├── .gitignore ├── 200-ushift-create.yaml ├── 210-ushift-destroy.yaml ├── 220-ushift-ostree-update.yaml ├── 230-ushift-app-deployment.yaml ├── 300-update-template-vms.yaml ├── README.md ├── ansible-navigator.yaml ├── ansible.cfg ├── configure-job-templates.yaml ├── configure-oauth-sso.yaml ├── development-example.env ├── development-example.vars ├── dump-inventory.yaml ├── execution-environment-fedora-based.yml ├── execution-environment.yml ├── inventory ├── group_vars │ ├── all.yaml │ ├── cluster_ushift01.yaml │ ├── cluster_ushift02.yaml │ ├── cluster_ushift03.yaml │ ├── cluster_ushift04.yaml │ ├── cluster_ushift05.yaml │ ├── cluster_ushift06.yaml │ ├── cluster_ushift07.yaml │ ├── cluster_ushift08.yaml │ ├── cluster_ushift09.yaml │ ├── cluster_ushift10_eus.yaml │ ├── cluster_ushift11_ga.yaml │ ├── cluster_ushift12_rc.yaml │ ├── cluster_ushift13_ec.yaml │ ├── cluster_ushift14.yaml │ ├── cluster_ushift15_ostree.yaml │ ├── cluster_ushift16_ostree.yaml │ ├── cluster_ushift17_ostree.yaml │ ├── cluster_ushift18_bootc.yaml │ ├── cluster_ushift19_bootc.yaml │ ├── cluster_ushift20.yaml │ ├── cluster_ushift21.yaml │ ├── cluster_ushift22.yaml │ ├── cluster_ushift_imgbld2.yaml │ ├── ove-hackathon-mad.yaml │ └── template_vms.yaml ├── host_vars │ ├── disco.yaml │ ├── isar.yaml │ ├── isar.yaml.backup │ ├── ocp1.yaml │ ├── ocp11.yaml │ ├── ocp12.yaml │ ├── ocp13.yaml │ ├── ocp14.yaml │ ├── ocp2.yaml │ ├── ocp3.yaml │ ├── ocp6.yaml │ ├── ocp7.yaml │ ├── ocp8.yaml │ ├── ocp9.yaml │ ├── ushift-imgbld2.yaml │ ├── ushift01.yaml │ ├── ushift02.yaml │ ├── ushift03.yaml │ ├── ushift04.yaml │ ├── ushift05.yaml │ ├── ushift06.yaml │ ├── ushift07.yaml │ ├── ushift08.yaml │ ├── ushift09.yaml │ ├── ushift10-eus.yaml │ ├── ushift11-ga.yaml │ ├── ushift12-rc.yaml │ ├── ushift13-ec.yaml │ ├── ushift14.yaml │ ├── ushift15-ostree.yaml │ ├── ushift16-ostree.yaml │ ├── ushift17-ostree.yaml │ ├── ushift18-bootc.yaml │ ├── ushift19-bootc.yaml │ ├── ushift20.yaml │ ├── ushift21-qe1.yaml │ └── 
ushift22.yaml └── hosts.yml ├── isar-baselayer-config ├── 010_namespaces.yaml ├── 015-group.yaml ├── 015-service-accounts.yaml ├── 016-automation-role-cr.yaml ├── 020_rolebindings.yaml ├── 050_allowDataVolumeClone.yaml ├── 060_networkattachments.yaml ├── 100-vm-template-rhel92.yaml ├── 110-vm-template-rhel94.yaml ├── 300-external-secrets.yaml └── README.md ├── media-asset └── aap-inventory-source-repo.png ├── request-cert.yaml ├── roles ├── cluster-hcp │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ ├── deploy-cluster.yaml │ │ └── destroy-cluster.yaml ├── cluster │ ├── README.md │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── meta │ │ └── main.yml │ ├── tasks │ │ ├── deploy-cluster.yaml │ │ ├── deploy-vm.yaml │ │ ├── destroy-cluster.yaml │ │ ├── destroy-vm.yaml │ │ ├── download-openshift-artifacts.yml │ │ ├── import-in-acm.yml │ │ ├── post-configuration.yaml │ │ └── remove-from-acm.yml │ ├── templates │ │ ├── agent-config.yaml.j2 │ │ └── install-config.yaml.j2 │ ├── tests │ │ ├── inventory │ │ └── test.yml │ └── vars │ │ └── main.yml ├── feature-coe-sso │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ ├── fetch-cluster-information.yaml │ │ ├── post-deploy-classic.yaml │ │ ├── post-deploy-hosted.yaml │ │ ├── post-deploy.yaml │ │ ├── pre-destroy-classic.yaml │ │ ├── pre-destroy-hosted.yaml │ │ └── pre-destroy.yaml ├── feature-external-secrets │ ├── defaults │ │ └── main.yaml │ ├── files │ │ └── OperatorConfig.yaml │ └── tasks │ │ ├── post-deploy.yaml │ │ └── pre-destroy.yaml ├── feature-kubevirt-csi │ ├── README.md │ ├── controller.yaml │ ├── driver-config.ConfigMap.yaml │ ├── infra-cluster-service-account.yaml │ └── tenent │ │ └── deploy.yaml ├── feature-look-and-feel │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ ├── post-deploy.yaml │ │ └── pre-destroy.yaml ├── feature-lvms │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ ├── add-disk-to-vm.yaml │ │ ├── post-deploy.yaml │ │ └── pre-destroy.yaml ├── feature-manage-with-acm │ ├── README.md │ 
├── defaults │ │ └── main.yml │ └── tasks │ │ ├── post-deploy.yaml │ │ └── pre-destroy.yaml ├── feature-redhat-internal-certificate │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ ├── post-deploy.yaml │ │ └── pre-destroy.yaml ├── feature-rhoai │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ ├── post-deploy.yaml │ │ └── pre-destroy.yaml ├── feature-workload-partitioning │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ ├── post-deploy.yaml │ │ └── pre-destroy.yaml ├── internal-fetch-kubeconfig │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ └── main.yaml ├── req-cert-vault │ ├── defaults │ │ └── main.yaml │ └── tasks │ │ ├── main.yaml │ │ ├── request-cert.yaml │ │ └── sent-email.yaml ├── ushift_ostree_on_kubevirt │ ├── README.md │ ├── defaults │ │ └── main.yml │ ├── handlers │ │ └── main.yml │ ├── meta │ │ └── main.yml │ ├── tasks │ │ ├── 100-create.yml │ │ ├── 110-create-dhcp.yml │ │ ├── 120-create-dns.yml │ │ ├── 130-create-vm.yml │ │ ├── 200-destroy.yml │ │ ├── 210-destroy-vm.yml │ │ ├── 220-destroy-dns.yml │ │ └── 230-destroy-dhcp.yml │ ├── tests │ │ ├── inventory │ │ └── test.yml │ └── vars │ │ └── main.yml └── ushift_rpm_on_kubevirt │ ├── README.md │ ├── defaults │ └── main.yml │ ├── handlers │ └── main.yml │ ├── meta │ └── main.yml │ ├── tasks │ ├── 100-create.yml │ ├── 110-create-dhcp.yml │ ├── 120-create-dns.yml │ ├── 130-create-vm.yml │ ├── 150-ushift-preinstall-rpm.yml │ ├── 160-ushift-install-rpm.yml │ ├── 170-ushift-postinstall-rpm.yml │ ├── 200-destroy.yml │ ├── 210-destroy-vm.yml │ ├── 220-destroy-dns.yml │ └── 230-destroy-dhcp.yml │ ├── templates │ ├── microshift-app-hello.yaml │ ├── microshift-bash-history-suggestions.j2 │ ├── microshift-candidate.repo │ ├── microshift-config.yaml.j2 │ ├── microshift-gitops-demo.yaml │ ├── microshift-lvmd.yaml.j2 │ ├── microshift-olm-demo.yaml │ ├── microshift-registries-proxy.conf │ ├── microshift-sample-app.yaml │ ├── microshift-sample-volumeSnapshot.yaml │ ├── microshift-volumeSnapShotClass.yaml │ └── tmp.yaml 
│ ├── tests │ ├── inventory │ └── test.yml │ └── vars │ └── main.yml ├── scrible ├── daniel_scrible.txt ├── datavolume.yaml ├── download-kubeconfigs-from-vault.yaml ├── inventory.yaml ├── vm-clone-uefi.yaml ├── vm-clone.yaml └── vmc.yaml └── stormshift-cluster-mgmt.yaml /.gitignore: -------------------------------------------------------------------------------- 1 | cfg/secrets.yml 2 | clouds.yml 3 | assisted-installer/vault-password-file 4 | development-example.env-private 5 | development-example.vars-private 6 | .vault_pass 7 | ansible-navigator.log 8 | scrible/kubeadmin-* 9 | scrible/kubeconfig-* 10 | .dockerconfigjson -------------------------------------------------------------------------------- /200-ushift-create.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook deploys an ushift rpm VM on OCPVirt 3 | # It uses a well prepared template VM as base. 4 | # See the inventory/group_vars/cluster_ushiftXXX.yaml for the config 5 | # Example to run manually: 6 | # ansible-playbook -e ushift_env=ushift10 200-ushift-rpm-create.yaml 7 | - hosts: "cluster_{{ ushift_env }}" 8 | gather_facts: false 9 | tasks: 10 | - name: Debug information 11 | ansible.builtin.debug: 12 | msg: 13 | - "Run aggainst {{inventory_hostname}}, vars:" 14 | - " - ushift_virt_namespace: {{ ushift_virt_namespace}}" 15 | - " - network_ip_address: {{ network_ip_address}}" 16 | - " - inventory_hostname: {{inventory_hostname}}" 17 | - " - ushift_additional_features: {{ ushift_additional_features }}" 18 | verbosity: 1 19 | 20 | - name: Create MicroShift RPM 21 | when: ushift_install_type == "rpm" 22 | import_role: 23 | name: ushift_rpm_on_kubevirt 24 | tasks_from: 100-create.yml 25 | 26 | - name: Create MicroShift ostree 27 | when: ushift_install_type == "ostree" 28 | import_role: 29 | name: ushift_ostree_on_kubevirt 30 | tasks_from: 100-create.yml 31 | 32 | - name: Add to ACM Hub cluster 33 | when: "'manage_with_acm' in 
ushift_additional_features" 34 | tags: acm,post 35 | import_role: 36 | name: feature-manage-with-acm 37 | tasks_from: post-deploy.yaml 38 | vars: 39 | acm_hub_clustername: "stormshift-{{inventory_hostname}}" 40 | acm_hub_clusterset: "stormshift" 41 | acm_spoke_kubeconfig: "{{ ushift_kubeconfig }}" 42 | acm_spoke_api_endpoint: "https://{{ inventory_hostname }}.{{ sysctx_dns_domain}}:6443" 43 | -------------------------------------------------------------------------------- /210-ushift-destroy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook destroys an ushift rpm VM on OCPVirt 3 | # Example to run manually: 4 | # ansible-playbook -e ushift_env=ushift10 210-ushift-rpm-destroy.yaml 5 | 6 | - hosts: "cluster_{{ ushift_env }}" 7 | gather_facts: false 8 | tasks: 9 | - name: Remove from ACM Hub cluster 10 | when: "'manage_with_acm' in ushift_additional_features" 11 | tags: acm 12 | import_role: 13 | name: feature-manage-with-acm 14 | tasks_from: pre-destroy.yaml 15 | vars: 16 | acm_hub_clustername: "stormshift-{{inventory_hostname}}" 17 | acm_hub_clusterset: "stormshift" 18 | acm_spoke_kubeconfig: "{{ ushift_kubeconfig }}" 19 | acm_spoke_api_endpoint: "https://{{ inventory_hostname }}.{{ sysctx_dns_domain}}:6443" 20 | 21 | - name: Unregister subscription 22 | ignore_errors: true 23 | ignore_unreachable: true 24 | tags: sub,slow 25 | when: rhsm_user is defined and ushift_install_type == "rpm" 26 | community.general.redhat_subscription: 27 | state: absent 28 | username: "{{ rhsm_user }}" 29 | password: "{{ rhsm_pswd }}" 30 | 31 | - name: Destroy MicroShift RPM 32 | tags: dhcp,dns,vm 33 | when: ushift_install_type == "rpm" 34 | import_role: 35 | name: ushift_rpm_on_kubevirt 36 | tasks_from: 200-destroy.yml 37 | 38 | - name: Destroy MicroShift ostree 39 | tags: dhcp,dns,vm 40 | when: ushift_install_type == "ostree" 41 | import_role: 42 | name: ushift_ostree_on_kubevirt 43 | tasks_from: 200-destroy.yml 44 | 
-------------------------------------------------------------------------------- /220-ushift-ostree-update.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook upgrade ostree VMs 3 | # 4 | - hosts: "cluster_{{ ushift_env }}" 5 | gather_facts: false 6 | tasks: 7 | - name: Update MicroShift ostree 8 | when: ushift_install_type == "ostree" 9 | ansible.posix.rpm_ostree_upgrade: 10 | -------------------------------------------------------------------------------- /230-ushift-app-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook deployes applications to ushift 3 | # 4 | - hosts: "cluster_{{ ushift_env }}" 5 | gather_facts: false 6 | tasks: 7 | - name: Firewall open API port for external access 8 | tags: prep, firewall 9 | firewalld: 10 | immediate: yes 11 | permanent: yes 12 | port: 6443/tcp 13 | state: enabled 14 | 15 | - name: Copy kubeconfig to root user on VM 16 | tags: post, kubecfg 17 | copy: 18 | src: /var/lib/microshift/resources/kubeadmin/{{inventory_hostname}}.{{ sysctx_dns_domain }}/kubeconfig 19 | remote_src: true 20 | dest: /root/.kube/config 21 | mode: 600 22 | 23 | - name: Slurp kubeconfig 24 | tags: post, kubecfg, acm 25 | ansible.builtin.slurp: 26 | src: "/root/.kube/config" 27 | register: slurp_kubeconfig 28 | 29 | - name: Set kubeconfig 30 | tags: post, kubecfg, acm 31 | set_fact: 32 | ushift_kubeconfig: "{{ slurp_kubeconfig['content'] | b64decode }}" 33 | 34 | - name: Create temporary local kubeconfig file 35 | tags: post, kubecfg 36 | changed_when: false 37 | local_action: 38 | module: ansible.builtin.tempfile 39 | state: file 40 | suffix: temp 41 | register: temp_kubeconfig 42 | 43 | - name: Fetch kubeconfig from remote 44 | tags: post, kubecfg 45 | changed_when: false 46 | fetch: 47 | src: /root/.kube/config 48 | dest: "{{temp_kubeconfig.path}}" 49 | flat: true 50 | 51 | - name: Deploy sample workload 52 | 
local_action: 53 | module: kubernetes.core.k8s 54 | kubeconfig: "{{temp_kubeconfig.path}}" 55 | validate_certs: false 56 | state: present 57 | apply: true 58 | wait: false 59 | definition: "{{ lookup('template', 'roles/ushift_rpm_on_kubevirt/templates/microshift-app-hello.yaml') }}" 60 | 61 | - name: Remove temporary local kubeconfig file 62 | when: temp_kubeconfig.path is defined 63 | changed_when: false 64 | local_action: 65 | module: ansible.builtin.file 66 | path: "{{ temp_kubeconfig.path }}" 67 | state: absent 68 | -------------------------------------------------------------------------------- /300-update-template-vms.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # This playbook updates a template vm 3 | # Example to run manually: 4 | # ansible-playbook -e@../stormshift-dev.vars 300-update-templates.yaml 5 | - hosts: "template_vms" 6 | gather_facts: false 7 | tasks: 8 | - name: Start VM 9 | changed_when: false # starting the VM does not really change its state on disk, at least not in the update OS context 10 | local_action: 11 | module: kubevirt.core.kubevirt_vm 12 | api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}" 13 | host: "{{ hostvars['isar']['k8s_auth_host'] }}" 14 | validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}" 15 | state: present 16 | running: true 17 | wait: true 18 | name: "{{ vm_cr_name }}" 19 | namespace: "{{ stormshift_template_vms_namespace }}" 20 | 21 | - name: Wait for VM to be online 22 | local_action: 23 | module: ansible.builtin.wait_for 24 | host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 25 | port: 22 26 | state: started 27 | 28 | - name: Register and Subscribe 29 | tags: prep,sub,slow 30 | # redhat_subscription sometimes fails with "already registered, despite force" 31 | # Hence we brute force it here: 32 | command: subscription-manager register --username {{ rhsm_user }} --password {{ rhsm_pswd }} --force --auto-attach --release {{ rhel_version}} 33 | 
34 | - name: Enable EUS Repos 35 | tags: upd, slow 36 | rhsm_repository: 37 | state: enabled 38 | name: 39 | - rhel-9-for-x86_64-appstream-eus-rpms 40 | - rhel-9-for-x86_64-baseos-eus-rpms 41 | 42 | 43 | - name: Update baseos 44 | tags: upd, slow 45 | yum: 46 | name: '*' 47 | state: latest 48 | register: osupdate 49 | 50 | - name: Stop VM 51 | changed_when: false 52 | local_action: 53 | module: kubevirt.core.kubevirt_vm 54 | api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}" 55 | host: "{{ hostvars['isar']['k8s_auth_host'] }}" 56 | validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}" 57 | state: present 58 | running: false 59 | wait: true 60 | name: "{{ vm_cr_name }}" 61 | namespace: "{{ stormshift_template_vms_namespace }}" 62 | -------------------------------------------------------------------------------- /ansible-navigator.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible-navigator: 3 | execution-environment: 4 | environment-variables: 5 | pass: 6 | - K8S_AUTH_KUBECONFIG 7 | - IPA_HOST 8 | - IPA_PASS 9 | - IPA_USER 10 | - SSH_PRIVATE_KEY 11 | - SSH_PUBLIC_KEY 12 | - TOWER_USERNAME 13 | - TOWER_HOST 14 | - TOWER_PASSWORD 15 | - TOWER_VERIFY_SSL 16 | - KUBECONFIG 17 | - RHCA_USER 18 | - RHCA_PASS 19 | - RH_VAULT_CA_CERT_FILENAME 20 | - RH_VAULT_URL 21 | - RH_VAULT_ROLE_ID 22 | - RH_VAULT_SECRET_ID 23 | - CONTROLLER_HOST 24 | - CONTROLLER_PASSWORD 25 | - CONTROLLER_USERNAME 26 | - CONTROLLER_VERIFY_SSL 27 | image: quay.coe.muc.redhat.com/stormshift/automation-execution-environment:202502261102 28 | pull: 29 | arguments: 30 | - "--tls-verify=false" 31 | logging: 32 | level: debug 33 | mode: stdout 34 | playbook-artifact: 35 | enable: true 36 | save-as: /tmp/stormshift-automation-{playbook_name}-artifact-{time_stamp}.json 37 | -------------------------------------------------------------------------------- /ansible.cfg: 
-------------------------------------------------------------------------------- 1 | # config file for ansible -- http://ansible.com/ 2 | # ============================================== 3 | 4 | # This config file provides examples for running 5 | # the OpenShift playbooks with the provided 6 | # inventory scripts. 7 | 8 | [defaults] 9 | # Important to k8s templating and integer fields 10 | jinja2_native = true 11 | 12 | # Set the log_path 13 | log_path = ~/ansible.log 14 | 15 | inventory = inventory/ 16 | # Output with time statistics 17 | callbacks_enabled = profile_tasks 18 | 19 | # Additional default options for OpenShift Ansible 20 | forks = 20 21 | host_key_checking = False 22 | retry_files_enabled = False 23 | retry_files_save_path = ~/ansible-installer-retries 24 | nocows = True 25 | remote_user = root 26 | roles_path = ~/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles:ansible/roles/:ansible/add-on-roles/ 27 | 28 | gathering = smart 29 | # fact_caching = jsonfile 30 | # fact_caching_connection = $HOME/ansible/facts 31 | # fact_caching_timeout = 600 32 | inventory_ignore_extensions = secrets.py, .pyc, .cfg, .crt, .ini 33 | # work around privilege escalation timeouts in ansible: 34 | timeout = 30 35 | 36 | # Additional ssh options for OpenShift Ansible 37 | [ssh_connection] 38 | pipelining = True 39 | ssh_args = -o ControlMaster=auto -o ControlPersist=600s 40 | timeout = 10 41 | # shorten the ControlPath which is often too long; when it is, 42 | # ssh connection reuse silently fails, making everything slower. 
43 | control_path = %(directory)s/%%h-%%r 44 | -------------------------------------------------------------------------------- /development-example.env: -------------------------------------------------------------------------------- 1 | export IPA_HOST= 2 | export IPA_PASS= 3 | export IPA_USER= 4 | export SSH_PUBLIC_KEY= 5 | export K8S_AUTH_API_KEY="" 6 | export K8S_AUTH_HOST="https://api.isar.coe.muc.redhat.com:6443"; 7 | #export K8S_AUTH_SSL_CA_CERT="/var/home/rbohne/Downloads/kube-apiserver-lb-signer"; 8 | export K8S_AUTH_VERIFY_SSL="False"; 9 | export RHCA_USER="" 10 | export RHCA_PASS="" 11 | export RH_VAULT_CA_CERT_FILENAME 12 | export RH_VAULT_URL 13 | export RH_VAULT_ROLE_ID 14 | export RH_VAULT_SECRET_ID 15 | export CONTROLLER_HOST 16 | export CONTROLLER_PASSWORD 17 | export CONTROLLER_USERNAME 18 | export CONTROLLER_VERIFY_SSL -------------------------------------------------------------------------------- /development-example.vars: -------------------------------------------------------------------------------- 1 | cluster_name: ocp11 2 | image_pull_secret: >- 3 | {"auths":{"clou... 
