dev_user: developer

ocp4_remove_kubeadmin: False
removeselfprovisioning: True

# Logging
logging: True
clo_node_selector: "node-role.kubernetes.io/infra="
# Operator channels. Unquoted, YAML parses these as floats; that is fine for
# 4.3 but a value such as 4.10 would become 4.1 -- quote them to be safe.
es_channel: 4.3 #Define the ES version of the operator
clo_channel: 4.3 #Define the ClusterLogging version of the operator

# Monitoring
monitoring: False
prom_retention: 1w
prometheus_gp2_storage: 40Gi
alertmanager_gp2_storage: 40Gi

# Registry
registry: False

# ProjectRequestTemplate
# Defaults applied to every newly requested project (LimitRange,
# NetworkPolicies and ResourceQuota), each individually switchable.
project_request_template: True
project_request_message: "To provision namespace ask to Openshift 4 Administrators"
install_limit_range: True
install_network_policies: True
install_resource_quota: True
project_request_template_project_limits:
  - type: Container
    max:
      cpu: 2
      memory: 2Gi
    default:
      cpu: 500m
      memory: 500Mi
    defaultRequest:
      cpu: 50m
      memory: 256Mi
  - type: Pod
    max:
      cpu: 2
      memory: 4Gi

project_request_template_resource_quota:
  pods: 10
  requests.cpu: 4000m
  requests.memory: 8Gi
  resourcequotas: 1
  requests.storage: 50Gi
  persistentvolumeclaims: 5

### Extra DevOps Or RH Tools

# ArgoCD
argocd: False
argoclient: False
argocd_version: v1.6.0

# ServiceMesh
service_mesh: False
103 |
--------------------------------------------------------------------------------
/examples/vars_argocd.yml:
--------------------------------------------------------------------------------
# ArgoCD
# Minimal variable set for deploy_only_argocd.yml. Note the version differs
# from examples/vars.yml (v1.6.0); pick one deliberately.
argocd: True
argoclient: False
argocd_version: v1.5.7
5 |
--------------------------------------------------------------------------------
/examples/vars_day2ops.yml:
--------------------------------------------------------------------------------
# Day2ops-only example (mirrors the README "Day2Operations Variables").
# NOTE(review): several keys here differ from examples/vars.yml
# (removekubeadmin vs ocp4_remove_kubeadmin, disk_size vs infra_disk_size,
# instance_type vs infra_instance_type); only one spelling can be what the
# roles read, so this file may be stale -- verify against the role defaults.
# OAuth
oauth: htpasswd
removekubeadmin: False
removeselfprovisioning: False

# Worker Nodes
worker_nodes: True

# Infra Nodes
infra_nodes: True
disk_size: 1024
instance_type: r5.xlarge

# Logging
logging: False

# Monitoring
monitoring: False

# ArgoCD
argocd_version: v1.5.7
22 |
--------------------------------------------------------------------------------
/examples/vault.yml:
--------------------------------------------------------------------------------
# Template for vault/vault.yml. Fill in the values and keep the file
# ansible-vault encrypted (README: `ansible-vault edit vault/vault.yml`);
# the password file .vault-password-file is git-ignored and must stay so.
# AWS credentials for the IPI installation (presumably also used by awscli
# and cert-manager DNS tasks -- confirm against the roles).
aws_access_key_id:
aws_secret_access_key:
# Pull secret obtained from https://cloud.redhat.com/openshift/install
ocp4_pull_secret:
# Passwords for the htpasswd users named by ocp4_htpasswd_admin_user /
# ocp4_htpasswd_dev_user in vars/vars.yml.
ocp4_htpasswd_admin_password:
ocp4_htpasswd_dev_password:
6 |
--------------------------------------------------------------------------------
/group_vars/all:
--------------------------------------------------------------------------------
# User Path
# Working directory of the installer: {{ install_path }}/{{ cluster_name }}.
# The README places the generated kubeconfig at {{ user_path }}/auth/kubeconfig,
# i.e. cluster credentials land under /tmp by default -- a shared, typically
# world-readable location; set install_path to a private directory on shared
# or long-lived hosts.
install_path: "/tmp"
user_path: "{{ install_path }}/{{ cluster_name }}"
# Kubeconfig location when running inside Ansible Tower (awx user home).
tower_path: "/var/lib/awx/.kube"

# Define this into the vars/vars.yml
# kubeconfig: "{{ user_path }}/auth/kubeconfig"

# MachineSets
# Node label prefix and the role value used for the infra machinesets.
kube_label: "node-role.kubernetes.io"
infra_label: "infra"
12 |
--------------------------------------------------------------------------------
/images/Dockerfile:
--------------------------------------------------------------------------------
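# Helper image with httpd-tools (htpasswd) and an unprivileged "ansible"
# user. This Dockerfile installs neither Ansible nor sudo itself.
FROM fedora:32
# One layer: update, install, then drop the package cache so it is not
# baked into the image. Fedora's package manager is dnf, so its cache lives
# under /var/cache/dnf; the legacy /var/cache/yum path is removed as well.
RUN dnf update -y \
    && dnf install -y httpd-tools \
    && dnf clean all \
    && rm -rf /var/cache/dnf /var/cache/yum \
    && useradd ansible -m
# Sudo drop-in for the ansible user. ansible_sudoers.conf is not part of this
# repository listing (images/ holds only this Dockerfile), so it must be
# present in the build context or the build fails. sudo requires sudoers.d
# files to be root-owned and not group/world-writable; 0440 is the mode
# visudo uses, whereas COPY would leave the default 0644.
# NOTE(review): the sudo package is not installed here -- confirm whether
# the drop-in is actually used.
COPY ansible_sudoers.conf /etc/sudoers.d/ansible
RUN chmod 0440 /etc/sudoers.d/ansible
WORKDIR /home/ansible
USER ansible
# Exec form: sleep runs as PID 1 without an intermediate shell and receives
# stop signals directly. Keeps the container alive for two hours.
CMD ["sleep", "7200"]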
11 |
--------------------------------------------------------------------------------
/pics/tower1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rcarrata/ocp4-auto-install/a69adc48365daef02616fc09cbc63ae4453774c7/pics/tower1.png
--------------------------------------------------------------------------------
/pics/tower2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rcarrata/ocp4-auto-install/a69adc48365daef02616fc09cbc63ae4453774c7/pics/tower2.png
--------------------------------------------------------------------------------
/pics/tower3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rcarrata/ocp4-auto-install/a69adc48365daef02616fc09cbc63ae4453774c7/pics/tower3.png
--------------------------------------------------------------------------------
/pics/tower4.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rcarrata/ocp4-auto-install/a69adc48365daef02616fc09cbc63ae4453774c7/pics/tower4.jpg
--------------------------------------------------------------------------------
/pics/wf1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rcarrata/ocp4-auto-install/a69adc48365daef02616fc09cbc63ae4453774c7/pics/wf1.png
--------------------------------------------------------------------------------
/requirements.txt:
--------------------------------------------------------------------------------
# Python deps installed on the target by roles/common (pip). NOTE(review):
# nothing is pinned, so every run resolves the latest release of each package;
# pin versions (ideally with hashes) for reproducible, auditable installs.
openshift
psutil
boto3
botocore
--------------------------------------------------------------------------------
/roles/README.md:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rcarrata/ocp4-auto-install/a69adc48365daef02616fc09cbc63ae4453774c7/roles/README.md
--------------------------------------------------------------------------------
/roles/awscli/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (i.e. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/awscli/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for awscli
# (intentionally empty: the download URL is aws_installer in vars/main.yml and
# the credential values come from the caller's vault variables)
--------------------------------------------------------------------------------
/roles/awscli/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for awscli
# (no handlers: none of this role's tasks notify anything)
--------------------------------------------------------------------------------
/roles/awscli/meta/main.yml:
--------------------------------------------------------------------------------
# Galaxy metadata for the awscli role.
# NOTE(review): author/description/company/license are still the galaxy-init
# placeholders, and min_ansible_version (2.4) is lower than the 2.9 declared by
# the sibling common and ocp4-install roles — fill these in before publishing.
galaxy_info:
  author: your name
  description: your description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.4

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    # Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--------------------------------------------------------------------------------
/roles/awscli/tasks/download.yml:
--------------------------------------------------------------------------------
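---
# Fetch the AWS CLI v2 bundle into the install tree and unpack it under tools/.
# Inputs: aws_installer (vars/main.yml), user_path (group_vars/all).
# Optional: aws_installer_checksum — a get_url checksum string such as
#   "sha256:<digest>". Unset keeps the previous behaviour (no integrity check).

- name: '[PREREQS][AWSCLI] Download the required tooling'
  get_url:
    url: "{{ aws_installer }}"
    dest: "{{ user_path }}/awscli-exe-linux-x86_64.zip"
    # An empty string disables verification, so existing callers are unaffected
    # while hardened setups can pin the exact bundle they expect.
    checksum: "{{ aws_installer_checksum | default('') }}"
  register: awsclifile

- name: '[PREREQS][AWSCLI] Create a user-writable directory for tools'
  file:
    path: "{{ user_path }}/tools"
    state: directory

- name: '[PREREQS][AWSCLI] Unarchive the aws tools'
  unarchive:
    src: "{{ user_path }}/awscli-exe-linux-x86_64.zip"
    dest: "{{ user_path }}/tools"
    # get_url placed the zip on the managed host; without remote_src unarchive
    # would look for it on the controller and fail whenever the two differ.
    remote_src: true
  # Only unpack when a new bundle actually arrived.
  when: awsclifile is changed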
--------------------------------------------------------------------------------
/roles/awscli/tasks/install.yml:
--------------------------------------------------------------------------------
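---
# Write the AWS credentials file that the installer and boto3 read.
# Inputs: aws_access_key_id, aws_secret_access_key (vault).

- name: '[PREREQS][AWSCLI] Create the ~/.aws directory'
  file:
    path: "~/.aws"
    state: directory
    # Owner-only: this directory holds long-lived cloud credentials.
    mode: '0700'

- name: '[PREREQS][AWSCLI] Define aws credentials for the installation'
  template:
    src: templates/credentials.j2
    dest: "~/.aws/credentials"
    # The rendered file contains the secret key; do not depend on the umask.
    mode: '0600'
  # Keep the rendered secret out of task output and diffs.
  no_log: true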
--------------------------------------------------------------------------------
/roles/awscli/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point: download/unpack the CLI bundle, then write ~/.aws/credentials.

- import_tasks: download.yml
- import_tasks: install.yml
--------------------------------------------------------------------------------
/roles/awscli/templates/credentials.j2:
--------------------------------------------------------------------------------
{# Rendered to ~/.aws/credentials by tasks/install.yml. Both values come from
   the caller's vault variables, so the rendered file is itself a secret. #}
[default]
aws_access_key_id = {{ aws_access_key_id }}
aws_secret_access_key = {{ aws_secret_access_key }}
--------------------------------------------------------------------------------
/roles/awscli/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for awscli
# Unversioned URL: resolves to whatever AWS CLI v2 release is current at run
# time. Role vars outrank inventory, so pin a release here (or via extra-vars)
# when reproducible installs matter.
aws_installer: "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip"
--------------------------------------------------------------------------------
/roles/common/.travis.yml:
--------------------------------------------------------------------------------
---
# Travis job that only syntax-checks the role (no real execution).
language: python
# NOTE(review): Python 2.7 and the `sudo:` key are both retired on Travis;
# the job presumably needs a Python 3 target to run again.
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

install:
  # Install ansible
  # (unpinned: the check runs against whatever ansible release pip resolves)
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

script:
  # Basic role syntax check
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/common/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (i.e. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/common/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for common
# (intentionally empty: the role reads user_path from group_vars/all)
--------------------------------------------------------------------------------
/roles/common/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for common
# (no handlers: none of this role's tasks notify anything)
--------------------------------------------------------------------------------
/roles/common/meta/main.yml:
--------------------------------------------------------------------------------
# Galaxy metadata for the common role.
# NOTE(review): author/description/company/license are still the galaxy-init
# placeholders — fill them in before publishing.
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.9

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    # Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--------------------------------------------------------------------------------
/roles/common/tasks/main.yml:
--------------------------------------------------------------------------------
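---
# Prepare the install tree: directories, python deps for the k8s/AWS modules,
# and the SSH keypair whose public half install-config.yaml.j2 embeds as sshKey.
# Inputs: user_path (group_vars/all). Sets: idrsapub (slurped public key).

- name: '[COMMON] Create a directory for the installation'
  file:
    path: "{{ user_path }}"
    state: directory

- name: '[INSTALL_CONFIG] Create .ssh directory'
  file:
    path: "{{ user_path }}/.ssh"
    state: directory
    # Owner-only: the cluster's SSH private key is generated in here.
    mode: '0700'

- name: '[INSTALL_CONFIG] [PREREQS] Copy python prerequisites file'
  copy:
    src: ./requirements.txt
    dest: "{{ user_path }}/requirements.txt"

- name: '[INSTALL_CONFIG] [PREREQS] Install python prerequisites'
  pip:
    requirements: "{{ user_path }}/requirements.txt"

# The file is called id_rsa for historical reasons but the key type is ed25519;
# the name is kept because the slurp below depends on it.
- name: '[INSTALL_CONFIG] Generate SSH keys'
  openssh_keypair:
    type: ed25519
    path: "{{ user_path }}/.ssh/id_rsa"

- name: '[INSTALL_CONFIG] Slurp public key'
  slurp:
    path: "{{ user_path }}/.ssh/id_rsa.pub"
  # Consumed (base64-decoded) by roles/ocp4-install's install-config template.
  register: idrsapub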
--------------------------------------------------------------------------------
/roles/common/tests/inventory:
--------------------------------------------------------------------------------
# Inventory for the syntax check in .travis.yml; nothing is connected to.
localhost

--------------------------------------------------------------------------------
/roles/common/tests/test.yml:
--------------------------------------------------------------------------------
---
# Syntax-check playbook used by .travis.yml (run with --syntax-check only, so
# remote_user: root is never used to connect).
- hosts: localhost
  remote_user: root
  roles:
    - common
--------------------------------------------------------------------------------
/roles/common/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for common
# (empty: the role only needs user_path from group_vars/all)
--------------------------------------------------------------------------------
/roles/ocp4-install/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (i.e. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-install/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for ocp4-install
# (intentionally empty: download locations live in vars/main.yml; cluster
# sizing, domain and secrets come from the caller's vars/vault files)
--------------------------------------------------------------------------------
/roles/ocp4-install/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for ocp4-install
# (no handlers: none of this role's tasks notify anything)
--------------------------------------------------------------------------------
/roles/ocp4-install/meta/main.yml:
--------------------------------------------------------------------------------
# Galaxy metadata for the ocp4-install role.
# NOTE(review): author/description/company/license are still the galaxy-init
# placeholders — fill them in before publishing.
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.9

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    # Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--------------------------------------------------------------------------------
/roles/ocp4-install/tasks/create_config.yml:
--------------------------------------------------------------------------------
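---
# Render install-config.yaml from the template and keep a pristine copy
# (presumably because the installer consumes the original on its first run).
# Inputs: user_path plus everything install-config.yaml.j2 references.

- name: '[INSTALL_CONFIG] Generate config install-config.yaml'
  template:
    src: install-config.yaml.j2
    dest: "{{ user_path }}/install-config.yaml"
    # The rendered file carries the pull secret and the SSH public key.
    mode: '0600'
  # Keep the pull secret out of task output and diffs.
  no_log: true

- name: '[INSTALL_CONFIG] Make a copy of the cluster install config for backup purposes'
  copy:
    src: "{{ user_path }}/install-config.yaml"
    dest: "{{ user_path }}/install-config.yaml.bck"
    # The source is on the managed host, not the controller.
    remote_src: true
    # Same contents, same protection as the original.
    mode: '0600'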
--------------------------------------------------------------------------------
/roles/ocp4-install/tasks/download.yml:
--------------------------------------------------------------------------------
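---
# Download and unpack openshift-install and the oc client for ocp4_version.
# Inputs: user_path; var_installer_baseurl/_program/_clienttools (vars/main.yml).
# Optional: ocp4_tooling_checksum — a get_url checksum string. A
#   "sha256:<url of a checksum list>" value covers both packages, since get_url
#   matches list entries by filename. Unset keeps the previous behaviour (no
#   integrity check).

- name: '[OCP4-INSTALL] Create a user-writable directory for tools'
  file:
    path: "{{ user_path }}"
    state: directory

- name: '[OCP4-INSTALL] Download the required ocp4 tooling'
  get_url:
    url: "{{ var_installer_baseurl }}/{{ pkg }}"
    dest: "{{ user_path }}/{{ pkg }}"
    # Empty string disables verification (backwards compatible).
    checksum: "{{ ocp4_tooling_checksum | default('') }}"
  loop:
    - "{{ var_installer_program }}"
    - "{{ var_installer_clienttools }}"
  loop_control:
    loop_var: pkg
  register: ocp4_files

- name: '[OCP4-INSTALL] Ensure downloaded installers are unarchived'
  unarchive:
    src: "{{ user_path }}/{{ pkg }}"
    dest: "{{ user_path }}"
    # The tarballs were fetched onto the managed host above; without this
    # unarchive looks for them on the controller.
    remote_src: true
  loop:
    - "{{ var_installer_program }}"
    - "{{ var_installer_clienttools }}"
  loop_control:
    loop_var: pkg
  # ocp4_files aggregates the loop; it is "changed" if any package was new.
  when: ocp4_files is changed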
--------------------------------------------------------------------------------
/roles/ocp4-install/tasks/install.yml:
--------------------------------------------------------------------------------
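---
# Run openshift-install against the rendered install-config, wait for the
# cluster, then stash the kubeconfig and the installer state.
# Inputs: user_path, cluster_name, ocp_cluster, tower_path (group_vars/all);
#   optional local_kubeconfig and tower_used gate the two trailing copy steps.

- name: '[INSTALL_CONFIG] Installing Openshift Cluster...'
  # argv form: no shell is involved and user_path is passed as a single
  # argument even if it contains spaces or shell metacharacters.
  command:
    argv:
      - "{{ user_path }}/openshift-install"
      - create
      - cluster
      - --dir
      - "{{ user_path }}"
      - --log-level
      - debug
    # auth/ is produced by the installer, so a re-run skips this step.
    creates: "{{ user_path }}/auth"

- name: '[INSTALL_CONFIG] Check pid of openshift-install'
  pids:
    name: openshift-install
  # Informational only: nothing below reads installer_pids.
  register: installer_pids

- name: '[INSTALL_CONFIG] Wait for the main installer to finish - may take around 25 minutes'
  wait_for:
    path: "{{ user_path }}/auth/kubeconfig"
    state: present
    timeout: 5400

- name: '[INSTALL_CONFIG] Wait for the Bootstrap'
  command:
    argv:
      - "{{ user_path }}/openshift-install"
      - wait-for
      - bootstrap-complete
      - --dir
      - "{{ user_path }}"

- name: '[INSTALL_CONFIG] Wait for the cluster'
  command:
    argv:
      - "{{ user_path }}/openshift-install"
      - wait-for
      - install-complete
      - --dir
      - "{{ user_path }}"

- name: '[INSTALL_CONFIG] Copy the Kubeconfig to the known location'
  copy:
    src: "{{ user_path }}/auth/kubeconfig"
    dest: "{{ local_kubeconfig }}"
    # The source lives on the managed host, not the controller.
    remote_src: true
    # cluster-admin credential: owner-only.
    mode: '0600'
  when:
    - local_kubeconfig is defined

# One archive holding every artifact. The previous per-item loop wrote each
# file to the same dest, so only the last item (the installer binary) survived.
# With a list of paths and format gz the archive module produces a tar.gz; the
# dest name is kept unchanged so existing Tower workflows still find it.
- name: '[INSTALL_CONFIG] Gzip Install files'
  archive:
    path:
      - "{{ user_path }}/.openshift_install_state.json"
      - "{{ user_path }}/.openshift_install.log"
      - "{{ user_path }}/terraform.tfvars.json"
      - "{{ user_path }}/terraform.tfstate"
      - "{{ user_path }}/metadata.json"
      - "{{ user_path }}/terraform.aws.auto.tfvars.json"
      - "{{ user_path }}/openshift-install"
    dest: "{{ tower_path }}/{{ cluster_name }}-{{ ocp_cluster }}-install.gz"
    format: gz
    # terraform state and the installer log can carry cluster secrets.
    mode: '0600'
  when:
    - tower_used is defined
    - tower_used | bool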
--------------------------------------------------------------------------------
/roles/ocp4-install/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point: tooling download -> install-config render -> install -> summary.
# The uninstall hook below is disabled; no uninstall.yaml exists in this role's
# tasks directory.

- import_tasks: download.yml

- import_tasks: create_config.yml

- import_tasks: install.yml

- import_tasks: print_info.yml

#- import_tasks: uninstall.yaml
#  when:
#    - uninstall_ocp is defined
--------------------------------------------------------------------------------
/roles/ocp4-install/tasks/print_info.yml:
--------------------------------------------------------------------------------
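---
# Look up the cluster's base domain and print the console and API URLs.
# Reads local_kubeconfig when set (install.yml copies it there), otherwise the
# kubeconfig openshift-install wrote under user_path/auth.

- name: '[PRINT-INFO] Give the cluster a few minutes to settle before querying it'
  pause:
    minutes: 5

- name: '[PRINT-INFO] Get cluster DNS config'
  k8s_info:
    # Fallback matches the path install.yml waits for, so this file no longer
    # requires local_kubeconfig even though install.yml treats it as optional.
    kubeconfig: "{{ local_kubeconfig | default(user_path ~ '/auth/kubeconfig') }}"
    api_version: config.openshift.io/v1
    kind: dns
    name: cluster
  # Name kept for compatibility; the object is the DNS config, not ClusterVersion.
  register: r_cluster_version

- name: '[PRINT-INFO] Extract the baseDomain'
  set_fact:
    # dns.config's baseDomain is already <cluster>.<base>; the ingress wildcard
    # hangs off apps.<that>, the API off api.<that> (not api.apps.<that>).
    ocp4_base_domain_actual: "{{ r_cluster_version.resources.0.spec.baseDomain }}"
    ocp4_domain: "apps.{{ r_cluster_version.resources.0.spec.baseDomain }}"

- name: '[PRINT-INFO] OCP4 Console & API'
  set_fact:
    ocp4_console: "https://console-openshift-console.{{ ocp4_domain }}"
    # Previous value used the apps sub-domain, which is not where the API lives.
    ocp4_api: "https://api.{{ ocp4_base_domain_actual }}:6443"

- name: '[PRINT-INFO] Print Connection Information'
  debug:
    msg: "{{ item }}"
  loop:
    - "user.info: Openshift Master Console: {{ ocp4_console | trim }}"
    - "user.info: Openshift API for command line 'oc' client: {{ ocp4_api | trim }}"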
--------------------------------------------------------------------------------
/roles/ocp4-install/templates/install-config.yaml.j2:
--------------------------------------------------------------------------------
{# Rendered by tasks/create_config.yml into user_path/install-config.yaml.
   Inputs: ocp4_base_domain, cloud_provider, worker_/master_instance_type and
   _count, cluster_name, machineCIDR, aws_region, ocp4_pull_secret (vault) and
   idrsapub (slurped by roles/common). The output embeds the pull secret, so the
   rendered file must be treated as a secret. #}
apiVersion: v1
baseDomain: {{ ocp4_base_domain }}
compute:
- hyperthreading: Enabled
  name: worker
  platform:
{% if cloud_provider == 'ec2' %}
    aws:
      type: {{ worker_instance_type }}
{% endif %}
  replicas: {{ worker_instance_count }}
controlPlane:
  hyperthreading: Enabled
  name: master
  platform:
{% if cloud_provider == 'ec2' %}
    aws:
      type: {{ master_instance_type }}
{% endif %}
  replicas: {{ master_instance_count }}
metadata:
  name: {{ cluster_name }}
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineCIDR: {{ machineCIDR }}
  networkType: OpenshiftSDN
  serviceNetwork:
  - 172.30.0.0/16
platform:
{% if cloud_provider == 'ec2' %}
  aws:
    region: {{ aws_region }}
{% endif %}
{# External publishing exposes the API and ingress endpoints publicly; there is
   no variable here to make the cluster private. #}
publish: External
{# The pull secret is JSON; single quotes inside it are swapped for double quotes
   so the single-quoted YAML scalar stays intact. NOTE(review): this also rewrites
   any apostrophe in the secret's payload — to_json would be the robust encoding. #}
pullSecret: '{{ ocp4_pull_secret | replace("'",'"') }}'
sshKey: |
  {{ idrsapub.content | b64decode }}
--------------------------------------------------------------------------------
/roles/ocp4-install/tests/inventory:
--------------------------------------------------------------------------------
# Inventory for tests/test.yml (syntax check only); nothing is connected to.
localhost

--------------------------------------------------------------------------------
/roles/ocp4-install/tests/test.yml:
--------------------------------------------------------------------------------
---
# Syntax-check playbook for the role; remote_user: root is never used to
# connect when run with --syntax-check.
- hosts: localhost
  remote_user: root
  roles:
    - ocp4-install
--------------------------------------------------------------------------------
/roles/ocp4-install/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for ocp4-install
# Download locations for the installer and oc client, pinned to ocp4_version.
# NOTE(review): the mirror publishes a sha256sum.txt next to these tarballs;
# verifying the downloads against it closes the supply-chain gap of trusting
# the transport alone.
var_installer_baseurl: 'https://mirror.openshift.com/pub/openshift-v4/clients/ocp/{{ ocp4_version }}'
var_installer_program: 'openshift-install-linux-{{ ocp4_version }}.tar.gz'
var_installer_clienttools: 'openshift-client-linux-{{ ocp4_version }}.tar.gz'
--------------------------------------------------------------------------------
/roles/ocp4-post-acs/defaults/main.yml:
--------------------------------------------------------------------------------
# Neither of these two is referenced by this role's task files as listed.
become_override: false
ocp_username: kubeadmin

# The Central admin password is read by tasks/central.yml, tasks/sensor.yml and
# templates/central.yml.j2; it is deliberately not defaulted here — supply it
# from an encrypted vault.
#stackrox_central_admin_password: IM_IN_VAULT

--------------------------------------------------------------------------------
/roles/ocp4-post-acs/tasks/central.yml:
--------------------------------------------------------------------------------
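# Install RHACS Central via its Helm chart and wait until its API answers.
# Inputs: kubeconfig, stackrox_central_admin_password (vault).
# Optional: stackrox_validate_certs — set true once Central serves a trusted
#   certificate; defaults to false, matching the previous behaviour.
# Sets: f_stackrox_central_addr (route host consumed by sensor.yml).

- name: Add helm repo
  kubernetes.core.helm_repository:
    name: rhacs
    url: "https://mirror.openshift.com/pub/rhacs/charts/"

- name: Deploy Central
  kubernetes.core.helm:
    kubeconfig: "{{ kubeconfig }}"
    name: stackrox-central-services
    chart_ref: rhacs/central-services
    release_namespace: stackrox
    values: "{{ lookup('template', 'templates/central.yml.j2') | from_yaml }}"
    create_namespace: true
  # The rendered values carry the admin password.
  no_log: true

- name: Get central route
  kubernetes.core.k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    kind: Route
    api_version: route.openshift.io/v1
    namespace: stackrox
    name: central
  register: r_stackrox_central_route
  # k8s_info returns an empty list (not a failure) while the route does not
  # exist yet, so retries only help with an explicit condition.
  until: r_stackrox_central_route.resources | length > 0
  retries: 10
  delay: 20

- name: Store central route as a fact
  set_fact:
    f_stackrox_central_addr: "{{ r_stackrox_central_route.resources[0].spec.host }}"

- name: Wait for Central availability
  uri:
    url: "https://{{ f_stackrox_central_addr }}/v1/ping"
    method: GET
    user: admin
    password: "{{ stackrox_central_admin_password }}"
    force_basic_auth: true
    # With validation off, the admin password is sent to whoever answers for
    # the route host; turn this on as soon as a trusted certificate is in place.
    validate_certs: "{{ stackrox_validate_certs | default(false) }}"
  register: result
  until: result.status == 200
  retries: 15
  delay: 20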
--------------------------------------------------------------------------------
/roles/ocp4-post-acs/tasks/main.yml:
--------------------------------------------------------------------------------

# Entry point: Central first (it publishes f_stackrox_central_addr), then the
# secured-cluster components that register against it.
- import_tasks: central.yml
- import_tasks: sensor.yml

--------------------------------------------------------------------------------
/roles/ocp4-post-acs/tasks/sensor.yml:
--------------------------------------------------------------------------------
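# Register this cluster with Central and roll out the secured-cluster chart.
# Inputs: f_stackrox_central_addr (central.yml), kubeconfig,
#   stackrox_central_admin_password (vault).
# Optional: stackrox_validate_certs — see central.yml; defaults to false.

- name: Get cluster init bundle
  uri:
    url: "https://{{ f_stackrox_central_addr }}/v1/cluster-init/init-bundles"
    # Random suffix keeps bundle names unique across re-runs.
    body: "{ \"name\": \"prod-{{ lookup('password', '/dev/null chars=ascii_lowercase,digits length=8') }}\"}"
    method: POST
    user: admin
    password: "{{ stackrox_central_admin_password }}"
    body_format: json
    force_basic_auth: true
    validate_certs: "{{ stackrox_validate_certs | default(false) }}"
  register: r_stackrox_cluster_init_response
  # The response is this cluster's credential bundle; keep it out of logs.
  no_log: true

- name: Deploy cluster package
  kubernetes.core.helm:
    kubeconfig: "{{ kubeconfig }}"
    name: stackrox-secured-cluster-services
    chart_ref: rhacs/secured-cluster-services
    release_namespace: stackrox
    values: "{{ lookup('template', 'templates/cluster.yml.j2')| from_yaml }}"
    create_namespace: true
  # The rendered values embed the init bundle.
  no_log: true

- name: Wait for ready sensor
  kubernetes.core.k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    name: sensor
    kind: Deployment
    api_version: apps/v1
    namespace: stackrox
  register: r_stackrox_sensor_deployment
  # Conditions are ANDed and short-circuit, so the length guard keeps
  # resources[0] from raising while the Deployment does not exist yet.
  until:
    - r_stackrox_sensor_deployment.resources | length > 0
    - r_stackrox_sensor_deployment.resources[0].status.readyReplicas is defined
    - r_stackrox_sensor_deployment.resources[0].status.readyReplicas | int >= 1
  delay: 20
  retries: 15

- name: Determine number of collectors
  kubernetes.core.k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    name: collector
    kind: DaemonSet
    api_version: apps/v1
    namespace: stackrox
  register: r_stackrox_collector_daemonset
  until:
    - r_stackrox_collector_daemonset.resources | length > 0
    - r_stackrox_collector_daemonset.resources[0].status.desiredNumberScheduled is defined
  # Same budget as the other waits; the implicit default (3 x 5 s) is too short
  # for the DaemonSet to appear on a fresh cluster.
  delay: 20
  retries: 15

- name: Wait for collectors
  kubernetes.core.k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    name: collector
    kind: DaemonSet
    api_version: apps/v1
    namespace: stackrox
  register: r_stackrox_collector_daemonset
  until:
    - r_stackrox_collector_daemonset.resources | length > 0
    - r_stackrox_collector_daemonset.resources[0].status.numberReady is defined
    # yamllint disable-line rule:line-length
    - r_stackrox_collector_daemonset.resources[0].status.numberReady | int == r_stackrox_collector_daemonset.resources[0].status.desiredNumberScheduled | int
  delay: 20
  retries: 15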
60 |
--------------------------------------------------------------------------------
/roles/ocp4-post-acs/templates/central.yml.j2:
--------------------------------------------------------------------------------
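{# Helm values for rhacs/central-services, rendered by tasks/central.yml via
   lookup('template') and parsed back with from_yaml. #}
# Configuration secrets for the Central deployment
central:
  adminPassword:
    # to_json yields a quoted, escaped scalar, so a password containing ':',
    # '#' or quotes can neither break the YAML parse nor be silently altered.
    value: {{ stackrox_central_admin_password | to_json }}
  exposure:
    route:
      enabled: true

#Scanner

imagePullSecrets:
  allowNone: true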
--------------------------------------------------------------------------------
/roles/ocp4-post-acs/templates/cluster.yml.j2:
--------------------------------------------------------------------------------
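{# Helm values for rhacs/secured-cluster-services, rendered by tasks/sensor.yml
   and parsed back with from_yaml. The init bundle returned by Central (CA and
   service credentials) is merged in below, so the rendered output is a secret. #}
imagePullSecrets:
  allowNone: true

clusterName: "production"

centralEndpoint: "{{ f_stackrox_central_addr }}:443"

collector:
  collectionMethod: KERNEL_MODULE
  disableTaintTolerations: false
  slimMode: true

helmManaged: true

{# The admission-control settings are merged into the bundle's own
   admissionControl mapping with a recursive combine rather than a text
   replace, so the result no longer depends on the bundle's exact indentation
   or on "admissionControl:" occurring exactly once, and whatever keys the
   bundle already has there are preserved. #}
{% set init_bundle = r_stackrox_cluster_init_response.json.helmValuesBundle | b64decode | from_yaml %}
{% set admission_overrides = {
     'admissionControl': {
       'dynamic': {
         'disableBypass': false,
         'enforceOnCreates': true,
         'enforceOnUpdates': true,
         'scanInline': false,
         'timeout': 3
       },
       'listenOnCreates': true,
       'listenOnEvents': true,
       'listenOnUpdates': true
     }
   } %}
{{ init_bundle | combine(admission_overrides, recursive=True) | to_nice_yaml }}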
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
Variables read by the role: `kubeconfig` (path passed to every `k8s`/`k8s_info` task), `user_path` (directory under which `argocd/` is created for downloads) and `argoclient` (boolean; when true the *latest* `argocd-linux-amd64` release is downloaded — unpinned and without a checksum, so pin a release for production use). `argo_channel` is set internally from the `argocd-operator` PackageManifest and used as the Subscription's `startingCSV`; note the Subscription channel itself is hard-coded to `alpha`.
15 |
16 | Dependencies
17 | ------------
18 |
None declared (`meta/main.yml` lists `dependencies: []`). The Argo CD operator is pulled from the `community-operators` catalog source at run time with `installPlanApproval: Automatic`, so operator upgrades are applied without review.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
    - hosts: localhost   # the role only talks to the cluster API; run it from the controller host
      roles:
        - role: ocp4-post-argocd
          vars:
            kubeconfig: /path/to/kubeconfig
            user_path: /path/to/workdir
            argoclient: true
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for ocp4-post-argocd
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post-argocd
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/tasks/main.yml:
--------------------------------------------------------------------------------
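---
# tasks file for ocp4-post-argocd
#
# Installs the community Argo CD operator through OLM into the "argocd"
# namespace, creates a default ArgoCD instance and exposes argocd-server
# through a passthrough-TLS Route.
#
# Variables read: kubeconfig, user_path, argoclient (bool).
# Facts set:      argo_manifest, argo_channel (consumed by templates/argo-sub.yaml).

- name: '[POSTINSTALL][ARGOCD] Ensure working directory exists'
  file:
    path: "{{ user_path }}/argocd"
    state: directory

# Supply-chain note: "latest" is fetched over HTTPS with no version pin and no
# checksum, so two runs can yield different binaries. For production pin a
# release tag and add get_url's `checksum:` once the expected digest is known.
- name: '[POSTINSTALL][ARGOCD] Download argocd client'
  get_url:
    url: https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64
    dest: "{{ user_path }}/argocd/"
  register: argocd_client
  when: argoclient | bool

# The namespace is created once, from the template; the OperatorGroup and
# Subscription below live in it. (A second, hand-written Namespace task that
# created the same object was removed.)
- name: '[POSTINSTALL][ARGOCD] Create Argocd Namespace'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', 'argo-ns.yaml') }}"

- name: '[POSTINSTALL][ARGOCD] Create Argocd OperatorGroup'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', 'argo-og.yaml') }}"

# Read the operator's PackageManifest so the Subscription can start from the
# CSV the catalog currently advertises. This takes channels[0], while
# templates/argo-sub.yaml hard-codes `channel: alpha`; if channels[0] is a
# different channel, OLM may not be able to resolve the startingCSV in "alpha".
- name: '[POSTINSTALL][ARGOCD] Get available Argo channels'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: packages.operators.coreos.com/v1
    kind: PackageManifest
    name: argocd-operator
    namespace: argocd
  register: argo_manifest

- name: '[POSTINSTALL][ARGOCD] Set starting CSV from the first advertised channel'
  set_fact:
    argo_channel: "{{ argo_manifest.resources[0].status.channels[0].currentCSV }}"

- debug:
    msg: "Using startingCSV {{ argo_channel }}"

# installPlanApproval is Automatic in the template: later operator updates from
# the community catalog are applied without review.
- name: '[POSTINSTALL][ARGOCD] Create Argocd Subs'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', 'argo-sub.yaml') }}"

# Each CRD is polled separately (loop + until): up to 30 x 10s per CRD.
- name: '[POSTINSTALL][ARGOCD] Wait for ArgoCD CRDs to exist'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: "apiextensions.k8s.io/v1"
    kind: CustomResourceDefinition
    name: "{{ item }}"
  loop:
    - argocds.argoproj.io
    - argocdexports.argoproj.io
    - applications.argoproj.io
    - appprojects.argoproj.io
  register: crds
  until: crds.resources | length > 0
  retries: 30
  delay: 10

# templates/argo-install.yaml has an empty spec, i.e. pure operator defaults
# (typically the built-in admin account and no SSO/RBAC policy); harden the
# ArgoCD CR before using this beyond a lab.
- name: '[POSTINSTALL][ARGOCD] Create ArgoCD instance'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', 'argo-install.yaml') }}"

# Passthrough TLS: clients see argocd-server's own certificate (self-signed
# unless configured otherwise), not the cluster ingress certificate.
# Route is served by the route.openshift.io group on OCP 4, so the explicit
# group is used instead of the legacy bare "v1".
- name: '[POSTINSTALL][ARGOCD] Create route for Argocd Server'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition:
      apiVersion: route.openshift.io/v1
      kind: Route
      metadata:
        name: argocd-server
        namespace: argocd
      spec:
        to:
          kind: Service
          name: argocd-server
        tls:
          termination: passthrough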
111 |
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/templates/argo-install.yaml:
--------------------------------------------------------------------------------
# Default ArgoCD instance managed by argocd-operator. An empty spec takes every
# operator default -- presumably including the built-in admin account and no
# SSO/RBAC policy -- so tighten spec before exposing this beyond a lab.
apiVersion: argoproj.io/v1alpha1
kind: ArgoCD
metadata:
  name: argocd
  namespace: argocd
spec: {}
7 |
8 |
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/templates/argo-ns.yaml:
--------------------------------------------------------------------------------
# Namespace hosting the operator (OperatorGroup/Subscription) and the ArgoCD
# instance; applied by tasks/main.yml through lookup('template').
apiVersion: v1
kind: Namespace
metadata:
  name: argocd
5 |
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/templates/argo-og.yaml:
--------------------------------------------------------------------------------
# OperatorGroup scoping the Argo CD operator to its own namespace only:
# ArgoCD/Application resources created in other namespaces are not watched.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: argocd
  namespace: argocd
spec:
  targetNamespaces:
    - argocd
9 |
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/templates/argo-sub.yaml:
--------------------------------------------------------------------------------
# OLM Subscription to the community Argo CD operator.
# - channel is hard-coded to "alpha", while startingCSV comes from
#   status.channels[0].currentCSV of the PackageManifest (tasks/main.yml);
#   if channels[0] is not "alpha" OLM may fail to resolve the starting CSV.
# - installPlanApproval: Automatic applies future operator upgrades from the
#   community-operators catalog without review; use Manual for change control.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: argocd-operator
  namespace: argocd
spec:
  channel: alpha
  installPlanApproval: Automatic
  name: argocd-operator
  source: community-operators
  sourceNamespace: openshift-marketplace
  startingCSV: {{ argo_channel }}
13 |
--------------------------------------------------------------------------------
/roles/ocp4-post-argocd/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-argocd
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/.travis.yml:
--------------------------------------------------------------------------------
---
# ansible-galaxy init skeleton: runs only a syntax check of tests/test.yml.
# NOTE(review): Python 2.7 is end-of-life and `pip install ansible` is
# unpinned, so the check runs against whatever version pip resolves that day;
# pin both if this CI configuration is kept.
language: python
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

install:
  # Install ansible
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

script:
  # Basic role syntax check
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/files/cert-manager-dns.yml:
--------------------------------------------------------------------------------
# Patch merged into the cert-manager Deployment by tasks/certmanager_operator.yml.
# dnsPolicy: None with a single public resolver makes the cert-manager pods
# resolve *only* through 8.8.8.8: cluster-internal names (Services, the API
# server) no longer resolve for these pods, every DNS query leaves the cluster,
# and egress to 8.8.8.8:53 must be open. The apparent intent is to let the ACME
# DNS-01 self-check see the public Route53 record rather than a cached/internal
# answer; cert-manager's --dns01-recursive-nameservers option does that without
# replacing the pod resolver.
spec:
  template:
    spec:
      dnsConfig:
        nameservers:
          - "8.8.8.8"
      dnsPolicy: None
8 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/files/cert-patch-ingress-operator.yml:
--------------------------------------------------------------------------------
# Patch for the default IngressController (operator.openshift.io/v1). Although
# it lives in files/, tasks/certificates.yml renders it with lookup('template'),
# so the Jinja expression is expanded. The secret name must equal the
# spec.secretName produced by templates/certificates.yml.j2 for that route
# ("<route_name>-cert-manager"), and the secret must exist in openshift-ingress.
spec:
  defaultCertificate:
    name: {{ cmanager_default_certificate }}-cert-manager
4 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/files/cert_aws_key_new.yml:
--------------------------------------------------------------------------------
# CredentialsRequest for the Cloud Credential Operator: CCO mints an AWS key
# with the statements below and writes it to Secret
# openshift-ingress/certmanager-aws-key, which templates/issuer.yml.j2 and
# tasks/aws_credentials.yml read.
#
# Least-privilege notes:
#  - ChangeResourceRecordSets on hostedzone/* allows rewriting ANY record in
#    ANY zone of the account. The role only needs the ACME TXT records under
#    the cluster/base zone; scope the resource to that zone once its ID is
#    known (it is discovered later, in aws_credentials.yml) and, where
#    supported, restrict the record type/name with Route53 condition keys.
#  - ListHostedZones* on "*" is what the zone discovery in
#    aws_credentials.yml relies on.
#  - The key is long-lived (no rotation here) and sits in openshift-ingress next
#    to the ingress TLS secrets; restrict access to that namespace accordingly.
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: certmanager
  namespace: openshift-cloud-credential-operator
spec:
  secretRef:
    name: certmanager-aws-key
    namespace: openshift-ingress
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - effect: Allow
      action:
      - route53:GetChange
      resource: "arn:aws:route53:::change/*"
    - effect: Allow
      action:
      - route53:ChangeResourceRecordSets
      - route53:ListResourceRecordSets
      resource: "arn:aws:route53:::hostedzone/*"
    - effect: Allow
      action:
      - route53:ListHostedZonesByName
      - route53:ListHostedZones
      resource: "*"
28 |
29 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/tasks/aws_credentials.yml:
--------------------------------------------------------------------------------
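---
# Mint Route53 credentials for cert-manager through the Cloud Credential
# Operator and discover the public hosted zone the ACME DNS-01 solver writes to.
# Facts set for the later task files: aws_access_key_id, aws_secret_access_key,
# name_zone, base_zone, host_zone_id.

- name: 'Create aws credentials'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('file', item ) | from_yaml }}"
  loop:
    - ./files/cert_aws_key_new.yml

# Wait for CCO to materialise the Secret instead of sleeping a fixed 10s
# (12 x 5s). no_log keeps the base64 key material out of verbose output.
- name: get keys from certmanager-aws
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    kind: Secret
    name: certmanager-aws-key
    namespace: openshift-ingress
  register: aws_credentials
  until:
    - aws_credentials.resources | length > 0
    - aws_credentials.resources[0].data.aws_secret_access_key is defined
  retries: 12
  delay: 5
  no_log: true

# The decoded secret key becomes a plain fact; no_log so it is never printed.
- name: '{{ cmanager_label }} Set facts aws_access_key_id '
  set_fact:
    aws_access_key_id: "{{ aws_credentials.resources.0.data.aws_access_key_id | b64decode }}"
    aws_secret_access_key: "{{ aws_credentials.resources.0.data.aws_secret_access_key | b64decode }}"
  no_log: true

- name: '{{ cmanager_label }} get hosted zones'
  route53_info:
    aws_access_key: "{{ aws_access_key_id }}"
    aws_secret_key: "{{ aws_secret_access_key }}"
    query: hosted_zone
  register: hosted_zones
  no_log: true

# Route53 zone names carry a trailing dot.
- name: '{{ cmanager_label }} set name_zone'
  set_fact:
    name_zone: "{{ ocp4_dnszone }}."
    base_zone: "{{ ocp4_base_domain }}."

- debug:
    msg: "{{ name_zone }} {{ base_zone }}"

# Select a *public* zone named like the cluster zone or the base domain.
# Private zones are skipped because Let's Encrypt must see the TXT record.
# If both zones exist, the last match in the API listing wins (unchanged
# behaviour) -- consider preferring name_zone explicitly.
- name: '{{ cmanager_label }} select hosted zone'
  set_fact:
    host_zone_id: '{{ item.Id }}'
  loop: "{{ hosted_zones.HostedZones }}"
  when: (item.Name == name_zone or item.Name == base_zone) and (not item.Config.PrivateZone | bool)

# Fail here with a clear message rather than at the first use of host_zone_id.
- name: '{{ cmanager_label }} verify a public hosted zone was found'
  assert:
    that:
      - host_zone_id is defined
    fail_msg: "No public Route53 hosted zone named {{ name_zone }} or {{ base_zone }} was found"

- debug:
    msg: '{{ host_zone_id }}'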
49 |
50 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/tasks/certificates.yml:
--------------------------------------------------------------------------------
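---
# Requests one wildcard Certificate per entry of cmanager_cert_routes (each item
# needs route_name and hostname; see templates/certificates.yml.j2) and points
# the default IngressController at the secret named by
# cmanager_default_certificate.

- name: '{{ cmanager_label }} Installing Certificates on route'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template','./templates/certificates.yml.j2' ) | from_yaml }}"
  loop: '{{ cmanager_cert_routes }}'
  loop_control:
    label: "{{ item.route_name }}"

# The patch file lives in files/ but is rendered as a template so that
# cmanager_default_certificate is expanded; the resulting secret name
# "<cmanager_default_certificate>-cert-manager" must match the secretName
# produced by certificates.yml.j2 for that route. The original task listed
# `kubeconfig` twice; duplicate mapping keys are rejected or silently collapsed
# depending on the YAML loader, so the duplicate is gone.
- name: '{{ cmanager_label }} Patch default certificate'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    api_version: operator.openshift.io/v1
    kind: IngressController
    name: default
    namespace: openshift-ingress-operator
    definition: "{{ lookup('template', './files/cert-patch-ingress-operator.yml' ) | from_yaml }}"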
18 |
19 |
20 |
21 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/tasks/certmanager_issuer.yml:
--------------------------------------------------------------------------------
1 |
# Create the ACME Issuer (Route53 DNS-01 solver) in openshift-ingress.
# Relies on the aws_access_key_id and host_zone_id facts from aws_credentials.yml.
- name: '{{ cmanager_label }} Install Issuer DNS challenger'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', './templates/issuer.yml.j2') | from_yaml }}"
9 |
10 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/tasks/certmanager_operator.yml:
--------------------------------------------------------------------------------
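---
# Installs cert-manager from the jetstack Helm chart (version pinned by
# cmanager_chart_version) into cmanager_namespace, then patches the controller
# Deployment's pod DNS so ACME DNS-01 self-checks use a public resolver.

- name: '{{ cmanager_label }} Install namespace'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', item ) | from_yaml }}"
  loop:
    - ./templates/ns.yml.j2

# `helm repo add` is purely local and never contacts the cluster, so no
# K8S_AUTH_* environment is needed here. (The previous K8S_AUTH_CONTEXT entry
# put a kubeconfig *path* into a context-*name* variable and was never read.)
- name: "{{ cmanager_label }} Add stable chart repo"
  community.kubernetes.helm_repository:
    name: jetstack
    repo_url: "https://charts.jetstack.io"

# Supply chain: the CRD manifest is fetched by release tag over HTTPS but not
# integrity-checked; add `checksum: sha256:<digest>` once the digest for the
# pinned version is known.
- name: "{{ cmanager_label }} Get certmanager CRDs"
  get_url:
    url: "https://github.com/jetstack/cert-manager/releases/download/{{ cmanager_chart_version }}/cert-manager.crds.yaml"
    dest: "{{ user_path }}/certMancrd.yaml"

# The CRD file is a multi-document YAML string; the k8s module applies each
# document. Path built with `~` instead of nested moustaches.
- name: "{{ cmanager_label }} Add certmanager CRDs"
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('file', user_path ~ '/certMancrd.yaml') }}"

# NOTE(review): the jetstack chart's controller replica setting is
# `replicaCount`; a top-level `replicas` value is likely ignored -- verify
# against the pinned chart version before relying on three replicas.
- name: '{{ cmanager_label }} Deploy certmanager'
  community.kubernetes.helm:
    kubeconfig: "{{ kubeconfig }}"
    name: cert-manager
    namespace: "{{ cmanager_namespace }}"
    chart_ref: jetstack/cert-manager
    chart_version: '{{ cmanager_chart_version }}'
    release_state: '{{ cmanager_state }}'
    wait: yes
    values:
      replicas: 3
  register: operator

- name: '{{ cmanager_label }} Waiting running pods'
  pause:
    seconds: 30

# This post-install patch is not tracked by the Helm release and may be lost
# on a later upgrade; the chart's podDnsPolicy/podDnsConfig values (if present
# in the pinned version) or the --dns01-recursive-nameservers controller flag
# are the durable alternatives. See files/cert-manager-dns.yml for the
# security implications of dnsPolicy None.
- name: '{{ cmanager_label }} Reach Dns Challenge adding dns nameserver'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    api_version: apps/v1
    kind: Deployment
    name: cert-manager
    namespace: "{{ cmanager_namespace }}"
    definition: "{{ lookup('file', item ) | from_yaml }}"
    merge_type: merge
  loop:
    - ./files/cert-manager-dns.yml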
61 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for ocp4-post-cert-manager
#
# Order matters: aws_credentials.yml sets the aws_access_key_id and
# host_zone_id facts that templates/issuer.yml.j2 needs, certificates.yml
# references the Issuer created by certmanager_issuer.yml, and test.yml then
# waits for the Certificates to become Ready.

- import_tasks: aws_credentials.yml
- import_tasks: certmanager_operator.yml
- import_tasks: certmanager_issuer.yml
- import_tasks: certificates.yml
- import_tasks: test.yml
9 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/tasks/test.yml:
--------------------------------------------------------------------------------
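---
# Wait until every Certificate requested by certificates.yml reports
# Ready=True. The original task only inspected conditions[0] of resources[0],
# so a second certificate could be pending (or the first condition could be
# "Issuing" rather than "Ready") and the check would still pass.

- name: Wait for each certificate to become Ready (10 retries, 30s apart)
  k8s_info:
    api_version: cert-manager.io/v1
    kubeconfig: "{{ kubeconfig }}"
    kind: Certificate
    namespace: openshift-ingress
    name: "{{ item.route_name }}-cert-managed"
  loop: "{{ cmanager_cert_routes }}"
  loop_control:
    label: "{{ item.route_name }}"
  register: web_service
  retries: 10
  delay: 30
  # status.conditions may be absent right after creation, hence default([]).
  until: >-
    web_service.resources | length > 0 and
    (web_service.resources[0].status.conditions | default([])
     | selectattr('type', 'equalto', 'Ready')
     | selectattr('status', 'equalto', 'True')
     | list | length) > 0

- name: Report certificate readiness
  debug:
    msg: "{{ item.item.route_name }}-cert-managed is Ready"
  loop: "{{ web_service.results }}"
  loop_control:
    label: "{{ item.item.route_name }}"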
18 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/templates/certificate.yaml:
--------------------------------------------------------------------------------
# NOTE(review): no task in this role references this template
# (tasks/certificates.yml uses certificates.yml.j2), and it targets the
# legacy cert-manager.io/v1alpha2 API with the old spec.acme stanza, which
# current cert-manager releases no longer serve. Keep only if a pre-v1
# cert-manager is still in use; otherwise delete it to avoid confusion.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: {{ cmanager_router_name }}-cert-managed
  namespace: openshift-ingress
  labels:
    router_name: {{ cmanager_router_name }}
spec:
  secretName: {{ cmanager_router_name }}-cert-managed
  issuerRef:
    name: letsencrypt-aws
    kind: Issuer
  commonName: "*.{{ cmanager_hosted_domain }}"
  dnsNames:
  - "*.{{ cmanager_hosted_domain }}"
  acme:
    config:
    - dns01:
        provider: dns
      domains:
      - "*.{{ cmanager_hosted_domain }}"
22 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/templates/certificates.yml.j2:
--------------------------------------------------------------------------------
# One wildcard Certificate per cmanager_cert_routes item (route_name, hostname),
# rendered by tasks/certificates.yml. The object name ends in "-cert-managed"
# while the secret ends in "-cert-manager"; the latter is what
# files/cert-patch-ingress-operator.yml references, so keep them in sync.
# Only "*.<hostname>" is requested -- the bare hostname is not covered by the
# wildcard. issuerRef.kind is omitted, i.e. the namespaced letsencrypt-aws
# Issuer in openshift-ingress is used.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ item.route_name }}-cert-managed
  namespace: openshift-ingress
  labels:
    router_name: {{ item.route_name }}
spec:
  secretName: {{ item.route_name }}-cert-manager
  issuerRef:
    name: letsencrypt-aws
  dnsNames:
  - "*.{{ item.hostname }}"
14 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/templates/issuer.yml.j2:
--------------------------------------------------------------------------------
# ACME Issuer (Let's Encrypt production) using the Route53 DNS-01 solver.
# accessKeyID is rendered in clear -- it is an identifier, not a secret; the
# secret key is read from Secret certmanager-aws-key in this namespace, which
# CCO created from files/cert_aws_key_new.yml. hostedZoneID pins the zone
# selected in tasks/aws_credentials.yml so cert-manager need not list zones.
# The production directory enforces rate limits; use the Let's Encrypt
# staging directory while testing the role.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-aws
  namespace: openshift-ingress
spec:
  acme:
    email: {{ cmanager_email_admin }}
    server: https://acme-v02.api.letsencrypt.org/directory
    # ACME account key, created by cert-manager on first use.
    privateKeySecretRef:
      name: issuer
    solvers:
    - selector: {}
      dns01:
        route53:
          region: {{ cmanager_aws_region }}
          accessKeyID: {{ aws_access_key_id }}
          hostedZoneID: {{ host_zone_id }}
          secretAccessKeySecretRef:
            key: aws_secret_access_key
            name: certmanager-aws-key
22 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cert-manager/templates/ns.yml.j2:
--------------------------------------------------------------------------------
---
# Namespace for cert-manager, rendered as a one-element list (the k8s module
# accepts a list definition). The certmanager.k8s.io/disable-validation label is
# the legacy (certmanager.k8s.io-era) webhook opt-out; with cert-manager.io/v1
# resources it presumably has no effect -- confirm it is still wanted. The
# openshift.io/node-selector annotation pins the pods to nodes carrying the
# node-role.kubernetes.io/<cmanager_nodeselector> label.
- kind: Namespace
  apiVersion: v1
  metadata:
    labels:
      certmanager.k8s.io/disable-validation: 'true'
      manager: cluster-policy-controller
    annotations:
      openshift.io/description: {{ cmanager_namespace }}
      openshift.io/display-name: {{ cmanager_namespace }}
      openshift.io/node-selector: node-role.kubernetes.io/{{ cmanager_nodeselector }}=
    name: {{ cmanager_namespace }}
13 |
14 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cluster-autoscale/.travis.yml:
--------------------------------------------------------------------------------
---
# ansible-galaxy init skeleton: runs only a syntax check of tests/test.yml.
# NOTE(review): Python 2.7 is end-of-life and `pip install ansible` is
# unpinned, so the check runs against whatever version pip resolves that day;
# pin both if this CI configuration is kept.
language: python
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

install:
  # Install ansible
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

script:
  # Basic role syntax check
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-post-cluster-autoscale/README.md:
--------------------------------------------------------------------------------
ocp4-post-cluster-autoscale
=========

Post-install role that enables node autoscaling on an OpenShift 4 cluster: it creates a `MachineAutoscaler` (`autoscale-<machineset>`) for every existing `MachineSet` in `openshift-machine-api`, and a single `ClusterAutoscaler` named `default` whose node cap and scale-down behaviour come from the role variables.
5 |
6 | Requirements
7 | ------------
8 |
Requires the `k8s`/`k8s_info` Ansible modules (openshift Python client) and credentials able to list `MachineSet`s and create `MachineAutoscaler`/`ClusterAutoscaler` objects (cluster-admin in practice). Unlike the sibling roles, these tasks do not pass a `kubeconfig` parameter, so they use whatever the modules' default kubeconfig/context resolves to on the controller.
10 |
11 | Role Variables
12 | --------------
13 |
Variables (all in `defaults/main.yml`): `_autoscale_machineset_min_replicas` (default 1) and `_autoscale_machineset_max_replicas` (default 4) become each `MachineAutoscaler`'s `minReplicas`/`maxReplicas`; `_autoscale_cluster_max_replicas` (default 12) becomes the `ClusterAutoscaler`'s `resourceLimits.maxNodesTotal`; `_autoscale_cluster_enable_scaledown` (default true) sets `scaleDown.enabled`. The scale-down delays are fixed at 120s.
15 |
16 | Dependencies
17 | ------------
18 |
None. The role relies only on the machine-api and autoscaling operators that ship with OpenShift 4.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
    - hosts: localhost   # the role only talks to the cluster API; run it from the controller host
      roles:
        - role: ocp4-post-cluster-autoscale
          vars:
            _autoscale_machineset_max_replicas: 6
            _autoscale_cluster_max_replicas: 20
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cluster-autoscale/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for ocp4-post-cluster-autoscale

# minReplicas / maxReplicas applied to every MachineAutoscaler (one per MachineSet).
_autoscale_machineset_min_replicas: 1
_autoscale_machineset_max_replicas: 4
# ClusterAutoscaler resourceLimits.maxNodesTotal -- the cap on nodes in the
# whole cluster, so it should exceed the sum of the per-MachineSet maxima plus
# the control-plane nodes.
_autoscale_cluster_max_replicas: 12
# ClusterAutoscaler scaleDown.enabled (delays are fixed at 120s in tasks/main.yml).
_autoscale_cluster_enable_scaledown: true
8 |
--------------------------------------------------------------------------------
/roles/ocp4-post-cluster-autoscale/tasks/main.yml:
--------------------------------------------------------------------------------
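---
# tasks file for ocp4-post-cluster-autoscale
#
# Creates one MachineAutoscaler per existing MachineSet and a single
# ClusterAutoscaler. Tunables live in defaults/main.yml (_autoscale_*).
# The file used to contain a second "---" document marker mid-file, which
# Ansible's single-document YAML loader rejects; it is gone.
# kubeconfig is passed explicitly, as every other ocp4-post-* role does,
# instead of relying on the module's implicit default context.

- name: get current machinesets
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: machine.openshift.io/v1beta1
    kind: MachineSet
    namespace: openshift-machine-api
  register: r_machinesets_list

# NOTE(review): a quoted Jinja expression renders as a string unless
# jinja2_native is enabled; `| int` states the intent, but confirm the API
# accepts the value with your Ansible configuration.
- name: create machine autoscaler for each machineset
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition:
      apiVersion: "autoscaling.openshift.io/v1beta1"
      kind: MachineAutoscaler
      metadata:
        name: "autoscale-{{ item.metadata.name }}"
        namespace: "openshift-machine-api"
      spec:
        minReplicas: "{{ _autoscale_machineset_min_replicas | int }}"
        maxReplicas: "{{ _autoscale_machineset_max_replicas | int }}"
        scaleTargetRef:
          apiVersion: "machine.openshift.io/v1beta1"
          kind: MachineSet
          name: "{{ item.metadata.name }}"
  loop: "{{ r_machinesets_list.resources }}"
  loop_control:
    label: "{{ item.metadata.name }}"

# maxNodesTotal is a cluster-wide cap (presumably control-plane nodes
# included), so it must exceed the sum of the per-MachineSet maxima or
# scale-up stops short without an error.
- name: create the cluster autoscaler
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition:
      apiVersion: "autoscaling.openshift.io/v1"
      kind: "ClusterAutoscaler"
      metadata:
        name: "default"
      spec:
        resourceLimits:
          maxNodesTotal: "{{ _autoscale_cluster_max_replicas | int }}"
        scaleDown:
          enabled: "{{ _autoscale_cluster_enable_scaledown }}"
          delayAfterAdd: 120s
          delayAfterDelete: 120s
          delayAfterFailure: 120s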
47 |
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/README.md:
--------------------------------------------------------------------------------
ocp4-post-infra-nodes
=========

Post-install role that adds dedicated infra nodes to an OpenShift 4 cluster. `tasks/infra-nodes.yml` includes the `ocp4-post-machinesets` role to create a MachineSet per availability-zone suffix, waits until `infra_node_replicas` nodes carry the `node-role.kubernetes.io/infra` label and, on clusters older than 4.5, patches the machine-config and node-ca DaemonSets so they tolerate the infra taints. `tasks/elk-nodes.yml` deploys a separate EFK MachineSet with the same pattern.
5 |
6 | Requirements
7 | ------------
8 |
Requires the `k8s`/`k8s_info` Ansible modules (openshift Python client) and a `kubeconfig` with permission to create MachineSets in `openshift-machine-api`, read Nodes/ClusterVersion and patch DaemonSets in system namespaces (cluster-admin in practice). The instance types (`r5.xlarge`) and zone suffixes (`a`/`b`/`c`) assume an AWS-style cluster.
10 |
11 | Role Variables
12 | --------------
13 |
Variables: `kubeconfig`; `infra_instance_type`, `infra_disk_size` and `infra_label` (passed to `ocp4-post-machinesets` as `instance_type`, `disk_size`, `node_labels`/`name_identifier`); `infra_node_replicas` (default 3, the number of infra nodes waited for); `zone_suffixes` (default `a`,`b`,`c` — note the tasks currently pass a hard-coded copy of the same list, so the default is not honoured); and for the EFK path `_infra_node_elasticsearch_nodes` (bool gate) and `_infra_node_elasticsearch_replicas`.
15 |
16 | Dependencies
17 | ------------
18 |
`ocp4-post-machinesets` is included at run time via `include_role` (it is not declared in `meta/main.yml`, so it must be present in the roles path). `elk-nodes.yml` currently includes a role named `machineset` instead; verify which name exists in the repository.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
    - hosts: localhost   # the role only talks to the cluster API; run it from the controller host
      roles:
        - role: ocp4-post-infra-nodes
          vars:
            kubeconfig: /path/to/kubeconfig
            infra_instance_type: m5.xlarge
            infra_disk_size: 120
            infra_label: infra
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for ocp4-post-infra-nodes

# Availability-zone suffixes a MachineSet is created for.
# NOTE(review): tasks/infra-nodes.yml and tasks/elk-nodes.yml pass a
# hard-coded copy of this list to the machineset role, so overriding this
# default currently has no effect.
zone_suffixes:
  - a
  - b
  - c

# Number of nodes with the infra role the role waits for (15 x 30s).
infra_node_replicas: 3
9 |
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post-infra-nodes
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/tasks/async.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
3 | #- name: wait for the status of the servicemesh subscription to not be empty
4 | # k8s_info:
5 | # api_version: operators.coreos.com/v1alpha1
6 | # kind: Subscription
7 | # name: service-mesh-operator
8 | # namespace: service-mesh-operators
9 | # register: operator_subscription_out
10 | # until:
11 | # - operator_subscription_out is defined
12 | # - operator_subscription_out.resources is defined
13 | # - operator_subscription_out.resources[0] is defined
14 | # - operator_subscription_out.resources[0].status is defined
15 | # - operator_subscription_out.resources[0].status.installplan is defined
16 | # retries: 30
17 | # delay: 20
18 |
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/tasks/elk-nodes.yml:
--------------------------------------------------------------------------------
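---
# Deploys a dedicated MachineSet for the EFK/Elasticsearch infra nodes and
# optionally waits for those nodes to join.

# infradata is not used in this file; presumably the included machineset role
# reads it -- verify before removing.
- name: '[POSTINSTALL][INFRA-NODES] Read cluster Infrastructure object'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: config.openshift.io/v1
    kind: Infrastructure
    name: cluster
  register: infradata

# Same include pattern as infra-nodes.yml; the instance type is fixed to
# r5.xlarge rather than driven by a variable. The role name now matches the
# one used by infra-nodes.yml (the previous "machineset" did not match).
- name: '[POSTINSTALL][INFRA-NODES] Deploy Infra EFK Nodes MachineSet'
  vars:
    instance_type: r5.xlarge
    node_labels:
      - infra
      - infra-efk
    zone_suffixes:
      - a
      - b
      - c
    name_identifier: infra-efk
  include_role:
    name: ocp4-post-machinesets

# The MachineSet above labels nodes "infra"/"infra-efk", but this waits for the
# "elasticsearch" node role: confirm the machineset role maps those labels,
# otherwise the wait times out (15 x 30s). kubeconfig added for consistency
# with every other k8s_info call in this role.
- name: '[POSTINSTALL][INFRA-NODES] Wait for Elasticsearch Nodes to be available'
  when: _infra_node_elasticsearch_nodes | d(False) | bool
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: v1
    kind: Node
    label_selectors:
      - node-role.kubernetes.io/elasticsearch =
  register: r_es_nodes
  until:
    - r_es_nodes.resources | length | int == _infra_node_elasticsearch_replicas | int
  delay: 30
  retries: 15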
37 |
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/tasks/infra-nodes.yml:
--------------------------------------------------------------------------------
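---
# Deploys the infra MachineSet, waits for the nodes and, on OCP < 4.5, patches
# the machine-config and node-ca DaemonSets so they tolerate the infra taints.

# infradata is not used in this file; presumably ocp4-post-machinesets reads
# it -- verify before removing.
- name: '[POSTINSTALL][INFRA-NODES] Read cluster Infrastructure object'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: config.openshift.io/v1
    kind: Infrastructure
    name: cluster
  register: infradata

# zone_suffixes is repeated here and shadows the same list in defaults/main.yml,
# so the default cannot be overridden from the outside.
- name: '[POSTINSTALL][INFRA-NODES] Deploy Infra Nodes MachineSet'
  vars:
    instance_type: "{{ infra_instance_type }}"
    disk_size: "{{ infra_disk_size }}"
    node_labels:
      - "{{ infra_label }}"
    zone_suffixes:
      - a
      - b
      - c
    name_identifier: "{{ infra_label }}"
  include_role:
    name: ocp4-post-machinesets

# Up to 15 x 30s for exactly infra_node_replicas nodes with the infra role.
- name: '[POSTINSTALL][INFRA-NODES] Wait for Infra Nodes to be available'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: v1
    kind: Node
    label_selectors:
      - node-role.kubernetes.io/infra =
  register: r_infra_nodes
  until:
    - r_infra_nodes.resources | length | int == infra_node_replicas | int
  delay: 30
  retries: 15

- name: '[POSTINSTALL][INFRA-NODES] Get ClusterVersion'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: config.openshift.io/v1
    kind: ClusterVersion
    name: version
  register: r_cluster_version

# history[0] is the most recent update entry.
- name: '[POSTINSTALL][INFRA-NODES] Set ocp4_workload_machinesets_cluster_version fact'
  set_fact:
    ocp4_workload_machinesets_cluster_version: "{{ r_cluster_version.resources[0].status.history[0].version }}"

# The Machine Config Daemon DaemonSet does not include
# Universal Tolerations. So by adding taints to Infra
# (and Elasticsearch) nodes the Machine Config Daemon
# pods would be removed from those nodes.
# This adds the necessary tolerations.
#
# See https://bugzilla.redhat.com/show_bug.cgi?id=1780318
# `version` is the current name of the test (version_compare is its old alias);
# the template path is passed as a plain expression instead of nested moustaches.
- name: '[POSTINSTALL][INFRA-NODES] Fix Machine Config and Node CA Daemon Sets (add Tolerations for Infra and Elasticsearch nodes)'
  when: ocp4_workload_machinesets_cluster_version is version('4.5', '<')
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    merge_type:
      - merge
    definition: "{{ lookup('template', item) }}"
  loop:
    - ./templates/machine-config-daemonset.j2
    - ./templates/node-ca-daemonset.j2
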
69 | - name: '[POSTINSTALL][INFRA-NODES] Configure Ingress Controllers and Image Registry'
70 | when: ocp4_workload_machinesets_cluster_version is version_compare('4.5', '<')
71 | k8s:
72 | kubeconfig: "{{ kubeconfig }}"
73 | state: present
74 | merge_type:
75 | - merge
76 | definition: "{{ lookup('template', '{{ item }}') }}"
77 | loop:
78 | - ./templates/ingress-controller.j2
79 | - ./templates/image-registry.j2
80 |
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point for ocp4-post-infra-nodes: the infra nodes are always created,
# the EFK/Elasticsearch node set only when `elk_nodes` is true.

- import_tasks: infra-nodes.yml

# import_tasks is static, so the `when` is applied to every task inside
# elk-nodes.yml rather than to the import itself.
- import_tasks: elk-nodes.yml
  when: elk_nodes | bool

--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/templates/image-registry.j2:
--------------------------------------------------------------------------------
# Moves the internal image registry onto the infra nodes; applied from
# infra-nodes.yml as a merge patch. The tolerations only matter if the infra
# nodes carry an infra=reserved taint; no template visible in this role
# applies that taint, so they are harmless otherwise.
apiVersion: imageregistry.operator.openshift.io/v1
kind: Config
metadata:
  name: cluster
spec:
  nodeSelector:
    "node-role.kubernetes.io/infra": ""
  tolerations:
    - effect: NoSchedule
      key: infra
      value: reserved
    - effect: NoExecute
      key: infra
      value: reserved
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/templates/ingress-controller.j2:
--------------------------------------------------------------------------------
# Pins the default IngressController to the infra nodes; applied from
# infra-nodes.yml as a merge patch. replicas: 3 presumably mirrors the three
# zone suffixes used for the infra MachineSets -- keep it in step with
# infra_node_replicas.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  replicas: 3
  nodePlacement:
    nodeSelector:
      matchLabels:
        node-role.kubernetes.io/infra: ""
    tolerations:
      - effect: NoSchedule
        key: infra
        value: reserved
      - effect: NoExecute
        key: infra
        value: reserved
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/templates/machine-config-daemonset.j2:
--------------------------------------------------------------------------------
# Merge-patched from infra-nodes.yml on clusters below 4.5 so the
# machine-config-daemon pods keep running on tainted infra (and, when
# elk_nodes is set, elasticsearch) nodes. Background:
# https://bugzilla.redhat.com/show_bug.cgi?id=1780318
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: machine-config-daemon
  namespace: openshift-machine-config-operator
spec:
  template:
    spec:
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/etcd
          operator: Exists
        - effect: NoSchedule
          key: infra
          value: reserved
        - effect: NoExecute
          key: infra
          value: reserved
{% if elk_nodes | bool %}
        - effect: NoSchedule
          key: elasticsearch
          value: reserved
        - effect: NoExecute
          key: elasticsearch
          value: reserved
{% endif %}
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/templates/machineset.j2:
--------------------------------------------------------------------------------
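# AWS MachineSet for one availability zone. Rendered once per `zone_suffix`
# with the `machineset` fact (infrastructure_id, region, node_labels,
# name_identifier, aws_ami, disk_size, instance_type).
apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  labels:
    machine.openshift.io/cluster-api-cluster: {{ machineset.infrastructure_id }}
  name: {{ machineset.infrastructure_id }}-{{ machineset.name_identifier }}-{{ machineset.region }}{{ zone_suffix }}
  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: {{ machineset.infrastructure_id }}
      # The selector must be unique per MachineSet, so it is built from
      # name_identifier (== the MachineSet name). Using node_labels.0 here
      # made two sets sharing a first label (e.g. infra and infra-efk)
      # select each other's Machines in the same zone.
      machine.openshift.io/cluster-api-machineset: {{ machineset.infrastructure_id }}-{{ machineset.name_identifier }}-{{ machineset.region }}{{ zone_suffix }}
  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: {{ machineset.infrastructure_id }}
        machine.openshift.io/cluster-api-machine-role: {{ machineset.node_labels.0 }}
        machine.openshift.io/cluster-api-machine-type: {{ machineset.node_labels.0 }}
        machine.openshift.io/cluster-api-machineset: {{ machineset.infrastructure_id }}-{{ machineset.name_identifier }}-{{ machineset.region }}{{ zone_suffix }}
    spec:
      metadata:
        labels:
{% for label in machineset.node_labels %}
          node-role.kubernetes.io/{{ label }}: ""
{% endfor %}
      providerSpec:
        value:
          ami:
            id: {{ machineset.aws_ami }}
          apiVersion: awsproviderconfig.openshift.io/v1beta1
          blockDevices:
            - ebs:
                iops: 0
                volumeSize: {{ machineset.disk_size }}
                volumeType: gp2
          credentialsSecret:
            name: aws-cloud-credentials
          deviceIndex: 0
          iamInstanceProfile:
            id: {{ machineset.infrastructure_id }}-worker-profile
          instanceType: {{ machineset.instance_type }}
          kind: AWSMachineProviderConfig
          placement:
            # Zone and subnet follow the suffix this set is rendered for;
            # they were hard-coded to "a", which put every set's machines in
            # zone a regardless of the -b / -c name.
            availabilityZone: {{ machineset.region }}{{ zone_suffix }}
            region: {{ machineset.region }}
          securityGroups:
            - filters:
                - name: tag:Name
                  values:
                    - {{ machineset.infrastructure_id }}-worker-sg
          subnet:
            filters:
              - name: tag:Name
                values:
                  - {{ machineset.infrastructure_id }}-private-{{ machineset.region }}{{ zone_suffix }}
          tags:
            - name: kubernetes.io/cluster/{{ machineset.infrastructure_id }}
              value: owned
          userDataSecret:
            name: worker-user-data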
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/templates/node-ca-daemonset.j2:
--------------------------------------------------------------------------------
# Merge-patched from infra-nodes.yml on clusters below 4.5 so the registry's
# node-ca pods keep running on tainted infra (and, when elk_nodes is set,
# elasticsearch) nodes. Same background as machine-config-daemonset.j2.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: node-ca
  namespace: openshift-image-registry
spec:
  template:
    spec:
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/etcd
          operator: Exists
        - effect: NoSchedule
          key: infra
          value: reserved
        - effect: NoExecute
          key: infra
          value: reserved
{% if elk_nodes | bool %}
        - effect: NoSchedule
          key: elasticsearch
          value: reserved
        - effect: NoExecute
          key: elasticsearch
          value: reserved
{% endif %}
--------------------------------------------------------------------------------
/roles/ocp4-post-infra-nodes/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for ocp4-post-infra-nodes (intentionally empty; the role's
# inputs come from its defaults and the play variables)
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/.travis.yml:
--------------------------------------------------------------------------------
---
language: python
# NOTE(review): Python 2.7 plus the unpinned `pip install ansible` below means
# this job exercises whichever ansible release pip resolves on the day; pin
# the version (and move to a supported interpreter) to keep the syntax check
# reproducible.
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

install:
  # Install ansible
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

script:
  # Basic role syntax check (no cluster is contacted here)
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for ocp4-post-logging
# Node selector for the clo elements ('node-role.kubernetes.io/infra= ').
# Rendered into the openshift.io/node-selector annotation of both logging
# namespaces (templates/clo-namespace.yaml, templates/eo-namespace.yaml).
clo_node_selector: "node-role.kubernetes.io/infra="

--------------------------------------------------------------------------------
/roles/ocp4-post-logging/files/clo-og.yaml:
--------------------------------------------------------------------------------
# OperatorGroup for the Cluster Logging Operator, scoped to its own
# namespace (targetNamespaces). The "-abab" suffix in the name looks like a
# scratch value; the name itself is arbitrary -- TODO confirm it is intended.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  annotations:
    olm.providedAPIs: ClusterLogging.v1.logging.openshift.io
  name: openshift-logging-abab
  namespace: openshift-logging
spec:
  targetNamespaces:
  - openshift-logging
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/files/eo-og.yaml:
--------------------------------------------------------------------------------
# OperatorGroup for the Elasticsearch Operator. An empty spec (no
# targetNamespaces) is the all-namespaces form, which is what this operator's
# install mode requires.
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: openshift-operators-redhat
  namespace: openshift-operators-redhat
spec: {}
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/files/eo-rbac.yaml:
--------------------------------------------------------------------------------
# Read-only (get/list/watch) access to services, endpoints and pods inside
# openshift-operators-redhat for the cluster-monitoring prometheus-k8s service
# account -- presumably so Prometheus can discover and scrape the operator's
# metrics. Scope stays namespaced (Role, not ClusterRole).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-k8s
  namespace: openshift-operators-redhat
rules:
- apiGroups:
  - ""
  resources:
  - services
  - endpoints
  - pods
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: prometheus-k8s
  namespace: openshift-operators-redhat
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prometheus-k8s
subjects:
- kind: ServiceAccount
  name: prometheus-k8s
  namespace: openshift-operators-redhat
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for ocp4-post-logging (no handlers defined)
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/meta/main.yml:
--------------------------------------------------------------------------------
# NOTE(review): author, description, company and license are still the
# ansible-galaxy init placeholders; `license` in particular is not a valid
# SPDX id, so fill these in before publishing the role.
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.9

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.

--------------------------------------------------------------------------------
/roles/ocp4-post-logging/tasks/configuration.yml:
--------------------------------------------------------------------------------
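---
# Creates the ClusterLogging instance once the Cluster Logging Operator
# (installed by installation.yml) has registered its CRD.

# OLM installs the ClusterLogging CRD together with the operator; until it
# exists the k8s module cannot resolve the kind used below. Polling for the
# CRD replaces the former fixed 60 s pause, which was either wasted time or,
# on a slow catalog, not enough. Up to 30 x 10 s.
- name: '[POSTINSTALL][LOGGING] Wait for operator to be ready'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: apiextensions.k8s.io/v1
    kind: CustomResourceDefinition
    name: clusterloggings.logging.openshift.io
  register: r_clo_crd
  until: r_clo_crd.resources | length > 0
  retries: 30
  delay: 10

- name: '[POSTINSTALL][LOGGING] Setup Logging configuration'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', 'logging-crd.yaml') }}"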
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/tasks/installation.yml:
--------------------------------------------------------------------------------
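---
# Installs the Elasticsearch Operator (openshift-operators-redhat) and the
# Cluster Logging Operator (openshift-logging) through OLM.
#https://docs.openshift.com/container-platform/4.5/operators/olm-adding-operators-to-cluster.html#olm-installing-operator-from-operatorhub-using-cli_olm-adding-operators-to-a-cluster

- name: '[POSTINSTALL][LOGGING] Create Namespaces'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', item) }}"
  with_items:
    - eo-namespace.yaml
    - clo-namespace.yaml

### ElasticSearch Operator

# An OperatorGroup is an OLM resource that selects target namespaces in which to generate required
# RBAC access for all Operators in the same namespace as the OperatorGroup
# The namespace to which you subscribe the Operator must have an OperatorGroup that matches the
# Operator’s InstallMode
- name: '[POSTINSTALL][LOGGING] Create Operator Group'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('file', 'eo-og.yaml') }}"

# PackageManifest holds information about a package, which is a reference to
# one (or more) channels under a single package.
- name: '[POSTINSTALL][LOGGING] Get available ES channels'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    name: "elasticsearch-operator"
    kind: "PackageManifest"
    namespace: "openshift-marketplace"
  register: es_manifest
  when: es_channel is not defined

# Grab the ES Channel if is not defined in vars.yml
- name: '[POSTINSTALL][LOGGING] Set local var'
  set_fact:
    es_channel: "{{ es_manifest.resources[0].status.defaultChannel }}"
  when: es_channel is not defined

#- name: Subscribing on channel {{ es_channel }}
# K8s module does not handle generateName correctly, so we use oc client
#  k8s:
#    kubeconfig: "{{ kubeconfig }}"
#    state: present
#    definition: "{{ lookup('template', 'eo-sub.yaml') }}"

# The Subscription is rendered into a private (0600) temporary file instead of
# a fixed, world-predictable path under /tmp.
- name: '[POSTINSTALL][LOGGING] Create temporary file for the ES Subscription'
  tempfile:
    state: file
    suffix: -eo-sub.yaml
  register: eo_sub_file

- name: '[POSTINSTALL][LOGGING] Create file'
  template:
    src: eo-sub.yaml
    dest: "{{ eo_sub_file.path }}"
    mode: '0600'

# `command` with argv passes each argument as-is (no shell, no word
# splitting of user_path / kubeconfig); the kubeconfig goes through the
# environment rather than the command line. Note that `oc create` with a
# generateName template creates a new Subscription on every run -- this task
# is not idempotent (see eo-sub.yaml).
- name: '[POSTINSTALL][LOGGING] Subscribing ES on channel {{ es_channel }}'
  command:
    argv:
      - "{{ user_path }}/oc"
      - create
      - -f
      - "{{ eo_sub_file.path }}"
  environment:
    KUBECONFIG: "{{ kubeconfig }}"

- name: '[POSTINSTALL][LOGGING] Remove the rendered ES Subscription file'
  file:
    path: "{{ eo_sub_file.path }}"
    state: absent

- name: '[POSTINSTALL][LOGGING] Create RBAC'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('file', 'eo-rbac.yaml') }}"


### ClusterLogging Operator
- name: '[POSTINSTALL][LOGGING] Create CLO-OperatorGroup'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('file', 'clo-og.yaml') }}"

# Grab the CLO Channel if is not defined in vars.yml
- name: '[POSTINSTALL][LOGGING] Get available CLO channels'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    name: "cluster-logging"
    kind: "PackageManifest"
    namespace: "openshift-marketplace"
  register: clo_manifest
  when: clo_channel is not defined

- name: '[POSTINSTALL][LOGGING] Set local var'
  set_fact:
    clo_channel: "{{ clo_manifest.resources[0].status.defaultChannel }}"
  when: clo_channel is not defined

- name: '[POSTINSTALL][LOGGING] Create CLO-Subscription on channel {{ clo_channel }}'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition: "{{ lookup('template', 'clo-sub.yaml') }}"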
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point for ocp4-post-logging: operator installation first, then the
# ClusterLogging instance.

- import_tasks: installation.yml
- import_tasks: configuration.yml

--------------------------------------------------------------------------------
/roles/ocp4-post-logging/templates/clo-namespace.yaml:
--------------------------------------------------------------------------------
# Namespace for the Cluster Logging Operator. clo_node_selector has a value in
# defaults/main.yml, so the `is defined` guard is effectively always true
# unless a caller unsets it.
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-logging
  annotations:
{%if clo_node_selector is defined %}
    openshift.io/node-selector: "{{ clo_node_selector }}"
{% endif %}
  labels:
    openshift.io/cluster-logging: "true"
    openshift.io/cluster-monitoring: "true"
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/templates/clo-sub.yaml:
--------------------------------------------------------------------------------
# Subscription for the Cluster Logging Operator; clo_channel is either passed
# in or taken from the PackageManifest's default channel (installation.yml).
# installPlanApproval Automatic means operator upgrades on the channel are
# applied without review.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: cluster-logging
  namespace: openshift-logging
spec:
  channel: "{{ clo_channel }}"
  name: cluster-logging
  installPlanApproval: "Automatic"
  source: redhat-operators
  sourceNamespace: openshift-marketplace
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/templates/eo-namespace.yaml:
--------------------------------------------------------------------------------
# Namespace for the Elasticsearch Operator. Unlike clo-namespace.yaml the
# whole annotations block is conditional here; clo_node_selector has a
# default, so it is normally rendered.
apiVersion: v1
kind: Namespace
metadata:
  name: openshift-operators-redhat
{%if clo_node_selector is defined %}
  annotations:
    openshift.io/node-selector: "{{ clo_node_selector }}"
{% endif %}
  labels:
    openshift.io/cluster-logging: "true"
    openshift.io/cluster-monitoring: "true"
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/templates/eo-sub.yaml:
--------------------------------------------------------------------------------
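# Subscription for the Elasticsearch Operator; rendered to a temporary file
# and applied with `oc create` (tasks/installation.yml). generateName makes
# every `oc create` produce a new Subscription object, so re-running the play
# adds duplicates instead of updating -- a fixed `name` would let the k8s
# module manage it idempotently, as clo-sub.yaml does.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  generateName: "elasticsearch-"
  namespace: "openshift-operators-redhat"
spec:
  # es_channel is a plain OLM channel name. The former `| quote` is a
  # shell-quoting filter; for any channel containing shell-special characters
  # it would embed literal quote characters in the YAML value.
  channel: "{{ es_channel }}"
  installPlanApproval: "Automatic"
  source: "redhat-operators"
  sourceNamespace: "openshift-marketplace"
  name: "elasticsearch-operator"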
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/templates/logging-crd.yaml:
--------------------------------------------------------------------------------
# ClusterLogging instance created by tasks/configuration.yml: a two-node
# Elasticsearch log store on gp2 volumes, one Kibana replica, a nightly
# curator job and fluentd collectors. Component placement follows the
# namespace node selector (clo_node_selector), not this file.
apiVersion: "logging.openshift.io/v1"
kind: "ClusterLogging"
metadata:
  name: "instance"
  namespace: "openshift-logging"
spec:
  managementState: "Managed"
  logStore:
    type: "elasticsearch"
    elasticsearch:
      # SingleRedundancy keeps one replica of each shard, which needs at
      # least this many data nodes.
      nodeCount: 2
      storage:
        storageClassName: gp2
        size: 200G
      redundancyPolicy: "SingleRedundancy"
      resources:
        limits:
          cpu: "3000m"
          memory: "4Gi"
        requests:
          cpu: "1000m"
          memory: "1Gi"
  visualization:
    type: "kibana"
    kibana:
      replicas: 1
  curation:
    type: "curator"
    curator:
      schedule: "30 3 * * *"
  collection:
    logs:
      type: "fluentd"
      fluentd: {}
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/tests/test.yml:
--------------------------------------------------------------------------------
---
# ansible-galaxy scaffold; .travis.yml runs it with --syntax-check only.
# NOTE(review): remote_user: root is the scaffold default -- nothing in this
# role's tasks appears to need root, so a regular user would do for a real run.
- hosts: localhost
  remote_user: root
  roles:
    - ocp4-post-logging
--------------------------------------------------------------------------------
/roles/ocp4-post-logging/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for ocp4-post-logging (intentionally empty; es_channel and
# clo_channel are resolved at run time in tasks/installation.yml)
--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for ocp4-post-machinesets
# Only the zone list has a default; node_labels, instance_type, disk_size and
# name_identifier must be supplied by the including play (tasks/main.yml
# reads all of them when building the machineset fact).
zone_suffixes:
  - a
  - b
  - c

--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for ocp4-post-machinesets (no handlers defined)
--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/meta/main.yml:
--------------------------------------------------------------------------------
# NOTE(review): author, description, company and license are still the
# ansible-galaxy init placeholders; `license` in particular is not a valid
# SPDX id, so fill these in before publishing the role.
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.9

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.

--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/tasks/main.yml:
--------------------------------------------------------------------------------
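---
# Creates one AWS MachineSet per zone suffix for a given set of node labels.
# Required inputs from the including play: node_labels, instance_type,
# disk_size, name_identifier; zone_suffixes has a default.

- name: '[OCP4-POSTINSTALL][MACHINESET] Fetch cluster information about the Infrastructure'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: config.openshift.io/v1
    kind: Infrastructure
    name: cluster
  register: cluster_info

- name: '[POSTINSTALL][MACHINESET] Show info about the cluster of OCP4'
  debug:
    msg: "{{ cluster_info }}"

# The AMI id is copied from the master-0 Machine so the new nodes boot the
# image the installer used for the control plane.
- name: '[POSTINSTALL][MACHINESET] Search and fetch ami id in {{ cluster_info.resources.0.status.infrastructureName }}-master-0 machine'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: machine.openshift.io/v1beta1
    kind: Machine
    name: "{{ cluster_info.resources.0.status.infrastructureName }}-master-0"
    namespace: openshift-machine-api
  register: amimaster0

# Everything templates/machineset.j2 needs, collected under one fact.
- name: '[POSTINSTALL][MACHINESET] Build the {{ node_labels }} machineset facts'
  set_fact:
    machineset:
      infrastructure_id: "{{ cluster_info.resources.0.status.infrastructureName }}"
      region: "{{ cluster_info.resources.0.status.platformStatus.aws.region }}"
      node_labels: "{{ node_labels }}"
      zone_suffixes: "{{ zone_suffixes }}"
      aws_ami: "{{ amimaster0.resources.0.spec.providerSpec.value.ami.id }}"
      disk_size: "{{ disk_size }}"
      instance_type: "{{ instance_type }}"
      name_identifier: "{{ name_identifier }}"

- name: '[POSTINSTALL][MACHINESET] Display the data for the {{ node_labels }} machinesets'
  debug:
    var: machineset

# One MachineSet per zone; the template reads `zone_suffix`. Name and
# namespace come from the rendered definition (the stray `name:
# openshift-machine-api` was the namespace, and was overridden anyway).
# The API server certificate is verified against the CA in the kubeconfig,
# exactly like every other call in this role -- the former
# `validate_certs: false` disabled that check for this one write.
- name: '[POSTINSTALL][MACHINESET] Create the {{ node_labels }} machineset'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    api_version: machine.openshift.io/v1beta1
    kind: MachineSet
    state: present
    resource_definition: "{{ lookup('template', 'templates/machineset.j2') }}"
  loop: "{{ zone_suffixes }}"
  loop_control:
    loop_var: zone_suffix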
--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/templates/machineset.j2:
--------------------------------------------------------------------------------
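# AWS MachineSet for one availability zone. Rendered once per `zone_suffix`
# from the `machineset` fact built in tasks/main.yml (infrastructure_id,
# region, node_labels, name_identifier, aws_ami, disk_size, instance_type).
# When ceph_namespace is defined the nodes are additionally labelled and
# tainted for OpenShift Container Storage.
apiVersion: machine.openshift.io/v1beta1
kind: MachineSet
metadata:
  labels:
    machine.openshift.io/cluster-api-cluster: {{ machineset.infrastructure_id }}
  name: {{ machineset.infrastructure_id }}-{{ machineset.name_identifier }}-{{ machineset.region }}{{ zone_suffix }}
  namespace: openshift-machine-api
spec:
  replicas: 1
  selector:
    matchLabels:
      machine.openshift.io/cluster-api-cluster: {{ machineset.infrastructure_id }}
      # The selector must be unique per MachineSet, so it is built from
      # name_identifier (== the MachineSet name). Using node_labels.0 here
      # made two sets sharing a first label (e.g. infra and infra-efk)
      # select each other's Machines in the same zone.
      machine.openshift.io/cluster-api-machineset: {{ machineset.infrastructure_id }}-{{ machineset.name_identifier }}-{{ machineset.region }}{{ zone_suffix }}
  template:
    metadata:
      labels:
        machine.openshift.io/cluster-api-cluster: {{ machineset.infrastructure_id }}
        machine.openshift.io/cluster-api-machine-role: {{ machineset.node_labels.0 }}
        machine.openshift.io/cluster-api-machine-type: {{ machineset.node_labels.0 }}
        machine.openshift.io/cluster-api-machineset: {{ machineset.infrastructure_id }}-{{ machineset.name_identifier }}-{{ machineset.region }}{{ zone_suffix }}
    spec:
      metadata:
        labels:
{% for label in machineset.node_labels %}
          node-role.kubernetes.io/{{ label }}: ""
{% endfor %}
{% if ceph_namespace is defined %}
          # Emitted once, outside the loop; inside it the key was repeated per
          # node label (a duplicate mapping key).
          cluster.ocs.openshift.io/openshift-storage: ""
{% endif %}
      providerSpec:
        value:
          ami:
            id: {{ machineset.aws_ami }}
          apiVersion: awsproviderconfig.openshift.io/v1beta1
          blockDevices:
            - ebs:
                iops: 0
                volumeSize: {{ machineset.disk_size }}
                volumeType: gp2
          credentialsSecret:
            name: aws-cloud-credentials
          deviceIndex: 0
          iamInstanceProfile:
            id: {{ machineset.infrastructure_id }}-worker-profile
          instanceType: {{ machineset.instance_type }}
          kind: AWSMachineProviderConfig
          placement:
            # Zone and subnet follow the suffix this set is rendered for;
            # they were hard-coded to "a", which put every set's machines in
            # zone a regardless of the -b / -c name.
            availabilityZone: {{ machineset.region }}{{ zone_suffix }}
            region: {{ machineset.region }}
          securityGroups:
            - filters:
                - name: tag:Name
                  values:
                    - {{ machineset.infrastructure_id }}-worker-sg
          subnet:
            filters:
              - name: tag:Name
                values:
                  - {{ machineset.infrastructure_id }}-private-{{ machineset.region }}{{ zone_suffix }}
          tags:
            - name: kubernetes.io/cluster/{{ machineset.infrastructure_id }}
              value: owned
          userDataSecret:
            name: worker-user-data
{% if ceph_namespace is defined %}
      taints:
        - effect: NoSchedule
          key: node.ocs.openshift.io/storage
          value: 'true'
{% endif %}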
--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/tests/test.yml:
--------------------------------------------------------------------------------
---
# Galaxy scaffold smoke test for the ocp4-post-machinesets role.
# It only proves the role is loadable; the role itself still needs the
# machineset/kubeconfig variables supplied by the real playbooks to do anything.
- hosts: localhost
  remote_user: root
  roles:
    - ocp4-post-machinesets
--------------------------------------------------------------------------------
/roles/ocp4-post-machinesets/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for ocp4-post-machinesets
# name_identifier is the first entry of name_label, which the caller must
# define. Because this lives in vars/ (not defaults/), it outranks inventory,
# group_vars and play vars and can only be overridden with extra-vars.
name_identifier: "{{ name_label.0 }}"
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for ocp4-post-monitoring
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post-monitoring
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/meta/main.yml:
--------------------------------------------------------------------------------
# Unedited ansible-galaxy scaffold: author/description/license are still the
# placeholder values. `license:` below is not a valid SPDX identifier (the
# role README says BSD) - fix before publishing the role.
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.9

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Hands the cluster-monitoring-operator its cluster-monitoring-config ConfigMap
# (rendered from templates/cluster-monitoring-config.yml): every monitoring
# component is pinned to infra nodes and Prometheus/Alertmanager get persistent
# storage sized by prometheus_gp2_storage / alertmanager_gp2_storage, with
# prom_retention as the Prometheus retention. Requires `kubeconfig`.

# TODO: Review the tolerations for the infra / elk nodes
#   (the template only sets nodeSelector; presumably, if the infra nodes carry a
#   taint, these pods will not schedule until matching tolerations are added)
- name: '[POSTINSTALL][MONITORING] Apply cluster-monitoring-config config map'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    merge_type:
      - strategic-merge
      - merge
    # the rendered template is handed over as a YAML string (no from_yaml);
    # the k8s module parses it itself
    definition: "{{ lookup('template', 'cluster-monitoring-config.yml') }}"
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/templates/cluster-monitoring-config.yml:
--------------------------------------------------------------------------------
# cluster-monitoring-config: read by the cluster-monitoring-operator. Each
# component gets nodeSelector node-role.kubernetes.io/infra, so infra nodes
# (e.g. from the ocp4-post-machinesets role) must exist or the pods stay
# Pending. Variables: prom_retention, prometheus_gp2_storage,
# alertmanager_gp2_storage.
# NOTE: config.yaml is a literal block - do not put comments inside it, they
# would become part of the stored config.
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-monitoring-config
  namespace: openshift-monitoring
data:
  config.yaml: |
    prometheusK8s:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      retention: "{{ prom_retention }}"
      volumeClaimTemplate:
        metadata:
          name: prometheusdb
        spec:
          resources:
            requests:
              storage: "{{ prometheus_gp2_storage }}"
    alertmanagerMain:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
      volumeClaimTemplate:
        metadata:
          name: alertmanpvc
        spec:
          resources:
            requests:
              storage: "{{ alertmanager_gp2_storage }}"
    prometheusOperator:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    kubeStateMetrics:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    grafana:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    telemeterClient:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
    k8sPrometheusAdapter:
      nodeSelector:
        node-role.kubernetes.io/infra: ""
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/tests/test.yml:
--------------------------------------------------------------------------------
---
# Galaxy scaffold smoke test for the ocp4-post-monitoring role.
# It only proves the role is loadable; the real playbooks supply kubeconfig,
# prom_retention and the storage-size variables the role needs.
- hosts: localhost
  remote_user: root
  roles:
    - ocp4-post-monitoring
--------------------------------------------------------------------------------
/roles/ocp4-post-monitoring/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-monitoring
3 |
4 |
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/README.md:
--------------------------------------------------------------------------------
1 | # Authentication
2 |
3 | ## References
4 |
5 | - https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-ldap-identity-provider.html
6 | - https://docs.openshift.com/container-platform/4.3/authentication/ldap-syncing.html
7 | - https://github.com/redhat-cop/openshift-management/blob/master/jobs/cronjob-ldap-group-sync.yml
8 |
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/defaults/main.yml:
--------------------------------------------------------------------------------
---
# Defaults for ocp4-post-oauth. Anything secret (bind password, user passwords)
# must come from the vault (examples/vault.yml), never from this file.

# LDAP settings
# -----------------
# uid that gets cluster-admin in the LDAP flow (oauth-ldap.yml)
ocp4_idm_admin_user: opentlc-mgr

# LDAP settings
# ocp4_idm_ldap_url must stay ldaps:// - oauth-ldap.j2 sets insecure: false and
# pins the CA fetched from ocp4_idm_ldap_ca_url.
ocp4_idm_ldap_url: ldaps://ipa1.opentlc.com:636/cn=users,cn=accounts,dc=opentlc,dc=com?uid
# NOTE(review): this CA download is plain http. It is the trust anchor for the
# LDAPS connection, so an on-path attacker could swap the CA and then
# impersonate the directory (collecting the bind password and every user
# password at login). Serve it over https or pin it before production use.
ocp4_idm_ldap_ca_url: http://ipa.opentlc.com/ipa/config/ca.crt
# the bind password itself is ocp4_idm_ldap_bindPassword, expected from vault
ocp4_idm_ldap_bind_dn: "uid=ose-mwl-auth,cn=users,cn=accounts,dc=opentlc,dc=com"

# htpasswd settings
# -----------------
# NOTE(review): the htpasswd tasks (oauth-htpasswd.yml, htpasswd.j2) read
# ocp4_htpasswd_admin_user / ocp4_htpasswd_admin_password /
# ocp4_htpasswd_dev_user / ocp4_htpasswd_dev_password, not the ocp4_idm_htpasswd_*
# names below, so these four values are currently unused. Do not "fix" the
# names by pointing the tasks at a default password: leave passwords undefined
# here and provide them from vault.

# Base of the users for htpasswd
ocp4_idm_htpasswd_user_base: user
ocp4_idm_htpasswd_user_count: 20

# Set a password for the Admin User
ocp4_idm_htpasswd_admin_password: hashmeinvault

# Set a password for all htpasswd users
ocp4_idm_htpasswd_user_password: hashmeinvault

# Azure AD settings
# -----------------

#Tobefilled: hash

# Google OAuth settings
# -----------------
# (templates/google-openid-client-secret.j2 and oauth-google.j2 still carry
#  ${...} placeholders for client id, secret and issuer)

#Tobefilled: hash

# GitLab OAuth settings
# -----------------

#Tobefilled: hash
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point of ocp4-post-oauth. Dispatches on the `oauth` variable (required;
# an undefined `oauth` makes the first `when` fail), then optionally removes
# kubeadmin and project self-provisioning. Only the htpasswd provider is wired
# in; the other provider task files exist but are still WIP.

# Do not modify this file
- debug:
    var: action

- block:
    - import_tasks: oauth-htpasswd.yml
  when: oauth == "htpasswd"

# (WIP) - task files below are not finished; the google/github entries in the
# original scaffold pointed at oauth-azuread.yml by copy-paste, corrected here.
#- block:
#    - import_tasks: oauth-ldap.yml
#  when: oauth == "ldap"
#
#- block:
#    - import_tasks: oauth-azuread.yml
#  when: oauth == "azuread"
#
#- block:
#    - import_tasks: oauth-google.yml
#  when: oauth == "google"
#
#- block:
#    - import_tasks: oauth-github.yml   # no such task file exists yet
#  when: oauth == "github"
#
# Only safe once a replacement cluster-admin can log in (see remove-kubeadmin.yml)
- block:
    - import_tasks: remove-kubeadmin.yml
  when: ocp4_remove_kubeadmin | bool

- block:
    - import_tasks: remove-self-provisioner.yml
  when: removeselfprovisioning | bool
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/tasks/oauth-azuread.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # TODO
3 | # https://access.redhat.com/solutions/2465011
4 |
5 |
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/tasks/oauth-google.yml:
--------------------------------------------------------------------------------
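---
# Google (OpenID Connect) identity provider. WIP: not wired into tasks/main.yml,
# and the templates still contain ${...} placeholders that Jinja renders
# literally - fill them from vaulted variables before enabling this file.
# Requires `kubeconfig`.

# state=present creates or updates the Secret in place, so the cluster OAuth
# never references a deleted secret in between (the previous absent-then-create
# sequence left such a window). no_log keeps the rendered client secret out of
# the play output.
- name: '[OCP4-POST-OAUTH][OCP4-GOOGLEAUTH] Create/update Google OAuth client Secret'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    merge_type:
      - strategic-merge
      - merge
    definition: "{{ lookup('template', item ) | from_yaml }}"
  loop:
    - ./templates/google-openid-client-secret.j2
  no_log: true

# The OAuth spec references the Secret by name
# (openID.clientSecret.name in oauth-google.j2) - the name in the Secret
# template must match it.
- name: '[OCP4-POST-OAUTH][OCP4-GOOGLEAUTH] Update Google OAuth Configuration'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    merge_type:
      - strategic-merge
      - merge
    definition: "{{ lookup('template', item ) | from_yaml }}"
  loop:
    - ./templates/oauth-google.j2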
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/tasks/oauth-htpasswd.yml:
--------------------------------------------------------------------------------
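---
# Configures the HTPasswd identity provider:
#   1. hash the optional developer and admin passwords,
#   2. render users.htpasswd, load it into Secret openshift-config/htpasswd-secret,
#      point the cluster OAuth at that Secret,
#   3. bind cluster-admin to the admin user.
# Inputs: user_path and kubeconfig (required); ocp4_htpasswd_dev_user /
# ocp4_htpasswd_dev_password and ocp4_htpasswd_admin_user /
# ocp4_htpasswd_admin_password (each pair optional, passwords from vault).
# The *_password variables are replaced in-place by their hashes, so only
# hashes ever reach htpasswd.j2.
#
#https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-htpasswd-identity-provider.html

# The password is fed through stdin, not argv, so it never shows up in `ps`,
# shell history or the Ansible log (no_log). -B selects bcrypt, which the
# OpenShift htpasswd provider accepts and which is stronger than the apr1-MD5
# that plain `htpasswd -nb` produces. `command` with argv (not `shell`) passes
# a password containing quotes, spaces or `$` verbatim instead of parsing it.
- name: '[POST-OAUTH][HTPASSWD] Generate htpasswd hash for developer user'
  command:
    argv:
      - htpasswd
      - -n
      - -i
      - -B
      - developer
    stdin: "{{ ocp4_htpasswd_dev_password }}"
    stdin_add_newline: false
  register: htpasswd_line
  changed_when: false
  no_log: true
  when:
    - ocp4_htpasswd_dev_password is defined

# `htpasswd -n` prints "user:hash"; keep only the hash (bcrypt contains no ':').
- name: '[POST-OAUTH][HTPASSWD] Set fact for developer user password'
  set_fact:
    ocp4_htpasswd_dev_password: "{{ htpasswd_line.stdout | trim | regex_replace('^[^:]*:', '') }}"
  no_log: true
  when:
    - ocp4_htpasswd_dev_password is defined
    - htpasswd_line is succeeded

- name: '[POST-OAUTH][HTPASSWD] Generate htpasswd hash for admin user'
  command:
    argv:
      - htpasswd
      - -n
      - -i
      - -B
      - admin
    stdin: "{{ ocp4_htpasswd_admin_password }}"
    stdin_add_newline: false
  register: htpasswd_line
  changed_when: false
  no_log: true
  when:
    - ocp4_htpasswd_admin_password is defined

- name: '[POST-OAUTH][HTPASSWD] Set fact admin user password'
  set_fact:
    ocp4_htpasswd_admin_password: "{{ htpasswd_line.stdout | trim | regex_replace('^[^:]*:', '') }}"
  no_log: true
  when:
    - ocp4_htpasswd_admin_password is defined
    - htpasswd_line is succeeded

# TODO: '[POST-OAUTH] locate better the htpasswd
# Password hashes are still secrets (offline cracking), hence owner-only mode
# instead of the previous group/world-readable 0664.
- name: '[POST-OAUTH][HTPASSWD] Generate htpasswd file'
  template:
    src: "htpasswd.j2"
    dest: "{{ user_path }}/users.htpasswd"
    owner: "{{ ansible_user | default(omit) }}"
    mode: 0600
  no_log: true

# slurp returns the file base64-encoded, which is exactly what Secret.data
# expects, and it works whether the file lives on the controller or a remote
# host (a file lookup would only see the controller).
- name: '[POST-OAUTH][HTPASSWD] Read the generated htpasswd file'
  slurp:
    src: "{{ user_path }}/users.htpasswd"
  register: htpasswd_file
  no_log: true

# Create-or-update in place: the previous absent-then-`oc create` sequence left
# a window in which the cluster OAuth pointed at a missing Secret (every login
# fails), and shelled out with a hard-coded {{ user_path }}/auth/kubeconfig
# instead of the `kubeconfig` the rest of the role uses.
- name: '[POST-OAUTH][HTPASSWD] Create/update htpasswd secret from htpasswd file'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: htpasswd-secret
        namespace: openshift-config
      data:
        htpasswd: "{{ htpasswd_file.content }}"
  no_log: true

- name: '[POST-OAUTH][HTPASSWD] Update OAuth Configuration'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    merge_type:
      - strategic-merge
      - merge
    definition: "{{ lookup('template', './templates/oauth-htpasswd.yml') | from_yaml }}"

# ClusterRoleBinding cluster-admin-<user> -> ClusterRole cluster-admin
# (templates/cluster_role_binding.j2); remove-kubeadmin.yml relies on it.
- name: '[POST-OAUTH] Set up Cluster Admin User'
  when: ocp4_htpasswd_admin_user is defined
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    merge_type:
      - strategic-merge
      - merge
    definition: "{{ lookup('template', './templates/cluster_role_binding.j2') | from_yaml }}"

- name: '[POST-OAUTH][HTPASSWD] Print User Information'
  debug:
    msg: "{{ item }}"
  loop:
    - "user.info: HTPasswd Authentication is enabled on this cluster."
    - "user.info: {{ ocp4_htpasswd_dev_user }} are created."
    - "user.info: User `{{ ocp4_htpasswd_admin_user }}` is a cluster-admin"

# More Info: https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-basic-authentication-identity-provider.html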
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/tasks/oauth-ldap.yml:
--------------------------------------------------------------------------------
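---
# Configures the LDAP identity provider against the OpenTLC IPA server:
# fetch the IPA CA, load it (ConfigMap ldap-ca-cert) and the bind password
# (Secret ldap-secret) into openshift-config, point the cluster OAuth at them
# and bind cluster-admin to ocp4_idm_admin_user. Still WIP: not wired into
# tasks/main.yml. Requires kubeconfig, user_path, ocp4_idm_install,
# ocp4_idm_ldap_bindPassword (vault), ocp4_idm_ldap_ca_url; optional
# ocp4_idm_ldap_ca_checksum.
#
#https://docs.openshift.com/container-platform/4.3/authentication/identity_providers/configuring-ldap-identity-provider.html

- name: '[OCP4-POST-OAUTH][OCP4-LDAP] Check that ocp4_idm_install is defined'
  when:
    - ocp4_idm_install is not defined
  fail:
    msg: "ocp4_idm_install is not defined"

- name: '[OCP4-POST-OAUTH][OCP4-LDAP] Setup OpenTLC LDAP Authentication'
  block:
    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Check for LDAP Bind Password'
      fail:
        msg: LDAP Authentication is configured but LDAP BindPassword (ocp4_idm_ldap_bindPassword) is not defined.
      when: ocp4_idm_ldap_bindPassword is not defined

    # The CA downloaded here is the trust anchor for the ldaps:// connection
    # (oauth-ldap.j2 sets insecure: false and ca: ldap-ca-cert). If it travels
    # over plain http an on-path attacker can substitute their own CA and then
    # impersonate the directory to the OAuth server, collecting the bind
    # password and every user password at login. Pin it with
    # ocp4_idm_ldap_ca_checksum (get_url syntax, e.g. "sha256:<hex>") or serve
    # it over https.
    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Warn when the CA is fetched over plain http without a pinned checksum'
      debug:
        msg: "WARNING: ocp4_idm_ldap_ca_url uses plain http and ocp4_idm_ldap_ca_checksum is not set - the LDAPS trust anchor is unauthenticated."
      when:
        - ocp4_idm_ldap_ca_url is match('^http://')
        - ocp4_idm_ldap_ca_checksum is not defined

    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Get IPA CA Cert'
      get_url:
        url: "{{ ocp4_idm_ldap_ca_url }}"
        dest: "{{ user_path }}/ipa-ca.crt"
        mode: 0660
        checksum: "{{ ocp4_idm_ldap_ca_checksum | default(omit) }}"
        validate_certs: true

    # Read the file where it was written (controller or remote host) and apply
    # the ConfigMap in place instead of absent + `oc create`, which left a
    # window with no CA for the OAuth server and depended on an oc binary path.
    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Read IPA CA Cert'
      slurp:
        src: "{{ user_path }}/ipa-ca.crt"
      register: ldap_ca_file

    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Create/update IPA CA Cert ConfigMap'
      k8s:
        kubeconfig: "{{ kubeconfig }}"
        state: present
        definition:
          apiVersion: v1
          kind: ConfigMap
          metadata:
            name: ldap-ca-cert
            namespace: openshift-config
          data:
            ca.crt: "{{ ldap_ca_file.content | b64decode }}"

    # The bind password goes into the Secret via the API, not via
    # `oc create secret --from-literal=...` in a shell command line where it
    # was visible in `ps`, subject to shell quoting, and logged in full.
    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Create/update LDAP Bind Password Secret'
      k8s:
        kubeconfig: "{{ kubeconfig }}"
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          type: Opaque
          metadata:
            name: ldap-secret
            namespace: openshift-config
          data:
            bindPassword: "{{ ocp4_idm_ldap_bindPassword | b64encode }}"
      no_log: true

    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Update OAuth Configuration'
      k8s:
        kubeconfig: "{{ kubeconfig }}"
        state: present
        merge_type:
          - strategic-merge
          - merge
        definition: "{{ lookup('template', item ) | from_yaml }}"
      loop:
        - ./templates/oauth-ldap.j2

    # cluster_role_binding.j2 is written for the htpasswd flow and names
    # ocp4_htpasswd_admin_user. Without the task-level override below it would
    # bind cluster-admin to whatever that variable holds (or fail when unset)
    # rather than to the LDAP admin this task is guarded on.
    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Set up Cluster Admin User'
      k8s:
        kubeconfig: "{{ kubeconfig }}"
        state: present
        merge_type:
          - strategic-merge
          - merge
        definition: "{{ lookup('template', './templates/cluster_role_binding.j2') | from_yaml }}"
      vars:
        ocp4_htpasswd_admin_user: "{{ ocp4_idm_admin_user }}"
      when: ocp4_idm_admin_user is defined

    - name: '[OCP4-POST-OAUTH][OCP4-LDAP] Print User Information for OpenTLC LDAP'
      debug:
        msg: "{{ item }}"
      loop:
        - "user.info: OpenTLC LDAP Authentication is enabled on this cluster."
        - "user.info: Use your OpenTLC user and Password to log into this cluster."
        - "user.info: User `{{ ocp4_idm_admin_user }}` is a cluster-admin"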
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/tasks/remove-kubeadmin.yml:
--------------------------------------------------------------------------------
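---
# Deletes the kube-system/kubeadmin Secret, which disables the installer's
# temporary kubeadmin login. kubeadmin cannot be recreated, so this must only
# run once another cluster-admin is in place; the guard checks that the
# ClusterRoleBinding cluster-admin-<ocp4_htpasswd_admin_user> created by
# oauth-htpasswd.yml (templates/cluster_role_binding.j2) really exists
# before anything is removed.
- name: '[POST-OAUTH] Remove kubeadmin tasks'
  block:
    - name: '[REMOVE-KUBEADMIN] Look up the replacement cluster-admin binding'
      k8s_info:
        kubeconfig: "{{ kubeconfig }}"
        api_version: rbac.authorization.k8s.io/v1
        kind: ClusterRoleBinding
        name: "cluster-admin-{{ ocp4_htpasswd_admin_user }}"
      register: admin_crb

    - name: '[REMOVE-KUBEADMIN] Refuse to remove kubeadmin until a replacement cluster-admin is bound'
      assert:
        that:
          - admin_crb.resources | length > 0
        fail_msg: "ClusterRoleBinding cluster-admin-{{ ocp4_htpasswd_admin_user }} not found; removing kubeadmin now would leave the cluster without a working cluster-admin."

    - name: '[REMOVE-KUBEADMIN] Remove kubeadmin user secret'
      k8s:
        kubeconfig: "{{ kubeconfig }}"
        state: absent
        api_version: v1
        kind: Secret
        namespace: kube-system
        name: kubeadmin

  # TODO: should not lock down the own kubeconfig of the local system
  #- name: Remove kubeadmin files
  #  file:
  #    state: absent
  #    path: "{{ user_path }}/auth/{{ item }}"
  #  loop:
  #    - kubeadmin-password
  #    - kubeconfig
  when:
    - ocp4_htpasswd_admin_user is defined
    - ocp4_remove_kubeadmin | bool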
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/tasks/remove-self-provisioner.yml:
--------------------------------------------------------------------------------
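---
# Removes the self-provisioner role from all authenticated users so only
# admins can create projects (OpenShift docs: "Disabling project
# self-provisioning"). Done through the API instead of
# `oc adm policy ... || true`: the `|| true` hid every failure (missing oc,
# wrong kubeconfig, API unreachable), so the play reported a hardened cluster
# that was not. Requires `kubeconfig`.
- name: '[POST-OAUTH][SELF PROVISIONER] Remove the self provisioner'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    state: present
    merge_type:
      - merge
    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: self-provisioners
        annotations:
          # Without this the RBAC reconciler puts system:authenticated:oauth
          # back on the next sync, silently re-enabling self-provisioning.
          rbac.authorization.kubernetes.io/autoupdate: "false"
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: self-provisioner
      # JSON merge patch: null drops the subjects list entirely (same as
      # `oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'`)
      subjects: null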
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/templates/cluster_role_binding.j2:
--------------------------------------------------------------------------------
# Grants cluster-admin (full control of the cluster) to one User.
# Written for the htpasswd flow: the subject is ocp4_htpasswd_admin_user.
# oauth-ldap.yml reuses this template but guards on ocp4_idm_admin_user, so it
# must make sure ocp4_htpasswd_admin_user holds the intended LDAP uid.
# remove-kubeadmin.yml expects the binding to be named cluster-admin-<user>.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: "cluster-admin-{{ ocp4_htpasswd_admin_user }}"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: "{{ ocp4_htpasswd_admin_user }}"
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/templates/google-openid-client-secret.j2:
--------------------------------------------------------------------------------
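# Client secret for the Google OpenID provider (WIP, see oauth-google.yml).
apiVersion: v1
kind: Secret
metadata:
  # Must match spec.identityProviders[].openID.clientSecret.name in
  # oauth-google.j2, which references google-openid-client-secret; the old
  # name (openid-client-secret-qa) never matched, so the provider could not
  # have found its secret.
  name: google-openid-client-secret
  namespace: openshift-config
type: Opaque
# stringData takes the raw value. Under `data:` (as before) the value must be
# base64; a raw placeholder there is stored as garbage, not as the secret.
stringData:
  # ${google-clientsecret} is not a Jinja expression - it is rendered
  # literally. Replace it with a vaulted variable before enabling Google auth.
  clientSecret: ${google-clientsecret}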
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/templates/htpasswd.j2:
--------------------------------------------------------------------------------
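{# users.htpasswd for the HTPasswd identity provider. The *_password values are
   the hashes set_fact'ed in oauth-htpasswd.yml, never plaintext. Each user is
   optional - oauth-htpasswd.yml already treats every password as optional
   (`when: ... is defined`), but the old template failed on an undefined
   variable whenever only one of the two users was configured. #}
{% if ocp4_htpasswd_admin_user is defined and ocp4_htpasswd_admin_password is defined %}
{{ ocp4_htpasswd_admin_user }}:{{ ocp4_htpasswd_admin_password }}
{% endif %}
{% if ocp4_htpasswd_dev_user is defined and ocp4_htpasswd_dev_password is defined %}
{{ ocp4_htpasswd_dev_user }}:{{ ocp4_htpasswd_dev_password }}
{% endif %}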
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/templates/oauth-google.j2:
--------------------------------------------------------------------------------
# Cluster OAuth spec for a Google OpenID Connect provider (WIP, applied by
# oauth-google.yml). ${clientID} and ${issuer} are NOT Jinja expressions - they
# are rendered literally and must be replaced with real variables first.
# Applying this replaces the whole OAuth spec, so any provider configured
# earlier (e.g. htpasswd) is presumably dropped rather than appended - verify.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  tokenConfig:
    # 45 minute access tokens
    accessTokenMaxAgeSeconds: 2700
  identityProviders:
    # mappingMethod add: an existing User with the same name gets this identity
    # attached instead of the login being rejected
    - mappingMethod: add
      name: openid
      openID:
        claims:
          email:
            - email
          name:
            - name
          preferredUsername:
            - preferred_username
        clientID: ${clientID}
        clientSecret:
          # must exist in openshift-config under exactly this name
          name: google-openid-client-secret
        extraScopes: []
        issuer: ${issuer}
      type: OpenID
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/templates/oauth-htpasswd.yml:
--------------------------------------------------------------------------------
# Cluster OAuth spec for the HTPasswd provider (applied by oauth-htpasswd.yml).
# fileData.name must be the Secret created from users.htpasswd in
# openshift-config. Applying this replaces the whole OAuth spec, so any other
# provider configured earlier is presumably dropped rather than appended.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: htpasswd_provider
      challenge: true
      login: true
      # claim: a second identity for an existing User name is rejected
      mappingMethod: claim
      type: HTPasswd
      htpasswd:
        fileData:
          name: htpasswd-secret
--------------------------------------------------------------------------------
/roles/ocp4-post-oauth/templates/oauth-ldap.j2:
--------------------------------------------------------------------------------
# Cluster OAuth spec for the LDAP provider (applied by oauth-ldap.yml).
# insecure: false plus ca: ldap-ca-cert means the OAuth server only trusts the
# directory via the CA in that ConfigMap - which is why how that CA is obtained
# (see ocp4_idm_ldap_ca_url in defaults) matters. ocp4_idm_ldap_url must be
# ldaps://; the bind password comes from Secret ldap-secret.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: ldapidp
      challenge: true
      login: true
      mappingMethod: claim
      type: LDAP
      ldap:
        attributes:
          # identity is the DN; the OpenShift User name is the uid
          id:
            - dn
          email:
            - mail
          name:
            - cn
          preferredUsername:
            - uid
        bindDN: "{{ ocp4_idm_ldap_bind_dn }}"
        bindPassword:
          name: ldap-secret
        insecure: false
        ca:
          name: ldap-ca-cert
        url: "{{ ocp4_idm_ldap_url }}"
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/.travis.yml:
--------------------------------------------------------------------------------
---
# Galaxy scaffold CI: installs ansible with pip and runs a syntax check only.
# NOTE(review): `pip install ansible` is unpinned, so the check runs against
# whatever is latest that day, and python 2.7 is end-of-life; pin both
# before relying on this job.
language: python
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

install:
  # Install ansible
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  - printf '[defaults]\nroles_path=../' >ansible.cfg

script:
  # Basic role syntax check
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
/roles/ocp4-post-ocs/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for ocp4-post-ocs
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post-ocs
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/meta/main.yml:
--------------------------------------------------------------------------------
# Unedited ansible-galaxy scaffold: author/description/license are still the
# placeholder values. `license:` below is not a valid SPDX identifier (the
# role README says BSD) - fix before publishing the role.
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.9

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/tasks/main.yml:
--------------------------------------------------------------------------------
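---
# tasks file for ocp4-post-ocs: subscribes to the OCS operator in
# ceph_namespace, waits for its CRDs to appear, then creates the StorageCluster.
# Inputs come from vars/main.yml (ceph_namespace, ceph_expected_crds,
# ocs_operator_channel, ocs_source, ocs_source_namespace, resource requests).
#
# kubeconfig is passed explicitly, as the other post-install roles do, so the
# role talks to the cluster being deployed rather than to whatever
# ~/.kube/config or $KUBECONFIG points at on the control host; it is omitted
# when the variable is not set, which keeps the previous behaviour.

# TODO: Add some tests!
- name: "Create OperatorGroup"
  k8s:
    kubeconfig: "{{ kubeconfig | default(omit) }}"
    state: present
    definition: "{{ lookup('template', 'operatorgroup.yml.j2') }}"

# The Subscription uses installPlanApproval: Automatic (see
# templates/subscription.yml.j2): operator upgrades on the channel are
# applied without review.
- name: "Create Subscription"
  k8s:
    kubeconfig: "{{ kubeconfig | default(omit) }}"
    state: present
    definition: "{{ lookup('template', 'subscription.yml.j2') }}"

# Polls each expected CRD up to 30 x 10 s. apiextensions.k8s.io/v1beta1 is the
# API the stable-4.2 channel targets; if the API server rejects it (the v1beta1
# CRD API was removed in later Kubernetes releases) switch to
# apiextensions.k8s.io/v1.
- name: "Wait for Ceph CRD's to exist"
  k8s_info:
    kubeconfig: "{{ kubeconfig | default(omit) }}"
    api_version: "apiextensions.k8s.io/v1beta1"
    kind: CustomResourceDefinition
    name: "{{ item }}"
  loop: "{{ ceph_expected_crds }}"
  register: crds
  until: crds.resources|length > 0
  retries: 30
  delay: 10

# Only the CRDs are awaited, not the operator's CSV; the StorageCluster is
# accepted by the API as soon as its CRD exists and reconciled once the
# operator is up.
- name: "Create StorageCluster"
  k8s:
    kubeconfig: "{{ kubeconfig | default(omit) }}"
    state: present
    definition: "{{ lookup('template', 'storagecluster.yml.j2') }}"

- name: workload Tasks Complete
  debug:
    msg: workload Tasks Complete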
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/templates/operatorgroup.yml.j2:
--------------------------------------------------------------------------------
# OperatorGroup scoping the OCS operator to ceph_namespace only
# (single-namespace install; the operator gets RBAC in that namespace).
apiVersion: operators.coreos.com/v1
kind: OperatorGroup
metadata:
  name: ocs-operatorgroup
  namespace: {{ ceph_namespace }}
spec:
  targetNamespaces:
    - {{ ceph_namespace }}
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/templates/storagecluster.yml.j2:
--------------------------------------------------------------------------------
# OCS StorageCluster: one device set of 3 replicas on gp2 block PVCs.
# Resource requests come from vars/main.yml (ceph_*, noobaa_*).
# manageNodes: false - the operator does not label/taint nodes itself; the
# storage nodes are prepared by the machineset template (label
# cluster.ocs.openshift.io/openshift-storage and the node.ocs.openshift.io/storage
# taint) when ceph_namespace is defined there.
apiVersion: ocs.openshift.io/v1
kind: StorageCluster
metadata:
  namespace: {{ ceph_namespace }}
  name: ocs-storagecluster
spec:
  manageNodes: false
  resources:
    mon:
      requests:
        cpu: {{ ceph_mon.resources.requests.cpu }}
        memory: {{ ceph_mon.resources.requests.memory }}
    mds:
      requests:
        cpu: {{ ceph_mds.resources.requests.cpu }}
        memory: {{ ceph_mds.resources.requests.memory }}
    mgr:
      requests:
        cpu: {{ ceph_mgr.resources.requests.cpu }}
        memory: {{ ceph_mgr.resources.requests.memory }}
    noobaa-core:
      requests:
        cpu: {{ noobaa_core.resources.requests.cpu }}
        memory: {{ noobaa_core.resources.requests.memory }}
    noobaa-db:
      requests:
        cpu: {{ noobaa_db.resources.requests.cpu }}
        memory: {{ noobaa_db.resources.requests.memory }}
  storageDeviceSets:
    - name: ocs-deviceset
      count: 1
      replica: 3
      resources:
        requests:
          cpu: {{ ceph_osd.resources.requests.cpu }}
          memory: {{ ceph_osd.resources.requests.memory }}
      placement: {}
      dataPVCTemplate:
        spec:
          storageClassName: gp2
          accessModes:
            - ReadWriteOnce
          volumeMode: Block
          resources:
            requests:
              # NOTE: the 200Gi fallback is dead - vars/main.yml always sets
              # ceph_storage_requests (100Gi) and vars/ cannot be overridden
              # below extra-vars.
              storage: {{ ceph_storage_requests| default('200Gi') }}
      portable: true
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/templates/subscription.yml.j2:
--------------------------------------------------------------------------------
# OLM Subscription for the OCS operator from ocs_source (redhat-operators by
# default) on channel ocs_operator_channel.
# installPlanApproval: Automatic means every new operator version published on
# the channel is installed without review; use Manual where storage-operator
# upgrades must go through change control.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: ocs-operator-subscription
  namespace: {{ ceph_namespace }}
spec:
  channel: {{ ocs_operator_channel }}
  installPlanApproval: Automatic
  name: ocs-operator
  source: {{ ocs_source }}
  sourceNamespace: {{ ocs_source_namespace }}
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - ocp4-post-ocs
--------------------------------------------------------------------------------
/roles/ocp4-post-ocs/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-ocs
# NOTE(review): these live in vars/main.yml, not defaults/main.yml, so they take
# role-vars precedence and cannot be overridden from inventory, group_vars or
# play vars — only from extra-vars, set_fact or include_vars. If the resource
# sizes below are meant to be tunable per deployment, move them to defaults/.
3 |
4 |
5 | ceph_namespace: openshift-storage
# CRDs the role expects the OCS operator to register (consumed by tasks outside this file).
6 | ceph_expected_crds:
7 | - ocsinitializations.ocs.openshift.io
8 | - storageclusters.ocs.openshift.io
9 | - storageclusterinitializations.ocs.openshift.io
10 |
# Per-component resource requests rendered into the StorageCluster template.
# CPU values are quoted so YAML keeps them as strings rather than floats.
11 | ceph_osd:
12 | resources:
13 | requests:
14 | cpu: '0.1'
15 | memory: 2Gi
16 | ceph_mon:
17 | resources:
18 | requests:
19 | cpu: '0.2'
20 | memory: 3Gi
21 | ceph_mgr:
22 | resources:
23 | requests:
24 | cpu: '0.2'
25 | memory: 3Gi
26 | ceph_mds:
27 | resources:
28 | requests:
29 | cpu: '0.1'
30 | memory: 2Gi
31 | noobaa_core:
32 | resources:
33 | requests:
34 | cpu: '0.2'
35 | memory: 2Gi
36 | noobaa_db:
37 | resources:
38 | requests:
39 | cpu: '0.2'
40 | memory: 2Gi
# Pinned OLM channel; bump deliberately when moving to a newer OCP/OCS release.
41 | ocs_operator_channel: stable-4.2
# Because this is always defined here, the `default('200Gi')` fallback in the
# StorageCluster template never applies; 100Gi per OSD device set is the effective value.
42 | ceph_storage_requests: 100Gi
43 | ocs_source_namespace: openshift-marketplace
44 | ocs_source: redhat-operators
45 |
--------------------------------------------------------------------------------
/roles/ocp4-post-project-template-request/.travis.yml:
--------------------------------------------------------------------------------
1 | ---
2 | language: python
# NOTE(review): Python 2.7 is end-of-life and current Ansible releases require
# Python 3 — confirm this CI job still runs before relying on it.
3 | python: "2.7"
4 |
5 | # Use the new container infrastructure
6 | sudo: false
7 |
8 | # Install ansible
9 | addons:
10 | apt:
11 | packages:
12 | - python-pip
13 |
14 | install:
15 | # Install ansible
# Unpinned: every run installs whatever PyPI serves as latest. Pin a version
# (ansible==<version>) so syntax checks are reproducible and not affected by
# an unexpected upstream release.
16 | - pip install ansible
17 |
18 | # Check ansible version
19 | - ansible --version
20 |
21 | # Create ansible.cfg with correct roles_path
22 | - printf '[defaults]\nroles_path=../' >ansible.cfg
23 |
24 | script:
25 | # Basic role syntax check
26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 |
28 | notifications:
29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-post-project-template-request/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-project-template-request/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for ocp4-post-project-template-request
# Everything below is commented out, so this role ships NO defaults: the caller
# must define install_limit_range, install_network_policies,
# install_resource_quota, project_request_template_project_limits,
# project_request_template_resource_quota and project_request_message
# (all referenced by tasks/ and templates/), or template rendering fails.
3 |
4 | #become_override: False
5 | #ocp_username: opentlc-mgr
6 | #silent: False
7 |
8 | # Added in vars/vars.yml files
9 | #
10 | #install_limit_range: True
11 | #install_network_policies: True
12 | #install_resource_quota: True
# Example LimitRange entries; the list is passed through `to_json` into the
# LimitRange object of every new project.
13 | #project_request_template_project_limits:
14 | # - type: Container
15 | # max:
16 | # cpu: 2
17 | # memory: 2Gi
18 | # default:
19 | # cpu: 500m
20 | # memory: 500Mi
21 | # defaultRequest:
22 | # cpu: 50m
23 | # memory: 256Mi
24 | # - type: Pod
25 | # max:
26 | # cpu: 2
27 | # memory: 4Gi
# Example ResourceQuota `hard` map applied to every new project.
28 | #project_request_template_resource_quota:
29 | # pods: 10
30 | # requests.cpu: 4000m
31 | # requests.memory: 8Gi
32 | # resourcequotas: 1
33 | # requests.storage: 50Gi
34 | # persistentvolumeclaims: 5
35 |
--------------------------------------------------------------------------------
/roles/ocp4-post-project-template-request/files/openshift-ingress-namespaces.yaml:
--------------------------------------------------------------------------------
# Adds the `network-policy: global` label to the router namespace. The
# allow-from-ingress-namespace NetworkPolicy in templates/project_request_template.j2
# matches on this label, so without it router traffic into new projects would
# depend entirely on the broader allow-from-all-namespaces policy.
# tasks/main.yml applies this with merge semantics, so existing labels on the
# namespace are kept.
1 | apiVersion: v1
2 | kind: Namespace
3 | metadata:
4 | labels:
5 | network-policy: "global"
6 | name: openshift-ingress
7 |
--------------------------------------------------------------------------------
/roles/ocp4-post-project-template-request/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for ocp4-post-project-template-request
3 |
# Renders and applies, in order: the project-request Template (the objects every
# new project gets) and the cluster Project config that points at it. Both
# templates read the install_* flags and project_request_* variables, which this
# role does not default — the caller must supply them.
4 | - name: '[POSTINSTALL][PROJECT-REQUEST-TEMPLATE] Create and enable Project Request Template'
5 | k8s:
6 | state: present
# Patch rather than replace, so fields not present in the template survive re-runs.
7 | merge_type:
8 | - strategic-merge
9 | - merge
10 | definition: "{{ lookup('template', item ) | from_yaml }}"
11 | loop:
12 | - ./templates/project_request_template.j2
13 | - ./templates/project_request_config.j2
14 |
# Labels openshift-ingress so the allow-from-ingress-namespace policy in the
# template can select it. Only needed when the NetworkPolicy objects are
# rendered, hence the same flag gates both.
15 | - name: '[POSTINSTALL][PROJECT-REQUEST-TEMPLATE] Add label to openshift-ingress project'
16 | k8s:
17 | state: present
18 | merge_type:
19 | - strategic-merge
20 | - merge
21 | definition: "{{ lookup('file', item ) | from_yaml }}"
22 | loop:
23 | - ./files/openshift-ingress-namespaces.yaml
24 | when: install_network_policies | bool
25 |
--------------------------------------------------------------------------------
/roles/ocp4-post-project-template-request/templates/project_request_config.j2:
--------------------------------------------------------------------------------
{# Cluster-wide Project configuration: makes new-project requests use the
   `project-request` Template rendered from project_request_template.j2 and sets
   the message shown to users who may not self-provision projects. #}
1 | apiVersion: config.openshift.io/v1
2 | kind: Project
3 | metadata:
4 | name: cluster
{# NOTE(review): this resource is cluster-scoped; the namespace field is
   presumably ignored by the API server — confirm, or drop it. #}
5 | namespace: openshift-config
6 | spec:
7 | projectRequestMessage: "{{ project_request_message }}"
8 | projectRequestTemplate:
9 | name: project-request
10 |
--------------------------------------------------------------------------------
/roles/ocp4-post-project-template-request/templates/project_request_template.j2:
--------------------------------------------------------------------------------
{# Project request Template: the objects stamped into every newly requested
   project. The ${PROJECT_*} placeholders are Template parameters filled in by
   OpenShift at request time (declared at the bottom), NOT Jinja variables; the
   install_* flags and project_request_template_* values are Jinja/Ansible. #}
1 | apiVersion: template.openshift.io/v1
2 | kind: Template
3 | metadata:
4 | name: project-request
5 | namespace: openshift-config
6 | objects:
{# Per-container / per-pod limits; the list is emitted as JSON inline so its
   nesting does not depend on this file's indentation. #}
7 | {% if install_limit_range|bool %}
8 | - apiVersion: v1
9 | kind: LimitRange
10 | metadata:
11 | name: ${PROJECT_NAME}-limit-range
12 | namespace: ${PROJECT_NAME}
13 | spec:
14 | limits: {{ project_request_template_project_limits | to_json }}
15 | {% endif %}
16 | {% if install_resource_quota|bool %}
17 | - apiVersion: v1
18 | kind: ResourceQuota
19 | metadata:
20 | name: ${PROJECT_NAME}-resource-quota
21 | namespace: ${PROJECT_NAME}
22 | spec:
23 | hard: {{ project_request_template_resource_quota | to_json }}
24 | {% endif %}
25 | {% if install_network_policies|bool %}
{# NOTE(review): podSelector {} plus namespaceSelector {} selects every pod in
   the new project and allows ingress from every namespace in the cluster.
   NetworkPolicies are additive, so the narrower allow-from-ingress-namespace
   policy below cannot restrict anything while this one exists — with both
   present the project is effectively open to all namespaces, which is unlikely
   to be what "install_network_policies" is meant to provide. If namespace
   isolation is the goal, replace this policy with a same-namespace allow
   (e.g. `- podSelector: {}` under `from`) and keep the ingress-namespace one. #}
26 | - kind: NetworkPolicy
27 | apiVersion: networking.k8s.io/v1
28 | metadata:
29 | name: allow-from-all-namespaces
30 | spec:
31 | podSelector: {}
32 | ingress:
33 | - from:
34 | - namespaceSelector: {}
{# Allows traffic from namespaces labelled network-policy: global, i.e. the
   openshift-ingress namespace labelled by files/openshift-ingress-namespaces.yaml. #}
35 | - apiVersion: networking.k8s.io/v1
36 | kind: NetworkPolicy
37 | metadata:
38 | name: allow-from-ingress-namespace
39 | spec:
{# NOTE(review): podSelector is left empty here (renders as null) whereas the
   policy above spells it `{}`; confirm the API server accepts null as
   "all pods", or write `{}` for consistency. #}
40 | podSelector:
41 | ingress:
42 | - from:
43 | - namespaceSelector:
44 | matchLabels:
45 | network-policy: global
46 | {% endif %}
47 | - apiVersion: project.openshift.io/v1
48 | kind: Project
49 | metadata:
50 | annotations:
51 | openshift.io/description: ${PROJECT_DESCRIPTION}
52 | openshift.io/display-name: ${PROJECT_DISPLAYNAME}
53 | openshift.io/requester: ${PROJECT_REQUESTING_USER}
{# Project-wide node selector: every pod in a new project is confined to nodes
   carrying this label. It is hard-coded here while the other sections are
   variable-driven; if no node has the label, pods stay Pending — consider
   making it a role variable. #}
54 | openshift.io/node-selector: node-role.kubernetes.io/apps=
55 | name: ${PROJECT_NAME}
56 | spec: {}
57 | status: {}
{# The next three RoleBindings mirror the service-account bindings the stock
   OpenShift project template creates (image pull/push and deployer). #}
58 | - apiVersion: rbac.authorization.k8s.io/v1
59 | kind: RoleBinding
60 | metadata:
61 | annotations:
62 | openshift.io/description: Allows all pods in this namespace to pull images from
63 | this namespace. It is auto-managed by a controller; remove subjects to disable.
64 | name: system:image-pullers
65 | namespace: ${PROJECT_NAME}
66 | roleRef:
67 | apiGroup: rbac.authorization.k8s.io
68 | kind: ClusterRole
69 | name: system:image-puller
70 | subjects:
71 | - apiGroup: rbac.authorization.k8s.io
72 | kind: Group
73 | name: system:serviceaccounts:${PROJECT_NAME}
74 | - apiVersion: rbac.authorization.k8s.io/v1
75 | kind: RoleBinding
76 | metadata:
77 | annotations:
78 | openshift.io/description: Allows builds in this namespace to push images to
79 | this namespace. It is auto-managed by a controller; remove subjects to disable.
80 | name: system:image-builders
81 | namespace: ${PROJECT_NAME}
82 | roleRef:
83 | apiGroup: rbac.authorization.k8s.io
84 | kind: ClusterRole
85 | name: system:image-builder
86 | subjects:
87 | - kind: ServiceAccount
88 | name: builder
89 | namespace: ${PROJECT_NAME}
90 | - apiVersion: rbac.authorization.k8s.io/v1
91 | kind: RoleBinding
92 | metadata:
93 | annotations:
94 | openshift.io/description: Allows deploymentconfigs in this namespace to rollout
95 | pods in this namespace. It is auto-managed by a controller; remove subjects
96 | to disable.
97 | name: system:deployers
98 | namespace: ${PROJECT_NAME}
99 | roleRef:
100 | apiGroup: rbac.authorization.k8s.io
101 | kind: ClusterRole
102 | name: system:deployer
103 | subjects:
104 | - kind: ServiceAccount
105 | name: deployer
106 | namespace: ${PROJECT_NAME}
{# Grants the requesting user the `admin` ClusterRole scoped to the new project. #}
107 | - apiVersion: rbac.authorization.k8s.io/v1
108 | kind: RoleBinding
109 | metadata:
110 | name: admin
111 | namespace: ${PROJECT_NAME}
112 | roleRef:
113 | apiGroup: rbac.authorization.k8s.io
114 | kind: ClusterRole
115 | name: admin
116 | subjects:
117 | - apiGroup: rbac.authorization.k8s.io
118 | kind: User
119 | name: ${PROJECT_ADMIN_USER}
{# Template parameters populated by OpenShift on each project request. #}
120 | parameters:
121 | - name: PROJECT_NAME
122 | - name: PROJECT_DISPLAYNAME
123 | - name: PROJECT_DESCRIPTION
124 | - name: PROJECT_ADMIN_USER
125 | - name: PROJECT_REQUESTING_USER
126 |
--------------------------------------------------------------------------------
/roles/ocp4-post-project-template-request/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-project-template-request
--------------------------------------------------------------------------------
/roles/ocp4-post-registry/.travis.yml:
--------------------------------------------------------------------------------
1 | ---
2 | language: python
# NOTE(review): Python 2.7 is end-of-life and current Ansible releases require
# Python 3 — confirm this CI job still runs before relying on it.
3 | python: "2.7"
4 |
5 | # Use the new container infrastructure
6 | sudo: false
7 |
8 | # Install ansible
9 | addons:
10 | apt:
11 | packages:
12 | - python-pip
13 |
14 | install:
15 | # Install ansible
# Unpinned: every run installs whatever PyPI serves as latest. Pin a version
# (ansible==<version>) so syntax checks are reproducible.
16 | - pip install ansible
17 |
18 | # Check ansible version
19 | - ansible --version
20 |
21 | # Create ansible.cfg with correct roles_path
22 | - printf '[defaults]\nroles_path=../' >ansible.cfg
23 |
24 | script:
25 | # Basic role syntax check
26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 |
28 | notifications:
29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-post-registry/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-registry/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for ocp4-post-registry
3 |
# Patches the image-registry operator config so registry pods are scheduled only
# on nodes labelled node-role.kubernetes.io/infra. `merge` keeps the rest of the
# existing spec intact. Unlike the router task in ocp4-post-routesharding, this
# is not gated on `infra_nodes` here — presumably the playbook gates the whole
# role; if no infra nodes exist the registry pods will stay Pending.
4 | - name: Move registry to infra nodes
5 | k8s:
6 | kubeconfig: "{{ kubeconfig }}"
7 | state: present
8 | merge_type: merge
9 | name: cluster
10 | kind: Config
11 | api_version: imageregistry.operator.openshift.io/v1
12 | definition:
13 | spec:
14 | nodeSelector:
15 | node-role.kubernetes.io/infra: ""
16 |
--------------------------------------------------------------------------------
/roles/ocp4-post-registry/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-registry
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/.travis.yml:
--------------------------------------------------------------------------------
1 | ---
2 | language: python
# NOTE(review): Python 2.7 is end-of-life and current Ansible releases require
# Python 3 — confirm this CI job still runs before relying on it.
3 | python: "2.7"
4 |
5 | # Use the new container infrastructure
6 | sudo: false
7 |
8 | # Install ansible
9 | addons:
10 | apt:
11 | packages:
12 | - python-pip
13 |
14 | install:
15 | # Install ansible
# Unpinned: every run installs whatever PyPI serves as latest. Pin a version
# (ansible==<version>) so syntax checks are reproducible.
16 | - pip install ansible
17 |
18 | # Check ansible version
19 | - ansible --version
20 |
21 | # Create ansible.cfg with correct roles_path
22 | - printf '[defaults]\nroles_path=../' >ansible.cfg
23 |
24 | script:
25 | # Basic role syntax check
26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 |
28 | notifications:
29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for ocp4-post-rhsso
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post-rhsso
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for ocp4-post-rhsso
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - ocp4-post-rhsso
--------------------------------------------------------------------------------
/roles/ocp4-post-rhsso/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-rhsso
--------------------------------------------------------------------------------
/roles/ocp4-post-routesharding/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-routesharding/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post-routesharding
--------------------------------------------------------------------------------
/roles/ocp4-post-routesharding/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for ocp4-post-routesharding
3 | #
4 |
# Only relocate the default router when the deployment actually has infra nodes;
# otherwise the ingresscontroller's nodeSelector would match nothing.
5 | - import_tasks: router.yml
6 | when: infra_nodes | bool
7 |
# Route sharding itself (ingress.yml) is not wired in; the role currently only
# moves the default router.
8 | #- import_tasks: ingress.yml
9 |
10 |
--------------------------------------------------------------------------------
/roles/ocp4-post-routesharding/tasks/router.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
# Patches the default IngressController so router pods land on
# node-role.kubernetes.io/infra nodes. merge_type: merge leaves every other
# field of the existing spec untouched.
3 | - name: Move routers to infra nodes
4 | k8s:
5 | kubeconfig: "{{ kubeconfig }}"
6 | state: present
7 | merge_type: merge
8 | name: default
9 | namespace: openshift-ingress-operator
10 | kind: ingresscontroller
11 | api_version: operator.openshift.io/v1
12 | definition:
13 | spec:
14 | nodePlacement:
15 | nodeSelector:
16 | matchLabels:
17 | node-role.kubernetes.io/infra: ""
18 |
--------------------------------------------------------------------------------
/roles/ocp4-post-routesharding/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-routesharding
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/.travis.yml:
--------------------------------------------------------------------------------
1 | ---
2 | language: python
# NOTE(review): Python 2.7 is end-of-life and current Ansible releases require
# Python 3 — confirm this CI job still runs before relying on it.
3 | python: "2.7"
4 |
5 | # Use the new container infrastructure
6 | sudo: false
7 |
8 | # Install ansible
9 | addons:
10 | apt:
11 | packages:
12 | - python-pip
13 |
14 | install:
15 | # Install ansible
# Unpinned: every run installs whatever PyPI serves as latest. Pin a version
# (ansible==<version>) so syntax checks are reproducible.
16 | - pip install ansible
17 |
18 | # Check ansible version
19 | - ansible --version
20 |
21 | # Create ansible.cfg with correct roles_path
22 | - printf '[defaults]\nroles_path=../' >ansible.cfg
23 |
24 | script:
25 | # Basic role syntax check
26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 |
28 | notifications:
29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for service-mesh
3 |
# Each entry is the basename of a Subscription template: tasks/main.yml renders
# templates/<entry>.yml. The `jaegar` spelling is therefore deliberate — it must
# match templates/jaegar-operator.yml; rename both together or not at all.
4 | servicemesh_operators:
5 | - elasticsearch-operator
6 | - jaegar-operator
7 | - kiali-operator
8 | - servicemesh-operator
9 |
# NOTE(review): none of the templates visible in this role reference this
# variable — they hard-code `istio-system`, as does the `oc get` check in
# tasks/main.yml. Overriding it will not move the mesh; either template the
# namespace through this variable or drop it.
10 | servicemesh_namespace: istio-system
11 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post-service-mesh
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 |
# Flow: namespace -> operator Subscriptions -> wait for CSVs -> control plane
# -> member roll (only if none exists). No kubeconfig is passed to k8s here,
# unlike the registry/router roles — presumably it is set via environment or
# play-level defaults; confirm.
3 | - name: '[POSTINSTALL][SERVICE-MESH] Create Namespace'
4 | k8s:
5 | state: present
6 | definition: "{{ lookup('template', 'servicemesh-namespace.yml') }}"
7 |
# One Subscription per entry of servicemesh_operators, rendered from
# templates/<name>.yml. Nested `{{ item }}` inside an already-templated string
# relies on lazy re-templating; `lookup('template', item ~ '.yml')` is the
# conventional form and is what ansible-lint expects.
# NOTE(review): jaegar-operator.yml and kiali-operator.yml carry no
# metadata.namespace, so they take the task's `openshift-operators`;
# elasticsearch-operator.yml sets istio-system itself. The readiness check
# below only inspects istio-system, so confirm which namespace the Jaeger and
# Kiali CSVs actually appear in.
8 | - name: '[POSTINSTALL][SERVICE-MESH] Install Operators required for ServiceMesh'
9 | k8s:
10 | state: present
11 | definition: "{{ lookup('template', '{{ item }}.yml') }}"
12 | namespace: "openshift-operators"
13 | loop: "{{ servicemesh_operators }}"
14 |
# Polls up to 60 x 10 s (10 min) until at least one CSV exists in istio-system
# and every CSV reports phase Succeeded. A CSV stuck in any other phase (e.g. a
# leftover Failed one) never satisfies the condition and the task times out.
# operator_count and succeeded_count are both Jinja-rendered strings, so the
# `==` compares them as strings — which is fine here.
15 | - name: '[POSTINSTALL][SERVICE-MESH]Make sure the operators are all installed'
16 | command: "{{ container_dir }}/tools/oc get clusterserviceversions -n istio-system -o custom-columns='PHASE:status.phase' --no-headers"
17 | register: servicemesh_operator_status
18 | changed_when: false
19 | vars:
20 | operator_count: "{{ servicemesh_operator_status.stdout_lines | length }}"
21 | succeeded_count: "{{ servicemesh_operator_status.stdout | regex_findall('Succeeded') | length }}"
22 | until:
23 | - servicemesh_operator_status.stdout_lines
24 | - operator_count == succeeded_count
25 | delay: 10
26 | retries: 60
27 |
28 | - name: '[POSTINSTALL][SERVICE-MESH]Install istio servicemesh control plane'
29 | k8s:
30 | state: present
31 | definition: "{{ lookup('template', 'istio-installation.yml') }}"
32 |
# No namespace given, so this lists ServiceMeshMemberRolls across all namespaces;
# any existing roll anywhere suppresses the default one below.
33 | - name: '[POSTINSTALL][SERVICE-MESH] Get ServiceMeshMemberRoll object'
34 | k8s_info:
35 | api_version: maistra.io/v1
36 | kind: ServiceMeshMemberRoll
37 | register: reg_servicemesh_member_roll
38 |
39 | # Only install the default servicemesh member roll if one doesn't exist
40 | - name: '[POSTINSTALL][SERVICE-MESH]Install istio servicemesh member roll'
41 | k8s:
42 | state: present
43 | definition: "{{ lookup('template', 'istio-memberroll.yml') }}"
44 | when:
45 | - not reg_servicemesh_member_roll.resources
46 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/templates/elasticsearch-operator.yml:
--------------------------------------------------------------------------------
# Subscription for the Elasticsearch operator (backing store for Jaeger tracing).
# Unlike the jaeger/kiali templates this one pins its own namespace, so the
# `namespace: openshift-operators` set by the installing task does not apply.
1 | apiVersion: operators.coreos.com/v1alpha1
2 | kind: Subscription
3 | metadata:
4 | name: elasticsearch-operator
5 | namespace: istio-system
6 | spec:
# Channel is hard-coded to the 4.4 stream; bump together with the OCP version.
7 | channel: "4.4"
# Automatic: OLM applies channel upgrades without a manual approval step.
8 | installPlanApproval: Automatic
9 | name: elasticsearch-operator
10 | source: redhat-operators
11 | sourceNamespace: openshift-marketplace
12 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/templates/istio-installation.yml:
--------------------------------------------------------------------------------
# ServiceMeshControlPlane for the cluster mesh. All values are fixed here; the
# namespace is hard-coded rather than taken from servicemesh_namespace.
1 | apiVersion: maistra.io/v1
2 | kind: ServiceMeshControlPlane
3 | metadata:
4 | name: ocp4-mesh
5 | namespace: istio-system
6 | spec:
7 |
8 | istio:
9 | global:
# Sidecar proxy sizing; memory limit equals the request, so a proxy that grows
# past 128Mi is OOM-killed rather than throttled.
10 | proxy:
11 | resources:
12 | requests:
13 | cpu: 100m
14 | memory: 128Mi
15 | limits:
16 | cpu: 500m
17 | memory: 128Mi
# Mutual TLS between sidecars is switched on for the mesh.
18 | mtls:
19 | enabled: true
# Autoscaling is disabled for every component below; replica counts are whatever
# the operator's defaults are.
20 | gateways:
21 | istio-egressgateway:
22 | autoscaleEnabled: false
23 | istio-ingressgateway:
24 | autoscaleEnabled: false
25 |
26 | mixer:
27 | policy:
28 | autoscaleEnabled: false
29 |
30 | telemetry:
31 | autoscaleEnabled: false
32 | resources:
33 | requests:
34 | cpu: 100m
35 | memory: 1G
36 | limits:
37 | cpu: 500m
38 | memory: 4G
39 |
40 | pilot:
41 | autoscaleEnabled: false
# NOTE(review): presumably a percentage, i.e. every request is traced — fine for
# a lab, costly in Elasticsearch storage under real load; confirm the unit.
42 | traceSampling: 100
43 |
44 | kiali:
45 | enabled: true
46 |
47 | grafana:
48 | enabled: true
49 |
# Production Jaeger backed by a 3-node Elasticsearch cluster, 100G per node.
50 | tracing:
51 | enabled: true
52 | jaeger:
53 | template: production-elasticsearch
54 | elasticsearch:
55 | nodeCount: 3
56 | redundancyPolicy: "SingleRedundancy"
57 | storage:
58 | size: "100G"
59 | resources:
60 | requests:
61 | cpu: "1"
62 | memory: "4Gi"
63 | limits:
64 | cpu: "1"
65 | memory: "4Gi"
66 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/templates/istio-memberroll.yml:
--------------------------------------------------------------------------------
# Default ServiceMeshMemberRoll: namespaces listed under members join the mesh.
apiVersion: maistra.io/v1
kind: ServiceMeshMemberRoll
metadata:
  name: default
  namespace: istio-system
spec:
  members:
    # NOTE(review): 'your-project' is a scaffold placeholder, not a real
    # namespace. tasks/main.yml creates this object only when no member roll
    # exists, so the placeholder is applied as-is unless this file is edited.
    - your-project
9 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/templates/jaegar-operator.yml:
--------------------------------------------------------------------------------
# OLM Subscription for the Red Hat Jaeger operator (stable channel), used by
# the tracing section of istio-installation.yml. (File name says "jaegar".)
# NOTE(review): no metadata.namespace, unlike elasticsearch-operator.yml; the
# target namespace depends on what the applying task in tasks/main.yml passes -
# confirm it is set.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: jaeger-product
spec:
  channel: stable
  installPlanApproval: Automatic
  name: jaeger-product
  source: redhat-operators
  sourceNamespace: openshift-marketplace
11 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/templates/kiali-operator.yml:
--------------------------------------------------------------------------------
# OLM Subscription for the Kiali operator (stable channel); Kiali itself is
# enabled in istio-installation.yml.
# NOTE(review): no metadata.namespace - same point as jaegar-operator.yml; the
# applying task in tasks/main.yml must supply it.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: kiali-ossm
spec:
  channel: stable
  installPlanApproval: Automatic
  name: kiali-ossm
  source: redhat-operators
  sourceNamespace: openshift-marketplace
11 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/templates/servicemesh-namespace.yml:
--------------------------------------------------------------------------------
# Project hosting the control plane (istio-installation.yml) and the
# Elasticsearch subscription that targets it. The kubernetes finalizer is the
# standard one; nothing role-specific here.
apiVersion: project.openshift.io/v1
kind: Project
metadata:
  name: istio-system
spec:
  finalizers:
    - kubernetes
8 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/templates/servicemesh-operator.yml:
--------------------------------------------------------------------------------
# OLM Subscription for Red Hat OpenShift Service Mesh. Channel "1.0" pins the
# OSSM 1.x operator, which is what the maistra.io/v1 control plane in
# istio-installation.yml is written against. spec.name is the OLM package
# name (servicemeshoperator); it legitimately differs from metadata.name.
# NOTE(review): no metadata.namespace - the applying task must supply it.
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: servicemesh-operator
spec:
  channel: "1.0"
  installPlanApproval: Automatic
  name: servicemeshoperator
  source: redhat-operators
  sourceNamespace: openshift-marketplace
11 |
12 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - ocp4-post-service-mesh
--------------------------------------------------------------------------------
/roles/ocp4-post-service-mesh/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-service-mesh
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/.travis.yml:
--------------------------------------------------------------------------------
1 | ---
2 | language: python
3 | python: "2.7"
4 |
5 | # Use the new container infrastructure
6 | sudo: false
7 |
8 | # Install ansible
9 | addons:
10 | apt:
11 | packages:
12 | - python-pip
13 |
14 | install:
15 | # Install ansible
16 | - pip install ansible
17 |
18 | # Check ansible version
19 | - ansible --version
20 |
21 | # Create ansible.cfg with correct roles_path
22 | - printf '[defaults]\nroles_path=../' >ansible.cfg
23 |
24 | script:
25 | # Basic role syntax check
26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 |
28 | notifications:
29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for ocp4-post-tekton

# NOTE(review): not referenced by tasks/main.yml or the templates in this role;
# possibly consumed elsewhere.
silent: False

# Defaults values below are for OpenShift Pipelines 1.0.1 (Tech Preview)

# Version of tkn to be installed on the bastion host
# tkn 0.9.0 maps to OpenShift Pipelines 1.0.1
# NOTE(review): no variable follows this comment and no task in this role
# installs tkn; either add the variable and task or drop the comment.

# Channel to use for the OpenShift pipelines subscription
ocp4_workload_pipelines_channel: "ocp-4.4"

# Set automatic InstallPlan approval. If set to false it is also suggested
# to set the starting_csv to pin a specific version
# This variable has no effect when using a catalog snapshot (always true)
# (subscription.j2 renders Manual approval in that case and tasks/main.yml
# approves the resulting InstallPlan itself)
ocp4_workload_pipelines_automatic_install_plan_approval: true

# Set a starting ClusterServiceVersion.
# Recommended to leave empty to get latest in the channel when not using
# a catalog snapshot.
# Highly recommended to be set when using a catalog snapshot but can be
# empty to get the latest available in the channel at the time when
# the catalog snapshot got created.
ocp4_workload_pipelines_starting_csv: ""

# Use a catalog snapshot
ocp4_workload_pipelines_use_catalog_snapshot: false

# Catalog Source Name when using a catalog snapshot. This should be unique
# in the cluster to avoid clashes
ocp4_workload_pipelines_catalogsource_name: redhat-operators-snapshot-pipelines

# Catalog snapshot image
# NOTE(review): a third-party registry image referenced by mutable tag (see
# below), not by digest, so the "snapshot" can change underneath the pin;
# a digest reference would make it immutable.
ocp4_workload_pipelines_catalog_snapshot_image: quay.io/gpte-devops-automation/olm_snapshot_redhat_catalog

# Catalog snapshot image tag
ocp4_workload_pipelines_catalog_snapshot_image_tag: "v4.4_2020_07_23"
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post-tekton
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/tasks/main.yml:
--------------------------------------------------------------------------------
---
# tasks file for ocp4-post-tekton
#
# Installs the OpenShift Pipelines (Tekton) operator through OLM and waits
# until its CSV and controller Deployment are ready. Variables come from
# defaults/main.yml. The json_query filters below need the jmespath package
# on the control node.
# NOTE(review): none of the k8s/k8s_info tasks pass `kubeconfig` (the
# worker-nodes role does), so they rely on the module's default credential
# lookup - confirm that is intended.

# Optional pinned catalog (catalogsource.j2); only when
# ocp4_workload_pipelines_use_catalog_snapshot is true.
- name: Create Catalogsource for use with catalog snapshot
  when: ocp4_workload_pipelines_use_catalog_snapshot | bool
  k8s:
    state: present
    definition: "{{ lookup('template', './templates/catalogsource.j2' ) | from_yaml }}"

- name: Create OpenShift Pipelines subscription
  k8s:
    state: present
    definition: "{{ lookup('template', './templates/subscription.j2' ) | from_yaml }}"

# Poll (30 x 5s) until an InstallPlan whose first CSV name starts with
# 'openshift-pipelines-operator' exists in openshift-operators.
- name: Wait until InstallPlan is created
  k8s_info:
    api_version: operators.coreos.com/v1alpha1
    kind: InstallPlan
    namespace: openshift-operators
  register: r_install_plans
  vars:
    _query: >-
      [?starts_with(spec.clusterServiceVersionNames[0], 'openshift-pipelines-operator')]
  retries: 30
  delay: 5
  until:
    - r_install_plans.resources | length > 0
    - r_install_plans.resources | to_json | from_json | json_query(_query)

# Same query narrowed to the first matching plan's metadata.name.
- name: Set InstallPlan Name
  set_fact:
    ocp4_workload_pipelines_install_plan_name: "{{ r_install_plans.resources | to_json | from_json | json_query(query) }}"
  vars:
    query: >-
      [?starts_with(spec.clusterServiceVersionNames[0], 'openshift-pipelines-operator')].metadata.name|[0]
- name: Get InstallPlan
  k8s_info:
    api_version: operators.coreos.com/v1alpha1
    kind: InstallPlan
    name: "{{ ocp4_workload_pipelines_install_plan_name }}"
    namespace: openshift-operators
  register: r_install_plan

# subscription.j2 renders Manual approval for catalog snapshots or when
# automatic approval is off; the plan is then approved here unconditionally,
# so "Manual" acts as a version pin (starting_csv), not as a human review gate.
# NOTE(review): this is the only template applied without `| from_yaml`; the
# k8s module accepts the YAML string, but it is inconsistent with the others.
- name: Approve InstallPlan if necessary
  when: r_install_plan.resources[0].status.phase is match("RequiresApproval")
  k8s:
    state: present
    definition: "{{ lookup( 'template', './templates/installplan.j2' ) }}"

# currentCSV is populated once OLM has resolved the subscription.
- name: Get Installed CSV
  k8s_info:
    api_version: operators.coreos.com/v1alpha1
    kind: Subscription
    name: openshift-pipelines-operator-rh
    namespace: openshift-operators
  register: r_subscription
  retries: 30
  delay: 5
  until:
    - r_subscription.resources[0].status.currentCSV is defined
    - r_subscription.resources[0].status.currentCSV | length > 0

# Up to 15 x 5s for the CSV to reach Succeeded.
- name: Wait until CSV is Installed
  k8s_info:
    api_version: operators.coreos.com/v1alpha1
    kind: ClusterServiceVersion
    name: "{{ r_subscription.resources[0].status.currentCSV }}"
    namespace: openshift-operators
  register: r_csv
  retries: 15
  delay: 5
  until:
    - r_csv.resources[0].status.phase is defined
    - r_csv.resources[0].status.phase | length > 0
    - r_csv.resources[0].status.phase == "Succeeded"

# Ready once availableReplicas equals spec.replicas on the controller.
# NOTE(review): Deployment is served by apps/v1; whether `api_version: v1`
# resolves here depends on the dynamic client's lookup - confirm, or state
# apps/v1 explicitly.
- name: Wait until Pipelines Pods are ready
  k8s_info:
    api_version: v1
    kind: Deployment
    namespace: "openshift-pipelines"
    name: "tekton-pipelines-controller"
  register: r_pipeline_controller_deployment
  retries: 30
  delay: 10
  until:
    - r_pipeline_controller_deployment.resources | length | int > 0
    - r_pipeline_controller_deployment.resources[0].status.availableReplicas is defined
    - r_pipeline_controller_deployment.resources[0].status.availableReplicas | int == r_pipeline_controller_deployment.resources[0].spec.replicas | int
90 |
91 |
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/templates/catalogsource.j2:
--------------------------------------------------------------------------------
{# CatalogSource pointing OLM at a pinned snapshot of the Red Hat catalog.
   Created in openshift-operators, matching the sourceNamespace that
   subscription.j2 uses when the snapshot is enabled.
   NOTE(review): the image is referenced by tag, not digest; a digest
   reference would make the snapshot content immutable. #}
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: "{{ ocp4_workload_pipelines_catalogsource_name }}"
  namespace: openshift-operators
spec:
  sourceType: grpc
  image: "{{ ocp4_workload_pipelines_catalog_snapshot_image }}:{{ ocp4_workload_pipelines_catalog_snapshot_image_tag }}"
  displayName: "{{ ocp4_workload_pipelines_catalogsource_name }}"
10 |
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/templates/installplan.j2:
--------------------------------------------------------------------------------
{# Approves the InstallPlan selected in tasks/main.yml (its name is set from
   the 'openshift-pipelines-operator' CSV lookup); approved: true lets OLM
   proceed with the install. #}
apiVersion: operators.coreos.com/v1alpha1
kind: InstallPlan
metadata:
  name: "{{ ocp4_workload_pipelines_install_plan_name }}"
  namespace: openshift-operators
spec:
  approved: true
8 |
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/templates/subscription.j2:
--------------------------------------------------------------------------------
{# OLM Subscription for the OpenShift Pipelines operator. Inputs come from
   defaults/main.yml; default() guards keep the template renderable when a
   variable is unset. #}
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: openshift-pipelines-operator-rh
  namespace: openshift-operators
spec:
  channel: "{{ ocp4_workload_pipelines_channel }}"
{# Manual approval whenever a catalog snapshot is used or automatic approval
   is switched off; tasks/main.yml then approves the resulting InstallPlan
   itself, so Manual here is a version pin rather than a human gate. #}
{% if ocp4_workload_pipelines_automatic_install_plan_approval | default(True) | bool and not ocp4_workload_pipelines_use_catalog_snapshot | default(False) | bool %}
  installPlanApproval: Automatic
{% else %}
  installPlanApproval: Manual
{% endif %}
  name: openshift-pipelines-operator-rh
{# Snapshot CatalogSource lives in openshift-operators (catalogsource.j2);
   otherwise the stock Red Hat catalog in openshift-marketplace. #}
{% if ocp4_workload_pipelines_use_catalog_snapshot | default(False) | bool %}
  source: "{{ ocp4_workload_pipelines_catalogsource_name }}"
  sourceNamespace: openshift-operators
{% else %}
  source: redhat-operators
  sourceNamespace: openshift-marketplace
{% endif %}
{# Optional pin to a specific CSV; omitted when empty so OLM picks the
   channel's latest. #}
{% if ocp4_workload_pipelines_starting_csv | d("") | length > 0 %}
  startingCSV: "{{ ocp4_workload_pipelines_starting_csv }}"
{% endif %}
24 |
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/tests/test.yml:
--------------------------------------------------------------------------------
1 | ---
2 | - hosts: localhost
3 | remote_user: root
4 | roles:
5 | - ocp4-post-tekton
--------------------------------------------------------------------------------
/roles/ocp4-post-tekton/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post-tekton
--------------------------------------------------------------------------------
/roles/ocp4-post-worker-nodes/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-post-worker-nodes/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for ocp4-post
--------------------------------------------------------------------------------
/roles/ocp4-post-worker-nodes/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-post
--------------------------------------------------------------------------------
/roles/ocp4-post-worker-nodes/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/roles/ocp4-post-worker-nodes/tasks/config.yml:
--------------------------------------------------------------------------------
---

# Labels worker nodes and their MachineSets with node-role.kubernetes.io/apps
# and points the cluster default node selector at that label. Expects
# `nodedata` (from fetch_info.yml) and `kubeconfig` to be set.

# https://access.redhat.com/solutions/4287111
# Infra-labelled nodes are skipped so they are never picked for app workloads.
- name: '[POSTINSTALL][WORKER-NODES] Apply the application label to the worker nodes'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    api_version: v1
    kind: Node
    name: "{{ node.metadata.name }}"
    definition:
      metadata:
        labels:
          'node-role.kubernetes.io/apps': ""
  loop: "{{ nodedata.resources }}"
  loop_control:
    loop_var: node
  when:
    - node.metadata.labels['node-role.kubernetes.io/worker'] is defined
    - node.metadata.labels['node-role.kubernetes.io/infra'] is not defined

- name: '[POSTINSTALL][WORKER-NODES] Grab the machinesets'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: machine.openshift.io/v1beta1
    kind: MachineSet
    namespace: openshift-machine-api
  register: machinesets

# Keeps machines created by future scale-ups labelled like the existing nodes.
# NOTE(review): `is search("worker")` is a substring match on the MachineSet
# name with no infra exclusion equivalent to the node task above; any
# MachineSet whose name merely contains "worker" gets the label - confirm
# against the MachineSet naming in use.
- name: '[POSTINSTALL][WORKER-NODES] Apply the same label to the default worker machineset stanza'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    api_version: machine.openshift.io/v1beta1
    kind: MachineSet
    name: "{{ machineset.metadata.name }}"
    namespace: openshift-machine-api
    definition:
      spec:
        template:
          spec:
            metadata:
              labels:
                'node-role.kubernetes.io/apps': ""
  loop: "{{ machinesets.resources }}"
  loop_control:
    loop_var: machineset
  when: machineset.metadata.name is search ("worker")

# https://access.redhat.com/solutions/4233311
# NOTE(review): the comment block further down says the default node selector
# is disabled in favour of the project request template, yet this task is
# still active and applies it cluster-wide (merge patch on Scheduler/cluster);
# one of the two is stale - decide which and remove the other.
- name: '[POSTINSTALL][WORKER-NODES] Set the default node selector to application - can be overridden with ns annotations'
  k8s:
    kubeconfig: "{{ kubeconfig }}"
    api_version: config.openshift.io/v1
    merge_type: merge
    kind: Scheduler
    name: cluster
    definition:
      spec:
        defaultNodeSelector: 'node-role.kubernetes.io/apps='

## Default Node Selector disabled, used project request template with apps= label instead
# https://access.redhat.com/solutions/4233311
#- name: '[POSTINSTALL][WORKER-NODES] Set the default node selector to application - can be overridden with ns annotations'
#  k8s:
#    kubeconfig: "{{ kubeconfig }}"
#    api_version: config.openshift.io/v1
#    merge_type: merge
#    kind: Scheduler
#    name: cluster
#    definition:
#      spec:
#        defaultNodeSelector: 'node-role.kubernetes.io/apps='
72 |
--------------------------------------------------------------------------------
/roles/ocp4-post-worker-nodes/tasks/fetch_info.yml:
--------------------------------------------------------------------------------
---

# Reads the cluster Infrastructure object.
# NOTE(review): `infradata` is not referenced in config.yml; it may be used by
# another role, otherwise this call is dead weight.
- name: '[POSTINSTALL][WORKER-NODES] Interrogate cluster'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    api_version: config.openshift.io/v1
    kind: Infrastructure
    name: cluster
  register: infradata

# All nodes (core v1, no api_version needed); config.yml filters them on the
# worker/infra role labels.
- name: '[POSTINSTALL][WORKER-NODES] Capture nodes'
  k8s_info:
    kubeconfig: "{{ kubeconfig }}"
    kind: Node
  register: nodedata
16 |
--------------------------------------------------------------------------------
/roles/ocp4-post-worker-nodes/tasks/main.yml:
--------------------------------------------------------------------------------
---

# Entry point: gather Infrastructure/Node facts first, then apply the worker
# labelling and scheduler change. Both files expect `kubeconfig` to be set.
- import_tasks: fetch_info.yml
- import_tasks: config.yml
5 |
6 |
--------------------------------------------------------------------------------
/roles/ocp4-post-worker-nodes/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-post
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/.travis.yml:
--------------------------------------------------------------------------------
1 | ---
2 | language: python
3 | python: "2.7"
4 |
5 | # Use the new container infrastructure
6 | sudo: false
7 |
8 | # Install ansible
9 | addons:
10 | apt:
11 | packages:
12 | - python-pip
13 |
14 | install:
15 | # Install ansible
16 | - pip install ansible
17 |
18 | # Check ansible version
19 | - ansible --version
20 |
21 | # Create ansible.cfg with correct roles_path
22 | - printf '[defaults]\nroles_path=../' >ansible.cfg
23 |
24 | script:
25 | # Basic role syntax check
26 | - ansible-playbook tests/test.yml -i tests/inventory --syntax-check
27 |
28 | notifications:
29 | webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for ocp4-uninstall
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-uninstall
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/meta/main.yml:
--------------------------------------------------------------------------------
1 | galaxy_info:
2 | author: your name
3 | description: your role description
4 | company: your company (optional)
5 |
6 | # If the issue tracker for your role is not on github, uncomment the
7 | # next line and provide a value
8 | # issue_tracker_url: http://example.com/issue/tracker
9 |
10 | # Choose a valid license ID from https://spdx.org - some suggested licenses:
11 | # - BSD-3-Clause (default)
12 | # - MIT
13 | # - GPL-2.0-or-later
14 | # - GPL-3.0-only
15 | # - Apache-2.0
16 | # - CC-BY-4.0
17 | license: license (GPL-2.0-or-later, MIT, etc)
18 |
19 | min_ansible_version: 2.9
20 |
21 | # If this a Container Enabled role, provide the minimum Ansible Container version.
22 | # min_ansible_container_version:
23 |
24 | #
25 | # Provide a list of supported platforms, and for each platform a list of versions.
26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'.
27 | # To view available platforms and versions (or releases), visit:
28 | # https://galaxy.ansible.com/api/v1/platforms/
29 | #
30 | # platforms:
31 | # - name: Fedora
32 | # versions:
33 | # - all
34 | # - 25
35 | # - name: SomePlatform
36 | # versions:
37 | # - all
38 | # - 1.0
39 | # - 7
40 | # - 99.99
41 |
42 | galaxy_tags: []
43 | # List tags for your role here, one per line. A tag is a keyword that describes
44 | # and categorizes the role. Users find roles by searching for tags. Be sure to
45 | # remove the '[]' above, if you add tags to this list.
46 | #
47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
48 | # Maximum 20 tags per role.
49 |
50 | dependencies: []
51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above,
52 | # if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/tasks/main.yml:
--------------------------------------------------------------------------------
---

# NOTE(review): the guard only checks that the variable exists, so
# `-e uninstall_ocp=false` still runs the destroy. A truthiness check,
# `uninstall_ocp is defined and uninstall_ocp | bool`, is the safer gate
# for an irreversible action.
- import_tasks: uninstall.yml
  when:
    - uninstall_ocp is defined
6 |
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/tasks/uninstall.yml:
--------------------------------------------------------------------------------
---

# Destroys a cluster previously installed from {{ user_path }} and removes the
# local artefacts. Irreversible; main.yml only gates on `uninstall_ocp is
# defined`, so double-check how that variable is supplied.

# Dead code: copies of the ocp4-install download/unarchive tasks, kept
# commented out. They are the only users of var_installer_* from
# vars/main.yml.
#- name: '[UNINSTALL_CLUSTER] Create a user-writable directory for tools'
#  file:
#    name: "{{ user_path }}"
#    state: directory
#
#- name: '[OCP4-INSTALL] Download the required ocp4 tooling'
#  get_url:
#    url: "{{ var_installer_baseurl }}/{{ pkg }}"
#    dest: "{{ user_path }}/{{ pkg }}"
#  loop:
#    - "{{ var_installer_program }}"
#    - "{{ var_installer_clienttools }}"
#  loop_control:
#    loop_var: pkg
#  register: ocp4_files
#
#- name: '[OCP4-INSTALL] Create a user-writable directory for tools'
#  file:
#    name: "{{ user_path }}"
#    state: directory
#
#- name: '[OCP4-INSTALL] Ensure downloaded installers are unarchived'
#  unarchive:
#    src: "{{ user_path }}/{{ pkg }}"
#    dest: "{{ user_path }}"
#  loop:
#    - "{{ var_installer_program }}"
#    - "{{ var_installer_clienttools }}"
#  loop_control:
#    loop_var: pkg
#  when: ocp4_files.changed

# When the install ran from Tower, restore the archived install directory
# from tower_path so openshift-install finds its state files.
- name: '[INSTALL_CONFIG] Unarchive tower installation files to uninstall after'
  unarchive:
    src: "{{ tower_path }}/{{ cluster_name }}-{{ ocp_cluster }}-install.gz"
    dest: "{{ user_path }}"
  when:
    - tower_used is defined
    - tower_used | bool

# Unnamed debug listing of the restored directory; output only.
# NOTE(review): user_path is interpolated unquoted into a shell command here
# and in the destroy task below; `{{ user_path | quote }}` keeps a path with
# spaces or shell metacharacters from being reinterpreted by the shell.
- shell:
    cmd: "ls -lhrt {{ user_path }}"

#- pause:
#    minutes: 10

# `removes` skips the destroy when no terraform.tfstate is present, i.e. when
# there is no recorded infrastructure to tear down. Cloud credentials are not
# passed here; presumably the installer picks them up from the environment.
- name: '[UNINSTALL_CLUSTER] Uninstalling...'
  shell:
    cmd: "{{ user_path }}/openshift-install destroy cluster --dir {{ user_path }}"
    removes: "{{ user_path }}/terraform.tfstate"

# NOTE(review): runs even when the destroy above was skipped, so a directory
# whose tfstate was missing (e.g. after a failed unarchive) is deleted with
# everything else it held; consider registering the destroy result and
# gating this on it.
- name: '[UNINSTALL_CLUSTER] Remove working directory'
  file:
    path: "{{ user_path }}"
    state: absent

- name: '[UNINSTALL_CLUSTER] Remove copied kubeconfig'
  file:
    path: "{{ local_kubeconfig }}"
    state: absent
  when:
    - tower_used is defined
    - tower_used | bool
66 |
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/tests/test.yml:
--------------------------------------------------------------------------------
---
# Galaxy scaffold test play: applies the role to localhost so the role can be
# syntax-checked. NOTE(review): with hosts: localhost Ansible normally uses the
# local connection, in which case remote_user has no effect — confirm.
- hosts: localhost
  remote_user: root
  roles: [ocp4-uninstall]
--------------------------------------------------------------------------------
/roles/ocp4-uninstall/vars/main.yml:
--------------------------------------------------------------------------------
---
# Installer download locations for the ocp4-uninstall role. All three derive
# from ocp4_version, so the installer used to destroy the cluster matches the
# release that was installed.
# Base URL of the Red Hat mirror (HTTPS) for the given release.
var_installer_baseurl: 'https://mirror.openshift.com/pub/openshift-v4/clients/ocp/{{ ocp4_version }}'
# Archive names fetched from var_installer_baseurl.
var_installer_program: 'openshift-install-linux-{{ ocp4_version }}.tar.gz'
var_installer_clienttools: 'openshift-client-linux-{{ ocp4_version }}.tar.gz'
# NOTE(review): no checksum is declared for these archives, and the
# (commented-out) get_url task in tasks/main.yml fetched them without a
# checksum argument — confirm integrity is verified wherever they are used.
5 |
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/.travis.yml:
--------------------------------------------------------------------------------
---
# Travis CI job for the ocp4-upgrade role (Galaxy scaffold): installs Ansible
# under Python 2.7 and runs a syntax check of tests/test.yml.
language: python
python: "2.7"

# Use the new container infrastructure
sudo: false

# Install ansible
addons:
  apt:
    packages:
    - python-pip

install:
  # Install ansible
  # NOTE(review): unpinned, so the check runs against whichever ansible release
  # pip resolves on the day the job runs; Python 2.7 is also end-of-life.
  - pip install ansible

  # Check ansible version
  - ansible --version

  # Create ansible.cfg with correct roles_path
  # roles_path=../ lets tests/test.yml resolve the role by its directory name.
  - printf '[defaults]\nroles_path=../' >ansible.cfg

script:
  # Basic role syntax check (parses only; nothing is executed against a host)
  - ansible-playbook tests/test.yml -i tests/inventory --syntax-check

notifications:
  webhooks: https://galaxy.ansible.com/api/v1/notifications/
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/README.md:
--------------------------------------------------------------------------------
1 | Role Name
2 | =========
3 |
4 | A brief description of the role goes here.
5 |
6 | Requirements
7 | ------------
8 |
9 | Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
10 |
11 | Role Variables
12 | --------------
13 |
14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (i.e. hostvars, group vars, etc.) should be mentioned here as well.
15 |
16 | Dependencies
17 | ------------
18 |
19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
20 |
21 | Example Playbook
22 | ----------------
23 |
24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
25 |
26 | - hosts: servers
27 | roles:
28 | - { role: username.rolename, x: 42 }
29 |
30 | License
31 | -------
32 |
33 | BSD
34 |
35 | Author Information
36 | ------------------
37 |
38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed).
39 |
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/defaults/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # defaults file for ocp4-upgrade
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/handlers/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # handlers file for ocp4-upgrade
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/meta/main.yml:
--------------------------------------------------------------------------------
# Galaxy metadata for ocp4-upgrade.
# NOTE(review): author, description, company and license are still the
# unedited Galaxy scaffold placeholders; the license value below is not a
# valid SPDX identifier.
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.9

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
  # List tags for your role here, one per line. A tag is a keyword that describes
  # and categorizes the role. Users find roles by searching for tags. Be sure to
  # remove the '[]' above, if you add tags to this list.
  #
  # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
  # Maximum 20 tags per role.

dependencies: []
# List your role dependencies here, one per line. Be sure to remove the '[]' above,
# if you add dependencies to this list.
53 |
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/tasks/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # tasks file for ocp4-upgrade
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/tests/inventory:
--------------------------------------------------------------------------------
1 | localhost
2 |
3 |
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/tests/test.yml:
--------------------------------------------------------------------------------
---
# Galaxy scaffold test play, run by .travis.yml with --syntax-check.
# NOTE(review): with hosts: localhost Ansible normally uses the local
# connection, in which case remote_user has no effect — confirm.
- hosts: localhost
  remote_user: root
  roles: [ocp4-upgrade]
--------------------------------------------------------------------------------
/roles/ocp4-upgrade/vars/main.yml:
--------------------------------------------------------------------------------
1 | ---
2 | # vars file for ocp4-upgrade
--------------------------------------------------------------------------------
/undeploy.yml:
--------------------------------------------------------------------------------
---
# Tear-down entry point: runs the ocp4-uninstall role on the local host, and
# only when vars/vars.yml sets uninstall_ocp to a true value. Everything
# destructive (openshift-install destroy cluster) lives inside that role.
- name: '[OCP4-AUTO-INSTALL] Remove an Openshift4 cluster'
  hosts: localhost
  connection: local
  vars_files:
    - vars/vars.yml
  tasks:
    - name: '[UNINSTALL] Uninstall of the OCP4 Cluster'
      include_role:
        name: "ocp4-uninstall"
      # Same gate as "uninstall_ocp is defined and uninstall_ocp | bool".
      when: uninstall_ocp | default(false) | bool
14 |
--------------------------------------------------------------------------------
/vars/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rcarrata/ocp4-auto-install/a69adc48365daef02616fc09cbc63ae4453774c7/vars/.gitkeep
--------------------------------------------------------------------------------
/vars/vars-backup.yml:
--------------------------------------------------------------------------------
---
# Backup of an earlier configuration (4.4.5, Tower mode); the live settings
# are in vars/vars.yml. Kept for reference only.
#### Cluster Vars
ocp4_version: '4.4.5'
cloud_provider: 'ec2'
cluster_name: 'rcarrata-ocp'
ocp4_base_domain: 'b8a1.sandbox1648.opentlc.com'
aws_region: eu-central-1
master_instance_type: m5.xlarge
master_instance_count: 3
worker_instance_type: m5.xlarge
worker_instance_count: 3
# Here the kubeconfig is a fixed path in the user's home; the live vars.yml
# points at the installer's auth/kubeconfig instead.
kubeconfig: '~/.kube/ocp4-opentlc2'
machineCIDR: "10.0.0.0/16"
#kubeconfig: "{{ user_path }}/auth/kubeconfig"

#### Only in Tower-mode
tower_used: True
# Removed by ocp4-uninstall when tower_used is true.
local_kubeconfig: '~/.kube/{{ cluster_name }}'
ocp_cluster: ocpdr

#### Install Vars
# NOTE(review): hyphens are not valid in Ansible variable names, so this key
# cannot be referenced as "{{ awscli-download }}" (Jinja reads it as a
# subtraction); confirm how the awscli role spells it.
awscli-download: False
prereqs: False
# Gate for undeploy.yml: the ocp4-uninstall role is only included when this is
# defined and true.
uninstall_ocp: False # VERY CAREFUL WITH THIS VAR :)

#### Post Install Vars
only_post_install: False

# Worker Nodes
worker_nodes: False

# Infra Nodes
infra_nodes: False
infra_disk_size: 1024
infra_instance_type: r5.xlarge

# ELK infra nodes
elk_nodes: False

# OAuth
#oauth: htpasswd
# OAuth identity provider disabled in this backup (the live file uses htpasswd).
oauth: False
ocp4_htpasswd_admin_user: admin
ocp4_htpasswd_dev_user: developer

# Presumably controls deletion of the installer's kubeadmin user — confirm in
# the oauth role. While False, kubeadmin remains a valid cluster-admin login.
ocp4_remove_kubeadmin: False
removeselfprovisioning: True

# Logging
logging: True
clo_node_selector: "node-role.kubernetes.io/infra="
# NOTE(review): unquoted 4.3 is parsed by YAML as a float, not the string
# "4.3"; the live vars.yml uses the string 'stable' for both channels.
es_channel: 4.3   # Define the ES version of the operator
clo_channel: 4.3  # Define the ClusterLogging version of the operator

# Monitoring
monitoring: False
prom_retention: 1w
prometheus_gp2_storage: 40Gi
alertmanager_gp2_storage: 40Gi

# Registry
registry: False

# ProjectRequestTemplate
project_request_template: True
project_request_message: "To provision namespace ask to Openshift 4 Administrators"
install_limit_range: True
install_network_policies: True
install_resource_quota: True
# LimitRange for new projects: per-container and per-pod ceilings plus the
# defaults injected into containers that declare no requests/limits.
project_request_template_project_limits:
  - type: Container
    max:
      cpu: 2
      memory: 2Gi
    default:
      cpu: 500m
      memory: 500Mi
    defaultRequest:
      cpu: 50m
      memory: 256Mi
  - type: Pod
    max:
      cpu: 2
      memory: 4Gi

# ResourceQuota for new projects.
project_request_template_resource_quota:
  pods: 10
  requests.cpu: 4000m
  requests.memory: 8Gi
  resourcequotas: 1
  requests.storage: 50Gi
  persistentvolumeclaims: 5

### Extra DevOps Or RH Tools

# ArgoCD
argocd: False
argoclient: False
argocd_version: v1.6.0

# ServiceMesh
service_mesh: False
103 |
--------------------------------------------------------------------------------
/vars/vars.yml:
--------------------------------------------------------------------------------
---
# Live configuration loaded by the deploy/undeploy playbooks (vars_files).
#### Cluster Vars
# Release to install; also selects the installer/client archive names and the
# mirror URL path (see roles/*/vars/main.yml).
ocp4_version: '4.8.5'
cloud_provider: 'ec2'
cluster_name: 'test8ocp'
# Parent DNS zone; the cluster's own zone is ocp4_dnszone below.
ocp4_base_domain: '84b7.sandbox203.opentlc.com'
aws_region: eu-central-1
master_instance_type: m5.xlarge
master_instance_count: 3
worker_instance_type: m5.xlarge
worker_instance_count: 3
#kubeconfig: '~/.kube/ocp4-opentlc2'
machineCIDR: "10.0.0.0/16"
# The installer's admin kubeconfig inside its working directory (user_path);
# presumably what the post-install roles authenticate with — confirm.
kubeconfig: "{{ user_path }}/auth/kubeconfig"
# Copy in the user's home; removed by ocp4-uninstall when tower_used is true.
local_kubeconfig: '~/.kube/{{ cluster_name }}'

#### Only in Tower-mode
tower_used: False

#### Install Vars
# NOTE(review): hyphens are not valid in Ansible variable names, so this key
# cannot be referenced as "{{ awscli-download }}" (Jinja reads it as a
# subtraction); confirm how the awscli role spells it.
awscli-download: True
prereqs: True
# Gate for undeploy.yml: the ocp4-uninstall role (openshift-install destroy
# cluster) is only included when this is defined and true.
uninstall_ocp: False # VERY CAREFUL WITH THIS VAR :)

#### Post Install Vars
#only_post_install: True
only_post_install: False

# Worker Nodes
worker_nodes: True

# Infra Nodes
infra_nodes: True
infra_disk_size: 1024
infra_instance_type: m5.xlarge

# ELK infra nodes
elk_nodes: False

# OAuth
#oauth: htpasswd
# htpasswd identity provider with a predefined admin and developer user.
oauth: htpasswd
ocp4_htpasswd_admin_user: admin
ocp4_htpasswd_dev_user: developer

# Presumably controls deletion of the installer's kubeadmin user once the
# htpasswd users exist — confirm in the oauth role. While False, kubeadmin
# remains a valid cluster-admin login alongside them.
ocp4_remove_kubeadmin: False
# Presumably removes self-provisioning so ordinary users cannot create
# projects — confirm in the role; pairs with project_request_template below.
removeselfprovisioning: True

# Logging
logging: True
clo_node_selector: "node-role.kubernetes.io/infra="
es_channel: stable   # Define the ES version of the operator
clo_channel: stable  # Define the ClusterLogging version of the operator

# Monitoring
monitoring: True
prom_retention: 4w
prometheus_gp2_storage: 40Gi
alertmanager_gp2_storage: 40Gi

# Registry
registry: True

# ProjectRequestTemplate
project_request_template: True
project_request_message: "To provision namespace ask to Openshift 4 Administrators"
install_limit_range: True
install_network_policies: True
install_resource_quota: True
# LimitRange for new projects: per-container and per-pod ceilings plus the
# defaults injected into containers that declare no requests/limits.
project_request_template_project_limits:
  - type: Container
    max:
      cpu: 2
      memory: 2Gi
    default:
      cpu: 500m
      memory: 500Mi
    defaultRequest:
      cpu: 50m
      memory: 256Mi
  - type: Pod
    max:
      cpu: 2
      memory: 4Gi

# ResourceQuota for new projects.
project_request_template_resource_quota:
  pods: 10
  requests.cpu: 4000m
  requests.memory: 8Gi
  resourcequotas: 1
  requests.storage: 50Gi
  persistentvolumeclaims: 5

### Cert Manager
cmanager: true
cmanager_namespace: cert-manager
cmanager_aws_region: eu-west-1
cmanager_email_admin: rcarrata@redhat.com
cmanager_nodeselector: worker
# Presumably the IAM role/user names the cert-manager role provisions or
# references — confirm; no credential values are kept in this file.
cmanager_aws_role_name: ocp_cert_manager
cmanager_aws_user: ocp_cert_manager
cmanager_default_certificate: default
# Routes to issue certificates for; the commented entries show the shape.
# Note the publicapps example references ocp4_subdomain, which is not defined
# in this file.
cmanager_cert_routes:
  # - { route_name: 'internal',
  #     hostname: 'internal.{{ cluster_name }}.{{ ocp4_base_domain }}' }
  - { route_name: 'default',
      hostname: 'apps.{{ cluster_name }}.{{ ocp4_base_domain }}' }
  # - { route_name: 'publicapps',
  #     hostname: 'publicapps.{{ cluster_name }}.{{ ocp4_subdomain }}.{{ ocp4_base_domain }}' }
cmanager_label: [OCP_POST-CMANAGER]
# To disable the operator choose absent.
# Disabling the operator does not remove the certificates.
cmanager_state: present
cmanager_chart_version: v1.8.0
ocp4_dnszone: '{{ cluster_name }}.{{ ocp4_base_domain }}'

### Extra DevOps Or RH Tools

# ArgoCD
argocd: True
argoclient: False
argocd_version: v1.8.7

# ServiceMesh
service_mesh: False

# ACS
acs: True
acs_demo: False
130 |
--------------------------------------------------------------------------------
/vault/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/rcarrata/ocp4-auto-install/a69adc48365daef02616fc09cbc63ae4453774c7/vault/.gitkeep
--------------------------------------------------------------------------------