4 | tower_user_email: dummy@local.dev 5 | tower_user_name: Dummy 6 | -------------------------------------------------------------------------------- /dump-inventory.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: dump-inventory 3 | hosts: all 4 | connection: local 5 | gather_facts: false 6 | tasks: 7 | - name: Collect vars 8 | ansible.builtin.set_fact: 9 | value_of_vars_to_dump: "{{ value_of_vars_to_dump|default({}) | combine( {item: lookup('vars', item, default='')} ) }}" 10 | with_items: 11 | - inventory_hostname 12 | - inventory_hostname_short 13 | - stormshift_cluster_name 14 | - stormshift_global_variable_example 15 | - network_ip_address 16 | ignore_errors: true 17 | 18 | - name: Dump vars 19 | ansible.builtin.debug: 20 | var: value_of_vars_to_dump 21 | 22 | # # - name: Dump ansible vars 23 | # # debug: var=vars 24 | # # - name: Dump env variables 25 | # # debug: var=ansible_env 26 | -------------------------------------------------------------------------------- /execution-environment-fedora-based.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: 3 3 | 4 | images: 5 | base_image: 6 | name: quay.io/fedora/fedora:latest 7 | 8 | additional_build_steps: 9 | append_final: 10 | - RUN curl https://certs.corp.redhat.com/certs/Current-IT-Root-CAs.pem 11 | -o /etc/pki/ca-trust/source/anchors/RedHat_Current-IT-Root-CAs.pem && 12 | update-ca-trust 13 | 14 | dependencies: 15 | ansible_core: 16 | package_pip: ansible-core 17 | ansible_runner: 18 | package_pip: ansible-runner 19 | system: 20 | - openssh-clients 21 | - sshpass 22 | - git 23 | python: 24 | # Import for community.general.json_query 25 | - jmespath 26 | galaxy: 27 | collections: 28 | - name: community.general 29 | - name: community.kubernetes 30 | - name: kubernetes.core 31 | - name: ansible.posix 32 | - name: community.crypto 33 | - name: kubevirt.core 34 | 35 | - name: community.libvirt 36 | 
src: git+https://github.com/ansible-collections/community.libvirt 37 | 38 | - name: community.vmware 39 | - name: awx.awx 40 | - name: netapp.ontap -------------------------------------------------------------------------------- /execution-environment.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: 3 3 | 4 | options: 5 | package_manager_path: /usr/bin/microdnf 6 | 7 | images: 8 | base_image: 9 | name: 'registry.redhat.io/ansible-automation-platform-24/ee-supported-rhel9:1.0' 10 | 11 | additional_build_steps: 12 | prepend_builder: 13 | - ENV PKGMGR_OPTS="--nodocs --setopt=install_weak_deps=0 --setopt=rhocp-4.17-for-rhel-9-x86_64-rpms.enabled=true" 14 | prepend_final: 15 | - ENV PKGMGR_OPTS="--nodocs --setopt=install_weak_deps=0 --setopt=rhocp-4.17-for-rhel-9-x86_64-rpms.enabled=true" 16 | append_final: 17 | - RUN curl https://certs.corp.redhat.com/certs/Current-IT-Root-CAs.pem 18 | -o /etc/pki/ca-trust/source/anchors/RedHat_Current-IT-Root-CAs.pem && 19 | update-ca-trust 20 | 21 | dependencies: 22 | system: 23 | - nmstate 24 | galaxy: 25 | collections: 26 | # ToDo: add version numbers! 27 | - name: community.general 28 | - name: community.kubernetes 29 | - name: redhat.openshift 30 | - name: kubernetes.core 31 | - name: ansible.posix 32 | - name: community.crypto 33 | - name: kubevirt.core 34 | 35 | - name: community.libvirt 36 | src: git+https://github.com/ansible-collections/community.libvirt 37 | - name: community.vmware 38 | - name: awx.awx 39 | - name: community.hashi_vault 40 | - name: netapp.ontap -------------------------------------------------------------------------------- /inventory/group_vars/all.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Variables shared by all ennvironment: 3 | # --------------------------- 4 | 5 | 6 | # Systemcontext stuff, i.e. 
external components / facts: 7 | sysctx_dns_domain: "stormshift.coe.muc.redhat.com" 8 | sysctx_dns_domain_reverse: "32.10.in-addr.arpa" 9 | 10 | sysctx_network_dhcp: "inf1.coe.muc.redhat.com" 11 | sysctx_network_dns: "inf1.coe.muc.redhat.com" 12 | sysctx_network_gateway: "10.32.111.254" 13 | sysctx_network: "10.32.96.0" 14 | sysctx_network_cidr: "20" 15 | 16 | # Base layer cluster: 17 | # Access token via credentials / env variable set: 18 | K8S_AUTH_HOST: "https://api.isar.coe.muc.redhat.com:6443" 19 | K8S_AUTH_VERIFY_SSL: false 20 | # DNS server host endpoint (IPA) 21 | # (username+pswd via credentials) 22 | IPA_HOST: "{{sysctx_network_dns}}" 23 | 24 | 25 | # --------------------------- 26 | # Template VMs related common vars: 27 | stormshift_template_vms_namespace: stormshift-vm-templates 28 | 29 | 30 | # --------------------------- 31 | # Microshift related common vars: 32 | ushift_virt_namespace: stormshift-microshift 33 | ushift_repo_ec: "https://mirror.openshift.com/pub/openshift-v4/x86_64/microshift/ocp-dev-preview" 34 | ushift_repo_rc: "https://mirror.openshift.com/pub/openshift-v4/x86_64/microshift/ocp" 35 | ushift_vm_storageclass: "coe-netapp-san" 36 | # possible additional features: cockpit, manage_with_acm 37 | ushift_additional_features: {} 38 | ushift_use_local_quay_proxy: false 39 | 40 | # echo -n SECRET | ansible-vault encrypt_string --vault-password-file .vault_pass 41 | sso_admin_pw: !vault | 42 | $ANSIBLE_VAULT;1.1;AES256 43 | 31316136623133643537363631303331396332663964616439363236393835653637633166393931 44 | 3336333761326165396436366638653633323832346464310a366436303762366432383165326239 45 | 61613464386132393937353435326462643633623361353362396239363033323136643363333537 46 | 3363613032633664370a326635383463623931353133653665653039643762613434643465633466 47 | 3232 48 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift01.yaml: 
-------------------------------------------------------------------------------- 1 | stormshift_owner_email: "" 2 | stormshift_owner_purpose: "" 3 | ushift_version: 4.18 4 | ushift_preview_version: latest-4.19 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.19-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: false 11 | vm_cores: 2 12 | vm_memory: "4Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.1 15 | network_mac_address: 0E:C0:EF:20:63:01 16 | ushift_repo_list: 17 | - rhocp-4.18-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | # install_type - one of: rpm, ostree, imageMode 20 | ushift_install_type: rpm 21 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift02.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "" 2 | stormshift_owner_purpose: "" 3 | ushift_version: 4.18 4 | ushift_preview_version: latest-4.19 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.19-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: false 11 | vm_cores: 2 12 | vm_memory: "4Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.2 15 | network_mac_address: 0E:C0:EF:20:63:02 16 | ushift_repo_list: 17 | - rhocp-4.18-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | # install_type - one of: rpm, ostree, imageMode 20 | ushift_install_type: rpm 21 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift03.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "" 2 | stormshift_owner_purpose: "" 3 | ushift_version: 4.17 4 | 
ushift_preview_version: latest-4.18 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.18-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: false 11 | vm_cores: 2 12 | vm_memory: "2Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.3 15 | network_mac_address: 0E:C0:EF:20:63:03 16 | ushift_repo_list: 17 | - rhocp-4.17-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | # install_type - one of: rpm, ostree, imageMode 20 | ushift_install_type: rpm 21 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift04.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "" 2 | stormshift_owner_purpose: "" 3 | ushift_version: 4.17 4 | ushift_preview_version: latest-4.18 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.18-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: false 11 | vm_cores: 2 12 | vm_memory: "2Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.4 15 | network_mac_address: 0E:C0:EF:20:63:04 16 | ushift_repo_list: 17 | - rhocp-4.17-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | # install_type - one of: rpm, ostree, imageMode 20 | ushift_install_type: rpm 21 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift05.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "arolivei@redhat.com" 2 | stormshift_owner_purpose: "TAM playground" 3 | ushift_version: 4.18 4 | ushift_preview_version: latest-4.19 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.19-el9-beta 7 | # 
repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: false 11 | vm_cores: 4 12 | vm_memory: "8Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.5 15 | network_mac_address: 0E:C0:EF:20:63:05 16 | ushift_repo_list: 17 | - rhocp-4.18-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift06.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "arolivei@redhat.com" 2 | stormshift_owner_purpose: "TAM playground" 3 | ushift_version: 4.18 4 | ushift_preview_version: latest-4.19 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.19-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: false 11 | vm_cores: 4 12 | vm_memory: "8Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.6 15 | network_mac_address: 0E:C0:EF:20:63:06 16 | ushift_repo_list: 17 | - rhocp-4.18-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift07.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "Playground" 3 | ushift_version: 4.18 4 | ushift_preview_version: latest-4.18 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.19-el9-beta 7 | # repo, one of: 
EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: true 11 | ushift_use_local_quay_proxy: false 12 | vm_cores: 4 13 | vm_memory: "8Gi" 14 | vm_template: "rhel94" 15 | network_ip_address: 10.32.99.7 16 | network_mac_address: 0E:C0:EF:20:63:07 17 | ushift_repo_list: 18 | - rhel-9-for-x86_64-appstream-eus-rpms 19 | - rhel-9-for-x86_64-baseos-eus-rpms 20 | - rhocp-4.18-for-rhel-9-x86_64-rpms 21 | - fast-datapath-for-rhel-9-x86_64-rpms 22 | - gitops-1.12-for-rhel-9-x86_64-rpms 23 | # install_type - one of: rpm, ostree, imageMode 24 | ushift_install_type: rpm 25 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift08.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "Playground" 3 | ushift_version: 4.17 4 | ushift_preview_version: latest-4.17 5 | ushift_preview_version_dep_ec: 4.18-el9-beta 6 | ushift_preview_version_dep_rc: 4.18-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: false 10 | ushift_deploy_sample_workload: true 11 | ushift_use_local_quay_proxy: false 12 | vm_cores: 4 13 | vm_memory: "8Gi" 14 | vm_template: "rhel94" 15 | network_ip_address: 10.32.99.8 16 | network_mac_address: 0E:C0:EF:20:63:08 17 | ushift_repo_list: 18 | - rhocp-4.17-for-rhel-9-x86_64-rpms 19 | - fast-datapath-for-rhel-9-x86_64-rpms 20 | # - gitops-1.12-for-rhel-9-x86_64-rpms 21 | # install_type - one of: rpm, ostree, imageMode 22 | ushift_install_type: rpm 23 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift09.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "Playground" 3 | ushift_version: 4.16 4 | 
ushift_preview_version: latest-4.16 5 | ushift_preview_version_dep_ec: 4.16-el9-beta 6 | ushift_preview_version_dep_rc: 4.16-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: false 10 | ushift_deploy_sample_workload: false 11 | ushift_use_local_quay_proxy: false 12 | vm_cores: 4 13 | vm_memory: "8Gi" 14 | vm_template: "rhel94" 15 | network_ip_address: 10.32.99.9 16 | network_mac_address: 0E:C0:EF:20:63:09 17 | ushift_repo_list: 18 | # - rhocp-4.15-for-rhel-9-x86_64-rpms 19 | - fast-datapath-for-rhel-9-x86_64-rpms 20 | # - gitops-1.12-for-rhel-9-x86_64-rpms 21 | # install_type - one of: rpm, ostree, imageMode 22 | ushift_install_type: rpm 23 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift10_eus.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "Current EUS version" 3 | ushift_version: 4.14 4 | ushift_preview_version: latest-4.15 5 | ushift_preview_version_dep_ec: 4.14-el9-beta 6 | ushift_preview_version_dep_rc: 4.15-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: true 11 | vm_cores: 3 12 | vm_memory: "8Gi" 13 | vm_template: "rhel92" 14 | network_ip_address: 10.32.99.10 15 | network_mac_address: 0E:C0:EF:20:63:0A 16 | ushift_repo_list: 17 | - rhocp-4.14-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | ushift_additional_features: 23 | - manage_with_acm 24 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift11_ga.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: 
"dfroehli@redhat.com" 2 | stormshift_owner_purpose: "Current GA Version" 3 | ushift_version: 4.16 4 | ushift_preview_version: latest-4.17 5 | ushift_preview_version_dep_ec: 4.17-el9-beta 6 | ushift_preview_version_dep_rc: 4.17-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: true 11 | vm_cores: 2 12 | vm_memory: "2Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.11 15 | network_mac_address: 0E:C0:EF:20:63:0B 16 | ushift_repo_list: 17 | - rhocp-4.16-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift12_rc.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "Latest RC Build" 3 | ushift_version: 4.19 4 | ushift_preview_version: latest-4.19 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.19-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: RC 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: true 11 | vm_cores: 2 12 | vm_memory: "2Gi" 13 | vm_template: "rhel96" 14 | network_ip_address: 10.32.99.12 15 | network_mac_address: 0E:C0:EF:20:63:0C 16 | ushift_repo_list: 17 | # - rhocp-4.16-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift13_ec.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: 
"dfroehli@redhat.com" 2 | stormshift_owner_purpose: "Latest EC Build" 3 | ushift_version: 4.19 4 | ushift_preview_version: latest-4.19 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.19-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: EC 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: true 11 | vm_cores: 2 12 | vm_memory: "4Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.13 15 | network_mac_address: 0E:C0:EF:20:63:0D 16 | ushift_repo_list: 17 | # - rhocp-4.16-for-rhel-9-x86_64-rpms 18 | # - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift14.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "playground" 3 | ushift_version: 4.14 4 | ushift_preview_version: latest-4.15 5 | ushift_preview_version_dep_ec: 4.14-el9-beta 6 | ushift_preview_version_dep_rc: 4.15-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: true 11 | vm_cores: 3 12 | vm_memory: "8Gi" 13 | vm_template: "rhel92" 14 | network_ip_address: 10.32.99.14 15 | network_mac_address: 0E:C0:EF:20:63:0E 16 | ushift_repo_list: 17 | - rhocp-4.14-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | #ushift_additional_features: 23 | # - manage_with_acm 24 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift15_ostree.yaml: 
-------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "ostree" 3 | vm_cores: 2 4 | vm_memory: "8Gi" 5 | # install_type - one of: rpm, ostree, imageMode 6 | ushift_install_type: ostree 7 | # Old: RHEL92 / USHIFT V4.14 8 | #ushift_uefi_boot_file: "http://ushift-imgbld.stormshift.coe.muc.redhat.com/edge-network-install/EFI/BOOT/BOOTX64.EFI" 9 | ushift_uefi_boot_file: "http://ushift-imgbld.stormshift.coe.muc.redhat.com/ushift-bootc-install-iso/EFI/BOOT/BOOTX64.EFI" 10 | 11 | 12 | network_ip_address: 10.32.99.15 13 | network_mac_address: 0E:C0:EF:20:63:0F 14 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift16_ostree.yaml: -------------------------------------------------------------------------------- 1 | #temp: 2 | ushift_virt_namespace: "rbohne-debug" 3 | 4 | stormshift_owner_email: "rbohne@redhat.com" 5 | stormshift_owner_purpose: "Network boot reproducer" 6 | vm_cores: 2 7 | vm_memory: "8Gi" 8 | # install_type - one of: rpm, ostree, imageMode 9 | ushift_install_type: ostree 10 | ushift_uefi_boot_file: "http://ushift-imgbld.stormshift.coe.muc.redhat.com/edge-network-install/EFI/BOOT/BOOTX64.EFI" 11 | 12 | network_ip_address: 10.32.99.16 13 | network_mac_address: 0E:C0:EF:20:63:10 14 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift17_ostree.yaml: -------------------------------------------------------------------------------- 1 | #temp: 2 | ushift_virt_namespace: "rbohne-debug" 3 | 4 | stormshift_owner_email: "rbohne@redhat.com" 5 | stormshift_owner_purpose: "Network boot reproducer" 6 | vm_cores: 2 7 | vm_memory: "8Gi" 8 | # install_type - one of: rpm, ostree, imageMode 9 | ushift_install_type: ostree 10 | ushift_uefi_boot_file: "http://ushift-imgbld.stormshift.coe.muc.redhat.com/edge-network-install/EFI/BOOT/BOOTX64.EFI" 
11 | 12 | network_ip_address: 10.32.99.17 13 | network_mac_address: 0E:C0:EF:20:63:11 14 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift18_bootc.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "bootc" 3 | vm_cores: 2 4 | vm_memory: "8Gi" 5 | 6 | # install_type - one of: rpm, ostree, imageMode 7 | ushift_install_type: ostree # NOTE(review): purpose says "bootc" and imageMode exists as an option; presumably deliberate (bootc install ISO served via the ostree network-boot path) - confirm 8 | ushift_uefi_boot_file: "http://ushift-imgbld.stormshift.coe.muc.redhat.com/ushift-bootc-install-iso/EFI/BOOT/BOOTX64.EFI" # NOTE(review): plain-HTTP UEFI boot has no transport integrity, anyone on the path can substitute BOOTX64.EFI; acceptable only if the VM firmware enforces Secure Boot signature checks on the fetched binary, otherwise serve it over https:// (UEFI HTTPS boot) 9 | 10 | network_ip_address: 10.32.99.18 11 | network_mac_address: 0E:C0:EF:20:63:11 # FIXME(review): duplicate of cluster_ushift17_ostree's MAC (0E:C0:EF:20:63:11); two VMs with the same MAC on the bridge will collide on ARP/DHCP - assign a unique address (0E:C0:EF:20:63:13 is unused by the visible cluster_ushift* files) 12 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift19_bootc.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "bootc" 3 | vm_cores: 2 4 | vm_memory: "8Gi" 5 | 6 | # install_type - one of: rpm, ostree, imageMode 7 | ushift_install_type: ostree 8 | ushift_uefi_boot_file: "http://ushift-imgbld.stormshift.coe.muc.redhat.com/ushift-bootc-install-iso/EFI/BOOT/BOOTX64.EFI" # NOTE(review): same plain-HTTP boot concern as cluster_ushift18_bootc - no integrity protection on the fetched EFI binary 9 | 10 | network_ip_address: 10.32.99.19 11 | network_mac_address: 0E:C0:EF:20:63:12 12 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift20.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "bweidenb@redhat.com" 2 | stormshift_owner_purpose: "ACM Demo Environment" 3 | ushift_version: 4.16 4 | ushift_preview_version: latest-4.17 5 | ushift_preview_version_dep_ec: 4.17-el9-beta 6 | ushift_preview_version_dep_rc: 4.17-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: true 11 | vm_cores: 
3 12 | vm_memory: "16Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.20 15 | network_mac_address: 0E:C0:EF:20:63:14 16 | ushift_repo_list: 17 | - rhocp-4.16-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift21.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "jgeorg@redhat.com" 2 | stormshift_owner_purpose: "MicroShift QE LongTerm Testing" 3 | ushift_version: 4.15 4 | ushift_preview_version: latest-4.16 5 | ushift_preview_version_dep_ec: 4.15-el9-beta 6 | ushift_preview_version_dep_rc: 4.16-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: true 11 | vm_cores: 2 12 | vm_memory: "2Gi" 13 | vm_template: "rhel92" 14 | network_ip_address: 10.32.99.21 15 | network_mac_address: 0E:C0:EF:20:63:15 16 | ushift_repo_list: 17 | - rhocp-4.15-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift22.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "jmoelle@redhat.com" 2 | stormshift_owner_purpose: "MicroShift/LVM Engineering" 3 | ushift_version: 4.16 4 | ushift_preview_version: latest-4.16 5 | ushift_preview_version_dep_ec: 4.16-el9-beta 6 | ushift_preview_version_dep_rc: 4.16-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: RC 9 | ushift_actually_install: true 10 | ushift_deploy_sample_workload: false 11 | vm_cores: 4 
12 | vm_memory: "6Gi" 13 | vm_template: "rhel94" 14 | network_ip_address: 10.32.99.22 15 | network_mac_address: 0E:C0:EF:20:63:16 16 | ushift_repo_list: 17 | # - rhocp-4.15-for-rhel-9-x86_64-rpms 18 | - fast-datapath-for-rhel-9-x86_64-rpms 19 | # - gitops-1.12-for-rhel-9-x86_64-rpms 20 | # install_type - one of: rpm, ostree, imageMode 21 | ushift_install_type: rpm 22 | -------------------------------------------------------------------------------- /inventory/group_vars/cluster_ushift_imgbld2.yaml: -------------------------------------------------------------------------------- 1 | stormshift_owner_email: "dfroehli@redhat.com" 2 | stormshift_owner_purpose: "Used for bootc image building" 3 | ushift_version: 4.18 4 | ushift_preview_version: latest-4.18 5 | ushift_preview_version_dep_ec: 4.19-el9-beta 6 | ushift_preview_version_dep_rc: 4.18-el9-beta 7 | # repo, one of: EC/RC/standard 8 | ushift_repo: standard 9 | ushift_actually_install: false 10 | ushift_deploy_sample_workload: false 11 | ushift_use_local_quay_proxy: false 12 | vm_cores: 4 13 | vm_memory: "8Gi" 14 | vm_template: "rhel94" 15 | network_ip_address: 10.32.105.41 16 | network_mac_address: 0E:C0:EF:20:69:29 17 | ushift_repo_list: 18 | - rhel-9-for-x86_64-appstream-eus-rpms 19 | - rhel-9-for-x86_64-baseos-eus-rpms 20 | 21 | # - gitops-1.12-for-rhel-9-x86_64-rpms 22 | # install_type - one of: rpm, ostree, imageMode 23 | ushift_install_type: rpm 24 | -------------------------------------------------------------------------------- /inventory/group_vars/ove-hackathon-mad.yaml: -------------------------------------------------------------------------------- 1 | # START - CUSTOM NOT IN MASTER AVAILABLE 2 | custom_scm_branch: ove-hackathon-mad 3 | vm_net_attach_def: coe-bridge 4 | custom_job_name: "🇪🇸 " 5 | cluster_custom_namespace: ove-hackathon-mad-metro-dr 6 | # END - CUSTOM NOT IN MASTER AVAILABLE 7 | 8 | stormshift_owner_email: "rbohne@redhat.com" 9 | stormshift_owner_purpose: "OVE Hackathon Mad." 
10 | stormshift_owner_usage: "dedicated" 11 | 12 | local_cluster_admins: 13 | - rbohne@redhat.com-admin 14 | - ddomingu@redhat.com-admin 15 | 16 | # Same color as for the labels: https://github.com/stormshift/support/labels 17 | cluster_color: "#a60505" 18 | cluster_color_fg: "#fefefe" 19 | openshift_version: 4.18.5 20 | 21 | stormshift_cluster_features: 22 | - redhat-internal-certificate 23 | - coe-sso 24 | - look-and-feel 25 | 26 | cluster_type: classic 27 | 28 | control_plan_cores: 24 29 | control_plan_ram_gb: 48 30 | 31 | cluster_base_domain: coe.muc.redhat.com 32 | 33 | -------------------------------------------------------------------------------- /inventory/group_vars/template_vms.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/stormshift/automation/d262ecd5d68dae724f31c5dbfa7cb02fb202e5b1/inventory/group_vars/template_vms.yaml -------------------------------------------------------------------------------- /inventory/host_vars/disco.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # START - CUSTOM NOT IN MASTER AVAILABLE 3 | custom_scm_branch: disco 4 | custom_job_name: "🪩 Disco(nnected) Cluster" 5 | vm_net_attach_def: coe-bridge-69 6 | cluster_custom_namespace: demo-cluster-disco 7 | # END - CUSTOM NOT IN MASTER AVAILABLE 8 | 9 | cluster_base_domain: coe.muc.redhat.com 10 | network: 192.168.69.0 11 | network_ip_address_prefix_length: 24 12 | network_dns_servers: 13 | - 192.168.69.6 14 | network_default_gw: 192.168.69.245 # FIXME(review): this address is also assigned to the second worker VM in this file; the node will fight the gateway for the IP - move one of them 15 | 16 | cluster_additionalTrustBundle: /etc/pki/ca-trust/source/anchors/RedHat_Current-IT-Root-CAs.pem 17 | cluster_imagesource: 18 | ImageDigestSources: # NOTE(review): ocp11.yaml spells this key imageDigestSources (lower-case i), which is the install-config.yaml form; if the role passes this dict through unchanged the capitalised key is not recognised and the mirrors are silently ignored - verify against roles/cluster/templates/install-config.yaml.j2 19 | - mirrors: 20 | - mirror-registry.disco.coe.muc.redhat.com:5000/disco/openshift/release 21 | source: quay.io/openshift-release-dev/ocp-v4.0-art-dev 22 | - mirrors: 23 | - mirror-registry.disco.coe.muc.redhat.com:5000/disco/openshift/release-images 24 | source: 
quay.io/openshift-release-dev/ocp-release 25 | 26 | image_pull_secret: | # FIXME(review): committed registry credential - the "auth" value is only base64 and decodes to a cleartext user:password for the mirror registry; treat it as compromised, rotate it, and load it from Ansible Vault or the external-secrets feature instead of plain git 27 | {"auths":{"mirror-registry.disco.coe.muc.redhat.com:5000":{"auth":"YWRtaW46MVJlZDJIYXQz"}}} 28 | 29 | stormshift_owner_email: "rbohne@redhat.com" 30 | stormshift_owner_purpose: "Disco nnected Cluster" 31 | stormshift_owner_usage: "dedicated" 32 | 33 | local_cluster_admins: 34 | - rguske@redhat.com-admin 35 | 36 | # Same color as for the labels: https://github.com/stormshift/support/labels 37 | cluster_color: "#0052cc" 38 | cluster_color_fg: "#fff" 39 | 40 | openshift_version: 4.17.16 41 | 42 | stormshift_cluster_features: 43 | - redhat-internal-certificate 44 | - coe-sso 45 | - look-and-feel 46 | 47 | cluster_type: classic 48 | cluster_api_vip: 192.168.69.251 49 | cluster_ingress_vip: 192.168.69.252 50 | 51 | control_plan_cores: 8 52 | control_plan_ram_gb: 16 53 | control_plans: 54 | - vm_network_ip_address: 192.168.69.241 55 | vm_network_mac_address: 0E:C0:EF:A8:45:F1 56 | - vm_network_ip_address: 192.168.69.242 57 | vm_network_mac_address: 0E:C0:EF:A8:45:F2 58 | - vm_network_ip_address: 192.168.69.243 59 | vm_network_mac_address: 0E:C0:EF:A8:45:F3 60 | 61 | worker_cores: 16 62 | worker_ram_gb: 32 63 | workers: 64 | - vm_network_ip_address: 192.168.69.244 65 | vm_network_mac_address: 0E:C0:EF:A8:45:F4 66 | - vm_network_ip_address: 192.168.69.245 # FIXME(review): same address as network_default_gw (192.168.69.245) earlier in this file - the worker and the gateway will collide; pick a free host address 67 | vm_network_mac_address: 0E:C0:EF:A8:45:F5 68 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | openshift_version: 4.17.6 3 | stormshift_owner_email: "rbohne@redhat.com" 4 | stormshift_owner_purpose: "SSA playground" 5 | stormshift_owner_usage: "exclusive" 6 | 7 | cluster_type: classic 8 | cluster_api_vip: 10.32.105.64 9 | cluster_ingress_vip: 10.32.105.65 10 | 11 | control_plan_cores: 8 12 | control_plan_ram_gb: 16 13 | control_plans: 14 | - vm_network_ip_address: 10.32.105.66 15 | 
vm_network_mac_address: 0E:C0:EF:20:69:42 16 | - vm_network_ip_address: 10.32.105.67 17 | vm_network_mac_address: 0E:C0:EF:20:69:43 18 | - vm_network_ip_address: 10.32.105.68 19 | vm_network_mac_address: 0E:C0:EF:20:69:44 20 | worker_cores: 8 21 | worker_ram_gb: 16 22 | workers: 23 | - vm_network_ip_address: 10.32.105.69 24 | vm_network_mac_address: 0E:C0:EF:20:69:45 25 | - vm_network_ip_address: 10.32.105.70 26 | vm_network_mac_address: 0E:C0:EF:20:69:46 27 | - vm_network_ip_address: 10.32.105.71 28 | vm_network_mac_address: 0E:C0:EF:20:69:47 29 | 30 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp11.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Single Node example 3 | 4 | # In case you want to exclude some actions 5 | # cluster_excluded_actions: 6 | # - destroy 7 | # - create 8 | stormshift_owner_email: "dfroehli@redhat.com" 9 | stormshift_owner_purpose: "Edge SNO" 10 | stormshift_owner_usage: "exclusive" 11 | cluster_type: classic 12 | # This is also the zone in IPA! 13 | cluster_base_domain: stormshift.coe.muc.redhat.com 14 | cluster_name: ocp11 15 | cluster_color: "#F0F" 16 | 17 | # See: https://docs.openshift.com/container-platform/4.17/scalability_and_performance/enabling-workload-partitioning.html#enabling-workload-partitioning_enabling-workload-partitioning 18 | cluster_cpuPartitioningMode: AllNodes 19 | 20 | # Not needed for SNO, it will use the ip of the node. 
21 | # cluster_api_vip: 22 | # cluster_ingress_vip: 23 | 24 | control_plan_cores: 8 25 | control_plan_ram_gb: 48 26 | control_plans: 27 | - vm_network_ip_address: 10.32.105.128 28 | vm_network_mac_address: 0E:C0:EF:20:6F:80 29 | 30 | # Default is in roles/cluster/defaults/main.yaml - Override if needed: 31 | openshift_version: 4.18.8 32 | 33 | stormshift_cluster_features: 34 | - redhat-internal-certificate 35 | - coe-sso 36 | - look-and-feel 37 | # - workload-partitioning 38 | # - lvms 39 | # - rhoai 40 | 41 | 42 | 43 | # See https://docs.openshift.com/container-platform/4.17/installing/overview/cluster-capabilities.html 44 | cluster_capabilities: 45 | baselineCapabilitySet: vCurrent 46 | # baselineCapabilitySet: None 47 | # additionalEnabledCapabilities: 48 | # - Storage 49 | # - Console 50 | # - Ingress 51 | # - OperatorLifecycleManager 52 | # - marketplace 53 | 54 | cluster_additionalTrustBundle: /etc/pki/ca-trust/source/anchors/RedHat_Current-IT-Root-CAs.pem 55 | cluster_imagesource: 56 | imageDigestSources: 57 | - source: quay.io/openshift-release-dev/ocp-release 58 | # mirrorSourcePolicy: AllowContactingSource 59 | mirrorSourcePolicy: NeverContactSource 60 | mirrors: 61 | - quay.coe.muc.redhat.com/proxy_quay_openshift_release/ocp-release 62 | - source: quay.io/openshift-release-dev/ocp-v4.0-art-dev 63 | mirrorSourcePolicy: NeverContactSource 64 | mirrors: 65 | - quay.coe.muc.redhat.com/proxy_quay_openshift_release/ocp-v4.0-art-dev 66 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp12.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Single Node example 3 | 4 | # In case you want to exclude some actions 5 | # cluster_excluded_actions: 6 | # - destroy 7 | # - create 8 | stormshift_owner_email: "available" 9 | stormshift_owner_purpose: "SNO" 10 | stormshift_owner_usage: "exclusive" 11 | cluster_type: classic 12 | # This is also the zone in IPA! 
13 | cluster_base_domain: stormshift.coe.muc.redhat.com 14 | cluster_name: ocp12 15 | # Not needed for SNO, it will use the ip of the node. 16 | # cluster_api_vip: 17 | # cluster_ingress_vip: 18 | 19 | control_plan_cores: 8 20 | control_plan_ram_gb: 32 21 | control_plans: 22 | - vm_network_ip_address: 10.32.105.129 23 | vm_network_mac_address: 0E:C0:EF:20:6F:81 24 | 25 | # Default is in roles/cluster/defaults/main.yaml - Override if needed: 26 | #openshift_version: 4.17.2 27 | 28 | # See https://docs.openshift.com/container-platform/4.17/installing/overview/cluster-capabilities.html 29 | #cluster_capabilities: 30 | # baselineCapabilitySet: None 31 | # additionalEnabledCapabilities: 32 | # - Storage 33 | # - Console 34 | # - Ingress 35 | # - OperatorLifecycleManager 36 | # - marketplace 37 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp13.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Single Node example 3 | 4 | # In case you want to exclude some actions 5 | # cluster_excluded_actions: 6 | # - destroy 7 | # - create 8 | stormshift_owner_email: "available" 9 | stormshift_owner_purpose: "SNO" 10 | stormshift_owner_usage: "exclusive" 11 | cluster_type: classic 12 | # This is also the zone in IPA! 13 | cluster_base_domain: stormshift.coe.muc.redhat.com 14 | cluster_name: ocp13 15 | # Not needed for SNO, it will use the ip of the node. 
16 | # cluster_api_vip: 17 | # cluster_ingress_vip: 18 | 19 | control_plan_cores: 8 20 | control_plan_ram_gb: 32 21 | control_plans: 22 | - vm_network_ip_address: 10.32.105.130 23 | vm_network_mac_address: 0E:C0:EF:20:6F:82 24 | 25 | # Default is in roles/cluster/defaults/main.yaml - Override if needed: 26 | #openshift_version: 4.17.2 27 | 28 | # See https://docs.openshift.com/container-platform/4.17/installing/overview/cluster-capabilities.html 29 | #cluster_capabilities: 30 | # baselineCapabilitySet: None 31 | # additionalEnabledCapabilities: 32 | # - Storage 33 | # - Console 34 | # - Ingress 35 | # - OperatorLifecycleManager 36 | # - marketplace 37 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp14.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # Single Node example 3 | 4 | # In case you want to exclude some actions 5 | # cluster_excluded_actions: 6 | # - destroy 7 | # - create 8 | stormshift_owner_email: "mdargatz@redhat.com" 9 | stormshift_owner_purpose: "SNO" 10 | stormshift_owner_usage: "exclusive" 11 | cluster_type: classic 12 | # This is also the zone in IPA! 13 | cluster_base_domain: stormshift.coe.muc.redhat.com 14 | cluster_name: ocp14 15 | # Not needed for SNO, it will use the ip of the node. 
16 | # cluster_api_vip: 17 | # cluster_ingress_vip: 18 | 19 | control_plan_cores: 8 20 | control_plan_ram_gb: 32 21 | control_plans: 22 | - vm_network_ip_address: 10.32.105.131 23 | vm_network_mac_address: 0E:C0:EF:20:6F:83 24 | 25 | # Default is in roles/cluster/defaults/main.yaml - Override if needed: 26 | #openshift_version: 4.17.2 27 | 28 | # See https://docs.openshift.com/container-platform/4.17/installing/overview/cluster-capabilities.html 29 | #cluster_capabilities: 30 | # baselineCapabilitySet: None 31 | # additionalEnabledCapabilities: 32 | # - Storage 33 | # - Console 34 | # - Ingress 35 | # - OperatorLifecycleManager 36 | # - marketplace 37 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | stormshift_owner_email: "dfroehli@redhat.com" 3 | stormshift_owner_purpose: "Edge compact" 4 | stormshift_owner_usage: "exclusive" 5 | cluster_type: classic 6 | cluster_api_vip: 10.32.105.42 7 | cluster_ingress_vip: 10.32.105.49 8 | 9 | cluster_color: "#0FF" 10 | 11 | # Default is in roles/cluster/defaults/main.yaml - Override if needed: 12 | #openshift_version: 4.17.12 13 | stormshift_cluster_features: 14 | - redhat-internal-certificate 15 | - coe-sso 16 | - look-and-feel 17 | - lvms 18 | 19 | # See https://docs.openshift.com/container-platform/4.17/installing/overview/cluster-capabilities.html 20 | cluster_capabilities: 21 | baselineCapabilitySet: vCurrent 22 | # baselineCapabilitySet: None 23 | # additionalEnabledCapabilities: 24 | # - baremetal 25 | # - Ingress 26 | control_plan_cores: 6 27 | control_plan_ram_gb: 32 28 | 29 | control_plans: 30 | - vm_network_ip_address: 10.32.105.80 31 | vm_network_mac_address: 0E:C0:EF:20:69:50 32 | - vm_network_ip_address: 10.32.105.81 33 | vm_network_mac_address: 0E:C0:EF:20:69:51 34 | - vm_network_ip_address: 10.32.105.82 35 | vm_network_mac_address: 0E:C0:EF:20:69:52 36 | 
37 | worker_cores: 8 38 | worker_ram_gb: 16 39 | 40 | # Compact 3 nodes only Cluster: 41 | workers: [] 42 | # Regular 3+3 Cluster: 43 | # workers: 44 | # - vm_network_ip_address: 10.32.105.83 45 | # vm_network_mac_address: 0E:C0:EF:20:69:53 46 | # - vm_network_ip_address: 10.32.105.84 47 | # vm_network_mac_address: 0E:C0:EF:20:69:54 48 | # - vm_network_ip_address: 10.32.105.85 49 | # vm_network_mac_address: 0E:C0:EF:20:69:55 50 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp3.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | stormshift_owner_email: "sluetzen@redhat.com" 3 | stormshift_owner_purpose: "General Purpose, Hosted Control Plan Cluster" 4 | stormshift_owner_usage: "shared" 5 | 6 | local_cluster_admins: 7 | - sluetzen@redhat.com-admin 8 | - rbaumgar@redhat.com-admin 9 | 10 | # Same color as for the labels: https://github.com/stormshift/support/labels 11 | cluster_color: "#c2e0c6" 12 | cluster_color_fg: "#4a4a4a" 13 | 14 | cluster_type: hosted 15 | openshift_version: 4.16.15 16 | 17 | worker_cores: 8 18 | worker_ram_gb: 16 19 | worker_count: 3 20 | 21 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp6.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | stormshift_owner_email: "rbohne@redhat.com" 3 | stormshift_owner_purpose: "Multi-Arch playground" 4 | stormshift_owner_usage: "shared" 5 | 6 | # Same color as for the labels: https://github.com/stormshift/support/labels 7 | cluster_color: "#FEF2C0" 8 | 9 | openshift_version: 4.18.7 10 | 11 | stormshift_cluster_features: 12 | - redhat-internal-certificate 13 | - coe-sso 14 | - manage-with-acm 15 | 16 | cluster_type: classic 17 | cluster_api_vip: 10.32.105.90 18 | cluster_ingress_vip: 10.32.105.91 19 | 20 | #worker_storage_class: "ocs-storagecluster-ceph-rbd-virtualization" 21 | 
#control_plan_storage_class: "ocs-storagecluster-ceph-rbd-virtualization" 22 | #agent_iso_storage_class: "ocs-storagecluster-cephfs" 23 | 24 | control_plan_cores: 8 25 | control_plan_ram_gb: 16 26 | control_plans: 27 | - vm_network_ip_address: 10.32.105.92 28 | vm_network_mac_address: 0E:C0:EF:20:69:5C 29 | - vm_network_ip_address: 10.32.105.93 30 | vm_network_mac_address: 0E:C0:EF:20:69:5D 31 | - vm_network_ip_address: 10.32.105.94 32 | vm_network_mac_address: 0E:C0:EF:20:69:5E 33 | 34 | worker_cores: 8 35 | worker_ram_gb: 16 36 | workers: 37 | - vm_network_ip_address: 10.32.105.95 38 | vm_network_mac_address: 0E:C0:EF:20:69:5F 39 | - vm_network_ip_address: 10.32.105.96 40 | vm_network_mac_address: 0E:C0:EF:20:69:60 41 | - vm_network_ip_address: 10.32.105.97 42 | vm_network_mac_address: 0E:C0:EF:20:69:61 43 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp7.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | stormshift_owner_email: "rbohne@redhat.com" 3 | stormshift_owner_purpose: "TechJourney Demo Env." 4 | stormshift_owner_usage: "dedicated" 5 | 6 | # local_cluster_admins: 7 | # - .. 
8 | 9 | # Same color as for the labels: https://github.com/stormshift/support/labels 10 | cluster_color: "#19122F" 11 | cluster_color_fg: "#e8e8e8" 12 | openshift_version: 4.16.38 13 | 14 | stormshift_cluster_features: 15 | - redhat-internal-certificate 16 | - coe-sso 17 | - manage-with-acm 18 | - look-and-feel 19 | 20 | worker_storage_class: "ocs-storagecluster-ceph-rbd-virtualization" 21 | control_plan_storage_class: "ocs-storagecluster-ceph-rbd-virtualization" 22 | agent_iso_storage_class: "ocs-storagecluster-cephfs" 23 | 24 | cluster_type: classic 25 | cluster_api_vip: 10.32.105.98 26 | cluster_ingress_vip: 10.32.105.99 27 | 28 | control_plan_cores: 8 29 | control_plan_ram_gb: 16 30 | control_plans: 31 | - vm_network_ip_address: 10.32.105.100 32 | vm_network_mac_address: 0E:C0:EF:20:69:64 33 | - vm_network_ip_address: 10.32.105.101 34 | vm_network_mac_address: 0E:C0:EF:20:69:65 35 | - vm_network_ip_address: 10.32.105.102 36 | vm_network_mac_address: 0E:C0:EF:20:69:66 37 | 38 | worker_cores: 8 39 | worker_ram_gb: 16 40 | workers: 41 | - vm_network_ip_address: 10.32.105.103 42 | vm_network_mac_address: 0E:C0:EF:20:69:67 43 | - vm_network_ip_address: 10.32.105.104 44 | vm_network_mac_address: 0E:C0:EF:20:69:68 45 | - vm_network_ip_address: 10.32.105.105 46 | vm_network_mac_address: 0E:C0:EF:20:69:69 47 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp8.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | stormshift_owner_email: "wmarx@redhat.com" 3 | stormshift_owner_purpose: "OpenShift Virt" 4 | stormshift_owner_usage: "dedicated" 5 | 6 | local_cluster_admins: 7 | - wmarx@redhat.com-admin 8 | 9 | # Same color as for the labels: https://github.com/stormshift/support/labels 10 | cluster_color: "#6452F2" 11 | cluster_color_fg: "#fefefe" 12 | openshift_version: 4.18.5 13 | 14 | stormshift_cluster_features: 15 | - redhat-internal-certificate 16 | - coe-sso 17 | - 
manage-with-acm 18 | - look-and-feel 19 | 20 | cluster_type: classic 21 | cluster_api_vip: 10.32.105.140 22 | cluster_ingress_vip: 10.32.105.141 23 | 24 | worker_storage_class: "ocs-storagecluster-ceph-rbd-virtualization" 25 | control_plan_storage_class: "ocs-storagecluster-ceph-rbd-virtualization" 26 | agent_iso_storage_class: "ocs-storagecluster-cephfs" 27 | 28 | control_plan_cores: 8 29 | control_plan_ram_gb: 16 30 | control_plans: 31 | - vm_network_ip_address: 10.32.105.142 32 | vm_network_mac_address: 0E:C0:EF:20:6F:8E 33 | - vm_network_ip_address: 10.32.105.143 34 | vm_network_mac_address: 0E:C0:EF:20:6F:8F 35 | - vm_network_ip_address: 10.32.105.144 36 | vm_network_mac_address: 0E:C0:EF:20:6F:90 37 | 38 | worker_cores: 16 39 | worker_ram_gb: 32 40 | workers: 41 | - vm_network_ip_address: 10.32.105.145 42 | vm_network_mac_address: 0E:C0:EF:20:6F:91 43 | - vm_network_ip_address: 10.32.105.146 44 | vm_network_mac_address: 0E:C0:EF:20:6F:92 45 | - vm_network_ip_address: 10.32.105.147 46 | vm_network_mac_address: 0E:C0:EF:20:6F:93 47 | -------------------------------------------------------------------------------- /inventory/host_vars/ocp9.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | stormshift_owner_email: "lbohnsac@redhat.com" 3 | stormshift_owner_purpose: "OpenShift Virt Services Education Cluster" 4 | stormshift_owner_usage: "dedicated" 5 | 6 | local_cluster_admins: 7 | - emeroglu@redhat.com-admin 8 | - lbohnsac@redhat.com-admin 9 | 10 | # Same color as for the labels: https://github.com/stormshift/support/labels 11 | cluster_color: "#fbca04" 12 | cluster_color_fg: "#4a4a4a" 13 | 14 | openshift_version: 4.17.15 15 | 16 | stormshift_cluster_features: 17 | - redhat-internal-certificate 18 | - coe-sso 19 | - manage-with-acm 20 | - look-and-feel 21 | 22 | cluster_type: classic 23 | cluster_api_vip: 10.32.105.115 24 | cluster_ingress_vip: 10.32.105.116 25 | 26 | control_plan_cores: 8 27 | control_plan_ram_gb: 
16 28 | control_plans: 29 | - vm_network_ip_address: 10.32.105.117 30 | vm_network_mac_address: 0E:C0:EF:20:69:75 31 | - vm_network_ip_address: 10.32.105.118 32 | vm_network_mac_address: 0E:C0:EF:20:69:76 33 | - vm_network_ip_address: 10.32.105.119 34 | vm_network_mac_address: 0E:C0:EF:20:69:77 35 | 36 | worker_cores: 16 37 | worker_ram_gb: 32 38 | workers: 39 | - vm_network_ip_address: 10.32.105.120 40 | vm_network_mac_address: 0E:C0:EF:20:69:78 41 | - vm_network_ip_address: 10.32.105.121 42 | vm_network_mac_address: 0E:C0:EF:20:69:79 43 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift-imgbld2.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift01.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift02.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift03.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift04.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | 
-------------------------------------------------------------------------------- /inventory/host_vars/ushift05.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift06.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift07.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift08.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift09.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift10-eus.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift11-ga.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | 
-------------------------------------------------------------------------------- /inventory/host_vars/ushift12-rc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift13-ec.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift14.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift15-ostree.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift16-ostree.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift17-ostree.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift18-bootc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | 
-------------------------------------------------------------------------------- /inventory/host_vars/ushift19-bootc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift20.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift21-qe1.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /inventory/host_vars/ushift22.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ansible_host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 3 | -------------------------------------------------------------------------------- /isar-baselayer-config/010_namespaces.yaml: -------------------------------------------------------------------------------- 1 | # This creates the namespaces: 2 | kind: Namespace 3 | apiVersion: v1 4 | metadata: 5 | annotations: 6 | openshift.io/description: "Contains VM templates used by StormShift" 7 | openshift.io/display-name: "stormshift-vm-templates" 8 | openshift.io/requester: dfroehli@redhat.com 9 | name: stormshift-vm-templates 10 | spec: 11 | --- 12 | kind: Namespace 13 | apiVersion: v1 14 | metadata: 15 | annotations: 16 | openshift.io/description: "Contains VMs running microshift instances" 17 | openshift.io/display-name: "stormshift-microshift" 18 | openshift.io/requester: dfroehli@redhat.com 19 | name: stormshift-microshift 20 | spec: 21 | --- 22 | kind: Namespace 23 
apiVersion: v1
metadata:
  annotations:
    openshift.io/description: "Contains VMs running openshift clusters"
    openshift.io/display-name: "stormshift-openshift"
    openshift.io/requester: dfroehli@redhat.com
  name: stormshift-openshift
spec:
---
# Home of the automation itself: service account, its token Secret and the
# synced SSH key live here, so access to this namespace is access to those.
kind: Namespace
apiVersion: v1
metadata:
  annotations:
    openshift.io/description: "Foundation for all StormShift related workload"
    openshift.io/display-name: "stormshift"
    openshift.io/requester: rbohne@redhat.com
  name: stormshift
spec:
--------------------------------------------------------------------------------
/isar-baselayer-config/015-group.yaml:
--------------------------------------------------------------------------------
---
# Group that is granted `admin` in the `stormshift` namespace (020_rolebindings.yaml).
apiVersion: user.openshift.io/v1
kind: Group
metadata:
  name: stormshift-admins
users:
  - rbohne@redhat.com
  # NOTE(review): the `b64:` prefix is not the usual user-name form for a
  # service account (that would be `system:serviceaccount:stormshift:automation`).
  # Verify this entry actually matches the SA's identity; otherwise it is dead.
  # The SA is bound directly in 020_rolebindings.yaml anyway, so it may be redundant.
  - b64:system:serviceaccount:stormshift:automation
--------------------------------------------------------------------------------
/isar-baselayer-config/015-service-accounts.yaml:
--------------------------------------------------------------------------------
---
# Service account scoped to the template namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: stormshift-automation
  namespace: stormshift-vm-templates
---
# Cluster-wide automation identity used by the playbooks (permissions in
# 016-automation-role-cr.yaml).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: automation
  namespace: stormshift
---
# SECURITY(review): this is a legacy, non-expiring service-account token kept
# as a Secret. Anyone with `get secrets` in `stormshift` (the stormshift-admins
# group has `admin` there) obtains a credential carrying every cluster-wide
# grant from 016-automation-role-cr.yaml, and it never rotates unless this
# Secret is deleted and recreated. Prefer short-lived bound tokens
# (TokenRequest / the AAP credential plugin) or document a rotation procedure.
apiVersion: v1
kind: Secret
metadata:
  name: automation-token
  namespace: stormshift
  annotations:
    kubernetes.io/service-account.name: automation
type: kubernetes.io/service-account-token
--------------------------------------------------------------------------------
/isar-baselayer-config/016-automation-role-cr.yaml:
--------------------------------------------------------------------------------
---
# Cluster-wide permissions of the `automation` service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: stormshift-automation
rules:
  # Core group: modify existing namespaces (labels/annotations), no create/list.
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - patch
      - update
  # ACM: register / unregister managed clusters.
  - apiGroups:
      - cluster.open-cluster-management.io
    resources:
      - managedclusters
    verbs:
      - create
      - list
      - delete
      - patch
      - get
  # OpenShift projects. Project creation in practice goes through the
  # `self-provisioner` binding below (ProjectRequest).
  - apiGroups:
      - project.openshift.io
    resources:
      - projects
    verbs:
      - create
      - list
      - patch
      - get
  # BUG(review): `v1` is an API *version*, not an API group. RBAC matches on
  # group, and core resources such as namespaces belong to group `""`, so this
  # rule should grant nothing; `edit` is also not an RBAC verb. The effective
  # namespace rights therefore come from the first rule plus `self-provisioner`.
  # Either delete this rule, or change the group to `""` deliberately -- that
  # widens the SA to create/list namespaces cluster-wide, so decide explicitly
  # rather than letting a typo decide.
  - apiGroups:
      - v1
    resources:
      - namespaces
    verbs:
      - create
      - list
      - patch
      - get
      - edit
---
# Namespaced role for Hosted Control Plane objects in `clusters`. `*` covers
# delete as well, which an automation that also destroys clusters needs; note
# that the `admin` RoleBinding at the bottom of this file overlaps with it.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: hcp-automation
  namespace: clusters
rules:
  - apiGroups:
      - "hypershift.openshift.io"
    resources:
      - hostedclusters
      - nodepools
    verbs:
      - "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stormshift-automation
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: stormshift-automation
subjects:
  - kind: ServiceAccount
    name: automation
    namespace: stormshift
---
# `self-provisioner` lets the SA create projects cluster-wide -- presumably how
# the per-cluster `stormshift-<name>-infra` namespaces come into being.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stormshift-automation-self-provisioner
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: self-provisioner
subjects:
  - kind: ServiceAccount
    name: automation
    namespace: stormshift
---
# ACM-generated ClusterRole: admin on the `stormshift` ManagedClusterSet only.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: stormshift-automation-managedclusterset-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: open-cluster-management:managedclusterset:admin:stormshift
subjects:
  - kind: ServiceAccount
    name: automation
    namespace: stormshift
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stormshift-automation-hcp-admin
  namespace: clusters
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: hcp-automation
subjects:
  - kind: ServiceAccount
    name: automation
    namespace: stormshift
---
# SECURITY(review): `admin` in `clusters` also grants read on every Secret in
# that namespace (hosted-cluster kubeconfigs / pull secrets presumably live
# there -- confirm). If the automation only needs HostedCluster/NodePool plus a
# few core resources, extend `hcp-automation` instead of binding `admin`.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stormshift-automation-admin
  namespace: clusters
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
  - kind: ServiceAccount
    name: automation
    namespace: stormshift
--------------------------------------------------------------------------------
/isar-baselayer-config/020_rolebindings.yaml:
--------------------------------------------------------------------------------
# Make stormshift namespaces visible to all authenticated users:
#
# SECURITY(review): the role bound below is `admin`, not `view`. In each of the
# three namespaces every authenticated identity -- which includes every
# ServiceAccount of every other namespace on this cluster -- can create/delete
# VMs, read all Secrets and create further RoleBindings for others. If
# "visible" is the intent, bind `view` (plus the clone role from
# 050_allowDataVolumeClone.yaml); if self-service VM deployment is the intent,
# state that here and consider a dedicated group instead of system:authenticated.
# (The `athenticated` spelling in the binding names is kept on purpose: renaming
# a RoleBinding under GitOps means delete+create.)
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: make-all-athenticated-project-admin
  namespace: stormshift-vm-templates
subjects:
  # All authenticated users:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
  # Redundant: service accounts are already members of system:authenticated.
  - kind: ServiceAccount
    name: stormshift-automation
    namespace: stormshift-vm-templates
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: make-all-athenticated-project-admin
  namespace: stormshift-microshift
subjects:
  # All authenticated users:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: make-all-athenticated-project-admin
  namespace: stormshift-openshift
subjects:
  # All authenticated users:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
---
# Restricted namespace: only the stormshift-admins group and the automation SA.
# This namespace holds `automation-token` (015-service-accounts.yaml) and the
# synced SSH key (300-external-secrets.yaml), so `admin` here equals possession
# of both credentials.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: stormshift-admins-admin
  namespace: stormshift
subjects:
  - kind: Group
    name: stormshift-admins
    apiGroup: rbac.authorization.k8s.io
  - kind: ServiceAccount
    name: automation
    namespace: stormshift
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io

--------------------------------------------------------------------------------
/isar-baselayer-config/050_allowDataVolumeClone.yaml:
--------------------------------------------------------------------------------
# This adds data volume clone permissions as a ClusterRole,
# and then grants it (namespace-scoped, via a RoleBinding) to all service accounts
# and users for stormshift templates:
# See:
# https://docs.openshift.com/container-platform/4.13/virt/virtual_machines/cloning_vms/virt-enabling-user-permissions-to-clone-datavolumes.html#virt-creating-rbac-cloning-dvs_virt-enabling-user-permissions-to-clone-datavolumes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cdi.datavolume-cloner.addedBy-dfroehli
rules:
  # `datavolumes/source` is the subresource CDI authorizes against when a
  # DataVolume in another namespace clones from a PVC in this one (see link).
  - apiGroups: ["cdi.kubevirt.io"]
    resources: ["datavolumes/source"]
    verbs: ["*"]
---
# Scope: cloning *from* PVCs in stormshift-vm-templates only. Being a
# RoleBinding (not a ClusterRoleBinding) this stays correct even if the
# `admin` grant in 020_rolebindings.yaml is later tightened to `view`.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: allow-all-datavolume-clone
  namespace: stormshift-vm-templates
subjects:
  # All Service Accounts in all Namespaces:
  # (redundant with system:authenticated below, which already contains them)
  - kind: Group
    name: system:serviceaccounts
    apiGroup: rbac.authorization.k8s.io
  # All authenticated users:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cdi.datavolume-cloner.addedBy-dfroehli
  apiGroup: rbac.authorization.k8s.io
--------------------------------------------------------------------------------
/isar-baselayer-config/060_networkattachments.yaml:
--------------------------------------------------------------------------------
# One NetworkAttachmentDefinition per StormShift namespace, all attaching to the
# same host bridge `coe-bridge` (shared lab L2 segment). `macspoofchk: true` is
# the relevant control: a VM cannot transmit with a MAC other than the one
# assigned to its interface, which limits impersonation between VMs of
# different owners on the shared bridge. `ipam: {}` = no CNI IPAM; addresses
# are presumably configured inside the guest (host_vars carry static IPs/MACs).
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  annotations:
    k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/coe-bridge
  name: coe-bridge
  namespace: stormshift-vm-templates
spec:
  config: '{"name":"coe-bridge","type":"cnv-bridge","cniVersion":"0.3.1","bridge":"coe-bridge","macspoofchk":true,"ipam":{}}'
---
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  annotations:
    k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/coe-bridge
  name: coe-bridge
  namespace: stormshift-openshift
spec:
  config: '{"name":"coe-bridge","type":"cnv-bridge","cniVersion":"0.3.1","bridge":"coe-bridge","macspoofchk":true,"ipam":{}}'
---
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  annotations:
    k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/coe-bridge
  name: coe-bridge
  namespace: stormshift-microshift
spec:
  config: '{"name":"coe-bridge","type":"cnv-bridge","cniVersion":"0.3.1","bridge":"coe-bridge","macspoofchk":true,"ipam":{}}'
--------------------------------------------------------------------------------
/isar-baselayer-config/100-vm-template-rhel92.yaml:
--------------------------------------------------------------------------------
# RHEL 9.2 golden image, kept stopped (`running: false`) and intended as a clone
# source (see 050_allowDataVolumeClone.yaml). The fixed MAC below belongs to
# the template only; clones must receive their own MAC, otherwise two VMs share
# an address on coe-bridge.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  labels:
    kubevirt.io/vm: stormshift-template-rhel92
  name: stormshift-template-rhel92
  namespace: stormshift-vm-templates
spec:
  running: false
  template:
    metadata:
      labels:
        kubevirt.io/vm: stormshift-template-rhel92
    spec:
      domain:
        cpu:
          cores: 2
          sockets: 1
          threads: 1
        memory:
          guest: 4Gi
        resources:
          requests:
            memory: 4Gi
            cpu: "1"
        machine:
          type: q35
        devices:
          disks:
            - disk:
                bus: virtio
              name: root-disk
          interfaces:
            - bridge: {}
              macAddress: '0E:C0:EF:20:69:26'
              model: virtio
              name: net-0
        clock:
          timezone: Etc/GMT
      networks:
        - multus:
            networkName: stormshift-vm-templates/coe-bridge
          name: net-0
      volumes:
        - name: root-disk
          persistentVolumeClaim:
            claimName: stormshift-template-rhel92-root
--------------------------------------------------------------------------------
/isar-baselayer-config/110-vm-template-rhel94.yaml:
--------------------------------------------------------------------------------
# RHEL 9.4 golden image; identical layout to 100-vm-template-rhel92.yaml except
# for name, MAC and root PVC. Same caveat: the MAC is the template's only.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  labels:
    kubevirt.io/vm: stormshift-template-rhel94
  name: stormshift-template-rhel94
  namespace: stormshift-vm-templates
spec:
  running: false
  template:
    metadata:
      labels:
        kubevirt.io/vm: stormshift-template-rhel94
    spec:
      domain:
        cpu:
          cores: 2
          sockets: 1
          threads: 1
        memory:
          guest: 4Gi
        resources:
          requests:
            memory: 4Gi
            cpu: "1"
        machine:
          type: q35
        devices:
          disks:
            - disk:
                bus: virtio
              name: root-disk
          interfaces:
            - bridge: {}
              macAddress: '0E:C0:EF:20:69:27'
              model: virtio
              name: net-0
        clock:
          timezone: Etc/GMT
      networks:
        - multus:
            networkName: stormshift-vm-templates/coe-bridge
          name: net-0
      volumes:
        - name: root-disk
          persistentVolumeClaim:
            claimName: stormshift-template-rhel94-root
--------------------------------------------------------------------------------
/isar-baselayer-config/300-external-secrets.yaml:
--------------------------------------------------------------------------------
# Syncs the shared CoE lab SSH key pair from Vault into the `stormshift` namespace.
#
# SECURITY(review): the resulting Secret `coe-ssh-key` holds the *private* key
# (`id_rsa`), so every identity with `admin`/secret read in `stormshift`
# (stormshift-admins group and the `automation` SA, see 020_rolebindings.yaml)
# effectively holds that key. The 12h refresh only re-syncs from Vault; it does
# not rotate the key. `deletionPolicy: Retain` means deleting this
# ExternalSecret leaves the Secret -- and the key -- on the cluster, so retire
# it explicitly when the key is rotated out.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  annotations:
  name: coe-ssh-key
  namespace: stormshift
spec:
  data:
    # Vault property `key` (private half) -> Secret key `id_rsa`
    - remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: coe-lab/ssh-key/coe-muc-rsa
        metadataPolicy: None
        property: key
      secretKey: id_rsa
    # Vault property `pub` -> Secret key `id_rsa.pub`
    - remoteRef:
        conversionStrategy: Default
        decodingStrategy: None
        key: coe-lab/ssh-key/coe-muc-rsa
        metadataPolicy: None
        property: pub
      secretKey: id_rsa.pub
  refreshInterval: 12h
  secretStoreRef:
    kind: ClusterSecretStore
    name: redhat-vault
  target:
    creationPolicy: Owner
    deletionPolicy: Retain
    name: coe-ssh-key
--------------------------------------------------------------------------------
/isar-baselayer-config/README.md:
--------------------------------------------------------------------------------
This directory contains the config for the base layer ocp cluster (ISAR).
It is applied via gitops.
See:
https://openshift-gitops-server-openshift-gitops.apps.isar.coe.muc.redhat.com/applications/openshift-gitops/stormshift-app

--------------------------------------------------------------------------------
/media-asset/aap-inventory-source-repo.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/stormshift/automation/d262ecd5d68dae724f31c5dbfa7cb02fb202e5b1/media-asset/aap-inventory-source-repo.png
--------------------------------------------------------------------------------
/request-cert.yaml:
--------------------------------------------------------------------------------
# Ad-hoc helper: request a certificate for one cluster's API and apps wildcard
# via the req-cert-vault role (role not in view).
# NOTE(review): the cluster name is hard-coded to ocp5 in both SANs below. If
# this is meant for reuse, derive the names from inventory
# (`api.{{ inventory_hostname }}.{{ cluster_base_domain }}`) and target the
# cluster host instead of localhost; as written it only ever serves ocp5.
- hosts: localhost
  gather_facts: false
  tasks:
    - name: "Import role req-cert-vault"
      vars:
        common_name: "api.ocp5.stormshift.coe.muc.redhat.com"
        # Wildcard covers every route under *.apps; keep the CN in the SAN list,
        # modern clients ignore the CN.
        subject_alt_name: "DNS:api.ocp5.stormshift.coe.muc.redhat.com,DNS:*.apps.ocp5.stormshift.coe.muc.redhat.com"

      ansible.builtin.include_role:
        name: req-cert-vault
--------------------------------------------------------------------------------
/roles/cluster-hcp/defaults/main.yaml:
--------------------------------------------------------------------------------
---
# Defaults for hosted-control-plane (HyperShift) clusters.
cluster_hcp_etcd_storage_class: "coe-netapp-san"
cluster_hcp_node_root_volume_storage_class: "coe-netapp-san"
# Namespace the HostedCluster/NodePool objects land in; must match the
# `clusters` namespace the hcp-automation Role is bound in
# (isar-baselayer-config/016-automation-role-cr.yaml).
cluster_hcp_namespace: "clusters"
cluster_hcp_name: "{{ inventory_hostname }}"
cluster_hcp_prefix: "stormshift-"
--------------------------------------------------------------------------------
/roles/cluster/README.md:
--------------------------------------------------------------------------------
Role Name
=========

A brief description of the role goes here.

Requirements
------------

Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here.
For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. 10 | 11 | Role Variables 12 | -------------- 13 | 14 | A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. 15 | 16 | Dependencies 17 | ------------ 18 | 19 | A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 20 | 21 | Example Playbook 22 | ---------------- 23 | 24 | Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: 25 | 26 | - hosts: servers 27 | roles: 28 | - { role: username.rolename, x: 42 } 29 | 30 | License 31 | ------- 32 | 33 | BSD 34 | 35 | Author Information 36 | ------------------ 37 | 38 | An optional section for the role authors to include contact information, or a website (HTML is not allowed). 
--------------------------------------------------------------------------------
/roles/cluster/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for cluster
cluster_name: "{{ inventory_hostname }}"

# Installer working tree lives next to the playbook: <playbook_dir>/<host>/.
# NOTE(review): openshift-install presumably writes the new cluster's
# kubeconfig and kubeadmin password into this directory -- confirm that
# .gitignore and the execution-environment cleanup cover it so credentials are
# neither committed nor left on a shared runner.
artifacts_dir: "{{ playbook_dir }}"
openshift_install_dir: "{{ artifacts_dir }}/{{ inventory_hostname }}"
# Pinned installer version; host_vars override it per cluster.
openshift_version: 4.17.12
openshift_install_dest: "{{ artifacts_dir }}/{{ openshift_version }}"

# Installer binaries are fetched over HTTPS from the official mirror for the
# pinned version. NOTE(review): whether the download step also verifies the
# published sha256sum is not visible here -- worth confirming.
openshift_mirror: "https://mirror.openshift.com"
openshift_location: "{{ openshift_mirror }}/pub/openshift-v4/clients/ocp/{{ openshift_version }}"

openshift_install_command: "{{ openshift_install_dest }}/openshift-install"

# Lab L2 network the VMs attach to (static addressing, see host_vars).
network: 10.32.96.0
network_ip_address_prefix_length: 20

network_default_gw: 10.32.111.254
network_dns_servers:
  - 10.32.96.1
  - 10.32.96.31

# CDI upload proxy on the ISAR infra cluster (presumably used to upload the
# agent ISO that deploy-vm.yaml clones from).
upload_host: https://cdi-uploadproxy-openshift-cnv.apps.isar.coe.muc.redhat.com

# Namespace on ISAR that hosts this cluster's VMs; overridable via
# cluster_custom_namespace.
target_namespace: "{{ cluster_custom_namespace | default('stormshift-' + inventory_hostname + '-infra') }}"

# camelCase is inconsistent with the other variable names; kept as-is because
# task files reference it.
clusterAlreadyExists: false

# See: https://docs.openshift.com/container-platform/4.17/scalability_and_performance/enabling-workload-partitioning.html#enabling-workload-partitioning_enabling-workload-partitioning
cluster_cpuPartitioningMode: None

# Storage classes on ISAR; host_vars may switch these to ODF
# (ocs-storagecluster-*).
worker_storage_class: "coe-netapp-san"
control_plan_storage_class: "coe-netapp-san"
agent_iso_storage_class: "coe-netapp-nas"
--------------------------------------------------------------------------------
/roles/cluster/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for cluster
--------------------------------------------------------------------------------
/roles/cluster/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info: 2 | author: your name 3 | description: your role description 4 | company: your company (optional) 5 | 6 | # If the issue tracker for your role is not on github, uncomment the 7 | # next line and provide a value 8 | # issue_tracker_url: http://example.com/issue/tracker 9 | 10 | # Choose a valid license ID from https://spdx.org - some suggested licenses: 11 | # - BSD-3-Clause (default) 12 | # - MIT 13 | # - GPL-2.0-or-later 14 | # - GPL-3.0-only 15 | # - Apache-2.0 16 | # - CC-BY-4.0 17 | license: license (GPL-2.0-or-later, MIT, etc) 18 | 19 | min_ansible_version: 2.1 20 | 21 | # If this a Container Enabled role, provide the minimum Ansible Container version. 22 | # min_ansible_container_version: 23 | 24 | # 25 | # Provide a list of supported platforms, and for each platform a list of versions. 26 | # If you don't wish to enumerate all versions for a particular platform, use 'all'. 27 | # To view available platforms and versions (or releases), visit: 28 | # https://galaxy.ansible.com/api/v1/platforms/ 29 | # 30 | # platforms: 31 | # - name: Fedora 32 | # versions: 33 | # - all 34 | # - 25 35 | # - name: SomePlatform 36 | # versions: 37 | # - all 38 | # - 1.0 39 | # - 7 40 | # - 99.99 41 | 42 | galaxy_tags: [] 43 | # List tags for your role here, one per line. A tag is a keyword that describes 44 | # and categorizes the role. Users find roles by searching for tags. Be sure to 45 | # remove the '[]' above, if you add tags to this list. 46 | # 47 | # NOTE: A tag is limited to a single word comprised of alphanumeric characters. 48 | # Maximum 20 tags per role. 49 | 50 | dependencies: [] 51 | # List your role dependencies here, one per line. Be sure to remove the '[]' above, 52 | # if you add dependencies to this list. 

# ---- /roles/cluster/tasks/deploy-vm.yaml ----
---
# Creates one KubeVirt VM on the hosting cluster. The caller sets vm_name and the
# vm_* sizing/network variables before including this file (one include per node).

- name: "Deploy VM {{target_namespace}}/{{ vm_name }}"
  kubevirt.core.kubevirt_vm:
    # Credentials for the hosting cluster are taken from the inventory host
    # "isar"; TLS verification is controlled by k8s_auth_verify_ssl there.
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"

    state: present
    running: true # default
    wait: true
    wait_timeout: 480
    name: "{{ vm_name }}"
    namespace: "{{ target_namespace }}"
    # vm_group is what the anti-affinity rule below matches on.
    labels:
      vm_group: "{{ target_namespace }}"
    data_volume_templates:
      # Blank root disk; size and class come from the caller.
      - metadata:
          name: "{{ vm_name }}-root"
        spec:
          storage:
            accessModes:
              - ReadWriteMany
            storageClassName: "{{ vm_rootdisk_storageclass }}"
            resources:
              requests:
                storage: "{{ vm_rootdisk_size }}"
          source:
            blank: {}
      # Boot media: a CDI clone of the per-cluster agent ISO PVC, which
      # destroy-cluster.yaml deletes again.
      - metadata:
          name: "{{ vm_name }}-cdrom"
        spec:
          storage:
            accessModes:
              - ReadWriteMany
            storageClassName: "{{ agent_iso_storage_class }}"
            resources:
              requests:
                storage: "2Gi"
          source:
            pvc:
              name: "{{ inventory_hostname }}-agent-iso"
              namespace: "{{ target_namespace }}"
    spec:
      # Soft rule: prefer spreading the VMs of one cluster (same vm_group label)
      # across different hosting nodes.
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: vm_group
                      operator: In
                      values:
                        - "{{ target_namespace }}"
                topologyKey: kubernetes.io/hostname

      volumes:
        - name: cdrom
          dataVolume:
            name: "{{ vm_name }}-cdrom"
        - name: root
          dataVolume:
            name: "{{ vm_name }}-root"
      networks:
        - name: coe
          multus:
            networkName: "{{ vm_net_attach_def | default('coe-bridge') }}"
      domain:
        cpu:
          cores: "{{ vm_cores | int }}"
          sockets: 1
          threads: 1 # Hyperthreading is disabled at ISAR cluster
        memory:
          guest: "{{ vm_memory_gb }}Gi"
        resources:
          requests:
            memory: "{{ vm_memory_gb }}Gi"
          # https://docs.openshift.com/container-platform/4.14/virt/install/preparing-cluster-for-virt.html#virt-cluster-resource-requirements_preparing-cluster-for-virt
          # Based on the calculation:
          # Memory overhead per virtual machine ≈ (1.002 × requested memory) \
          #               + 218 MiB \
          #               + 8 MiB × (number of vCPUs) \
          #               + 16 MiB × (number of graphics devices) \
          #               + (additional memory overhead)
          #

          # echo "(16384 * 1.002) + 218 + (8*8)" | bc -l
          # => 16698.768
          # + 20Mib because of https://docs.openshift.com/container-platform/4.15/virt/monitoring/virt-runbooks.html#virt-runbook-KubevirtVmHighMemoryUsage
          # echo "(16384 * 1.002) + 218 + (8*8) + 20 " | bc -l
          # => 16718.768
          # round: 16720Mi
          #
          # NOTE(review): the expression below implements the first formula only;
          # the +20 MiB padding and the graphics-device term from the worked
          # example are not included — confirm which variant is intended.
          # Assumes vm_memory_gb and vm_cores are numbers (not quoted strings) in
          # the inventory, otherwise the arithmetic fails at render time.
          limits:
            memory: "{{ ( ( ( vm_memory_gb * 1.002 ) + 0.218 + ( 0.008 * vm_cores ) ) * 1024 ) | round(0) | int }}Mi"
        devices:
          disks:
            - name: root
              bootOrder: 1
              disk:
                bus: virtio
            - name: cdrom
              bootOrder: 2
              cdrom:
                bus: sata
              # NOTE(review): each VM gets its own -cdrom clone above, so it is not
              # obvious why the disk must be shareable — confirm it is needed.
              shareable: true
          interfaces:
            - bridge: {}
              # Static MAC; agent-config.yaml.j2 uses the same value to match the node.
              macAddress: "{{ vm_network_mac_address }}"
              model: virtio
              name: coe

# ---- /roles/cluster/tasks/destroy-cluster.yaml ----
---
# Tears a cluster down in reverse order of creation: feature hooks, DNS records,
# VMs and DataVolumes on the hosting cluster, stored credentials.

- name: Include pre-destroy-features
  # NOTE(review): a failing feature teardown (e.g. an SSO client that could not
  # be removed) is swallowed here and the VMs are destroyed anyway; the leftover
  # has to be cleaned up by hand.
  ignore_errors: true
  ansible.builtin.include_role:
    # Role name is built from inventory data (stormshift_cluster_features).
    name: "feature-{{ item }}"
    tasks_from: pre-destroy.yaml
  with_items: "{{ stormshift_cluster_features | default([]) }}"

- name: Remove api/api-int dns records
  ignore_errors: true
  community.general.ipa_dnsrecord:
    zone_name: "{{ cluster_base_domain }}"
    record_name: "{{ item }}.{{ inventory_hostname }}"
    record_type: A
    # Without a dedicated API VIP the record points at the first control plane node.
    record_value: "{{ cluster_api_vip | default(control_plans.0.vm_network_ip_address) }}"
    state: absent
    ipa_host: "{{ lookup('ansible.builtin.env', 'IPA_HOST' ) }}"
    ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER' ) }}"
    ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS' ) }}"
    # NOTE(review): TLS verification is disabled while the IPA password from
    # IPA_PASS is sent to IPA_HOST. The Vault task at the end of this file pins a
    # CA bundle (RH_VAULT_CA_CERT_FILENAME); the same approach would work here.
    validate_certs: false
  with_items:
    - api
    - api-int

- name: Remove *.apps dns records
  ignore_errors: true
  community.general.ipa_dnsrecord:
    zone_name: "{{ cluster_base_domain }}"
    record_name: "*.apps.{{ inventory_hostname }}"
    record_type: A
    record_value: "{{ cluster_ingress_vip | default(control_plans.0.vm_network_ip_address) }}"
    state: absent
    ipa_host: "{{ lookup('ansible.builtin.env', 'IPA_HOST' ) }}"
    ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER' ) }}"
    ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS' ) }}"
    # NOTE(review): same unverified TLS connection as in the task above.
    validate_certs: false

# https://github.com/kubevirt/containerized-data-importer/blob/main/doc/upload.md
# Removes the agent ISO DataVolume the VM cdrom disks were cloned from.
- name: Delete DataVolume
  # register: my_var_with_return_value
  ignore_errors: true
  kubernetes.core.k8s:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"

    state: absent
    definition:
      apiVersion: cdi.kubevirt.io/v1beta1
      kind: DataVolume
      metadata:
        name: "{{ inventory_hostname }}-agent-iso"
        namespace: "{{ target_namespace }}"

# Not yet needed
# - name: "Include pre-destroy-cluster-{{ cluster_type }}"
#   include_role:
#     name: cluster
#     tasks_from: "pre-destroy-cluster-{{ cluster_type }}.yaml"

# VM names follow the same <cluster>-cp-<n> / <cluster>-worker-<n> scheme as
# agent-config.yaml.j2.
- name: Destroy control plane VM
  vars:
    vm_name: "{{ inventory_hostname }}-cp-{{ item.0 }}"
  ansible.builtin.include_tasks: "destroy-vm.yaml"
  with_indexed_items: "{{ control_plans }}"

- name: Destroy worker VM
  vars:
    vm_name: "{{ inventory_hostname }}-worker-{{ item.0 }}"
  ansible.builtin.include_tasks: "destroy-vm.yaml"
  with_indexed_items: "{{ workers | default([]) }}"

- name: Delete DataVolume agent-iso
  # register: my_var_with_return_value
  # NOTE(review): this deletes the same DataVolume as "Delete DataVolume" above,
  # and the wait_condition describes a Pod-style "Running" condition that a
  # DataVolume deletion does not report — confirm the wait behaves as intended.
  ignore_errors: true
  kubernetes.core.k8s:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"

    state: absent
    wait: yes
    wait_condition:
      type: Running
      status: True
      reason: Pod is running
    definition:
      apiVersion: cdi.kubevirt.io/v1beta1
      kind: DataVolume
      metadata:
        name: "{{ inventory_hostname }}-agent-iso"
        namespace: "{{ target_namespace }}"

# Removes the copy of the installer auth material kept on the hosting cluster.
- name: Delete installer authentication in a secret
  ignore_errors: true
  kubernetes.core.k8s:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"

    state: absent
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: installer-auth-backup
        namespace: "{{ target_namespace }}"

- name: Delete project
  # Only the generated per-cluster namespace is deleted; a caller-supplied
  # (possibly shared) namespace is left in place.
  when: cluster_custom_namespace is not defined
  ignore_errors: true
  redhat.openshift.k8s:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"

    state: absent
    definition:
      kind: Project
      apiVersion: project.openshift.io/v1
      metadata:
        name: "{{ target_namespace }}"

# Not guarded by ignore_errors: a failure here stops the play, so a stale cluster
# credential in Vault is not left behind silently.
- name: Delete cluster authentfication in Vault
  community.hashi_vault.vault_kv2_delete:
    url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL' ) }}"
    auth_method: approle
    role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID' ) }}"
    secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID' ) }}"
    ca_cert: "{{ lookup('ansible.builtin.env', 'RH_VAULT_CA_CERT_FILENAME' ) }}"
    engine_mount_point: apps

    # NOTE(review): KV v2 delete is a soft delete of the latest version; older
    # versions and metadata remain until destroyed — confirm that is acceptable
    # for a retired cluster credential.
    path: "coe-lab/cluster-credential/stormshift-{{ inventory_hostname }}"

# - name: Delete cluster authentfication in AAP
#   awx.awx.credential:
#     name: "{{ inventory_hostname }}"
#     organization: stormshift
#     state: absent
#     credential_type: "OpenShift Cluster v1"

# ---- /roles/cluster/tasks/destroy-vm.yaml ----
---
# Deletes one VM on the hosting cluster; the caller sets vm_name. Errors are
# ignored so a missing VM does not abort the rest of the teardown.

- name: "Destroy VM {{ target_namespace }}/{{ vm_name }}"
  ignore_errors: true
  kubevirt.core.kubevirt_vm:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"

    state: absent
    wait: true
    name: "{{ vm_name }}"
    namespace: "{{ target_namespace }}"

# ---- /roles/cluster/tasks/download-openshift-artifacts.yml ----
---
# Fetches openshift-install and oc for openshift_version into openshift_install_dest.

- name: Build OpenShift download urls
  ansible.builtin.set_fact:
    tmp_openshift_install_download_url: "{{ openshift_location }}/openshift-install-linux-{{ openshift_version }}.tar.gz"
    tmp_openshift_client_download_url: "{{ openshift_location }}/openshift-client-linux-{{ openshift_version }}.tar.gz"

- name: Init check_urls
  ansible.builtin.set_fact:
    check_urls:
      - "{{ tmp_openshift_install_download_url }}"
      - "{{ tmp_openshift_client_download_url }}"

# select without a test drops empty entries.
- name: Filter check_urls
  ansible.builtin.set_fact:
    check_urls: "{{ check_urls|select|list }}"

# Reachability check only; a 403 is accepted, so this does not prove the URL
# serves the artifact.
- name: Check download urls
  ansible.builtin.uri:
    method: HEAD
    url: "{{ item }}"
    status_code:
      - 200
      # Forbidden because of github forwards to aws s3.
      # HEAD request to S3 is forbidden
      - 403
  with_items: "{{ check_urls }}"

- name: Create OpenShift artifacts directory
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: u+rwx,g+rx,o+rx
  with_items:
    - "{{ openshift_install_dest }}"

# NOTE(review): the tarballs are fetched over HTTPS from openshift_location but
# their contents are not checked against a published digest; `creates:` also
# means an already present binary is never re-validated. Verifying the archive
# against the mirror's sha256sum.txt before extracting would close this gap.
- name: Download OpenShift installer
  ansible.builtin.unarchive:
    src: "{{ tmp_openshift_install_download_url }}"
    dest: "{{ openshift_install_dest }}/"
    remote_src: yes
    mode: u+rwx,g+rx,o+rx
    exclude:
      - 'README.md'
    creates: "{{ openshift_install_dest }}/openshift-install"

- name: Download OpenShift client
  ansible.builtin.unarchive:
    src: "{{ tmp_openshift_client_download_url }}"
    dest: "{{ openshift_install_dest }}/"
    remote_src: yes
    mode: u+rwx,g+rx,o+rx
    exclude:
      - 'README.md'
    creates: "{{ openshift_install_dest }}/oc"

# ---- /roles/cluster/tasks/import-in-acm.yml ----
---
# Registers the new cluster with the ACM hub: namespace, auto-import secret
# holding the admin kubeconfig, ManagedCluster object. No api_key/host is set,
# so these tasks run against whatever cluster the default kube context points at.
- name: Create Namespace
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        # NOTE(review): `labels:` is empty here — confirm it is intentional.
        labels:
        name: "{{ cluster_name }}"

- name: Slurp kubeconfig
  ansible.builtin.slurp:
    src: "{{ openshift_install_dir }}/auth/kubeconfig"
  register: slurp_kubeconfig

# The full cluster-admin kubeconfig is handed to the hub; anyone who can read
# secrets in this hub namespace has admin access to the managed cluster.
- name: Create auto-import-secret
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: auto-import-secret
        namespace: "{{ cluster_name }}"
      stringData:
        autoImportRetry: "5"
        kubeconfig: "{{ slurp_kubeconfig['content'] | b64decode }}"
          GxkKfvD2PKjTPxDPWYyruy9irLZioMffi3i/gCut0ZWtAyO3MVH5qWF/enKwgPES
          X9po+TdCvRB/RUObBaM761EcrLSM1GqHNueSfqnho3AjLQ6dBnPWlo638Zm1VebK
          BELyhkLWMSFkKwDmne0jQ02Y4g075vCKvCsCAwEAAaNjMGEwHQYDVR0OBBYEFH7R
          4yC+UehIIPeuL8Zqw3PzbgcZMB8GA1UdIwQYMBaAFH7R4yC+UehIIPeuL8Zqw3Pz
          bgcZMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
          CwUAA4IBAQBDNvD2Vm9sA5A9AlOJR8+en5Xz9hXcxJB5phxcZQ8jFoG04Vshvd0e
          LEnUrMcfFgIZ4njMKTQCM4ZFUPAieyLx4f52HuDopp3e5JyIMfW+KFcNIpKwCsak
          oSoKtIUOsUJK7qBVZxcrIyeQV2qcYOeZhtS5wBqIwOAhFwlCET7Ze58QHmS48slj
          S9K0JAcps2xdnGu0fkzhSQxY8GPQNFTlr6rYld5+ID/hHeS76gq0YG3q6RLWRkHf
          4eTkRjivAlExrFzKcljC4axKQlnOvVAzz+Gm32U0xPBF4ByePVxCJUHw1TsyTmel
          RxNEp7yHoXcwn+fXna+t5JWh1gxUZty3
          -----END CERTIFICATE-----
          -----BEGIN CERTIFICATE-----
          MIIGcjCCBFqgAwIBAgIFICIEEFwwDQYJKoZIhvcNAQEMBQAwgaMxCzAJBgNVBAYT
          AlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4GA1UEBwwHUmFsZWlnaDEW
          MBQGA1UECgwNUmVkIEhhdCwgSW5jLjETMBEGA1UECwwKUmVkIEhhdCBJVDEZMBcG
          A1UEAwwQSW50ZXJuYWwgUm9vdCBDQTEhMB8GCSqGSIb3DQEJARYSaW5mb3NlY0By
          ZWRoYXQuY29tMCAXDTIzMDQwNTE4MzM0NFoYDzIwNTIwNDAyMTgzMzQ0WjCBozEL
          MAkGA1UEBhMCVVMxFzAVBgNVBAgMDk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdS
          YWxlaWdoMRYwFAYDVQQKDA1SZWQgSGF0LCBJbmMuMRMwEQYDVQQLDApSZWQgSGF0
          IElUMRkwFwYDVQQDDBBJbnRlcm5hbCBSb290IENBMSEwHwYJKoZIhvcNAQkBFhJp
          bmZvc2VjQHJlZGhhdC5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC
          AQCxuloEVglzWXZ9FFFUOSVdpRIB2jW5YBpwgMem2fPZeWIIvrVQ6PL9XNenDOXu
          BHbShD/PApxi/ujSZyOIjLsNh7WDO+0NqpkfTyB9wUYAhx3GTIGY75RSoyZy1yKb
          ZDTKv+rSfui9IlstAMz6L3OQLZES9zAYK8ICiDUwTeNZ7quA6qf0Kam2LyuBc/bl
          BI7WFLOGGWY135P1OUXJgnJUsMhnYMTgvZQyJ2P7eLQpiR8TOr5ZI6CYapiyG64L
          nkr/rsALjSxoUo09Yai1CVO66VFJ/XgMNt3mzQtLDMPXiKUuwsBsgvo4QvLjkXYI
          ii+/YQyQaypsKctG8mefKkTT1kRDKj4LNdTRRgd5tco+b4+O/4upt8mIsx1+tbdM
          LNGEz3Jqd0sj8Fl4Rzus+W+enzXmMfZH86X6bU5tMvueuFd5LV+M9XzliscaEQMK
          EQ7CC72ldrOK2K12Gjb7bu8dKq+aSlNuWK+Gz1NvbwYpaCBYp0JoryvHEq5jrCLP
          lTkuJQ3HaaAf+4LaBm8no9xK2VbDf6l/7Htb5I5LnAAZi0/5TzH07NhHoIeMSmTE
          Ea07i/i5lbhM2qbx6pfLukg24HLCKTdi4Fo6/JqPWH6/3eI55NsoWSmoDdTiLg4v
          1G/rgUVr2N6F36GTYMGqiITvvd4Qm3i9XOTQvsx8RJx4JQIDAQABo4GoMIGlMB0G
          A1UdDgQWBBS1+o3lCnihCZXbTSGGlWpZT0nIizAfBgNVHSMEGDAWgBS1+o3lCnih
          CZXbTSGGlWpZT0nIizAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAR
          BglghkgBhvhCAQEEBAMCAQYwLwYDVR0fBCgwJjAkoCKgIIYeaHR0cDovL29jc3Au
          cmVkaGF0LmNvbS9jcmwucGVtMA0GCSqGSIb3DQEBDAUAA4ICAQCDLaGTS0g2HmMS
          g0i6Z0RVDC7sSnWFgEk2ZO1WUQj5WkFVS7gWxed/mXCzeL2EV1Pd22YKHM1eU1vo
          6b03cbNRXlRGGFksmQeM9h2sVjbP0hRZxqqfI+UW223N8E+qK3wSa8m6nhOfIJie
          DD9s8CdL1VT6l4qq2gR8mVBW7EZ+Ux5u+AMXpN4WPEkcLer2djbfhXoPsJ4r5CcX
          vh7W5rCZbo+0oBI5hrTlG4Tjhv1atqLhMmssjn8NbRrnhrbGF7w8NxFts69GkKDB
          UIXr1pWZSAuRELlIxmvh5ZSX5YTbFmDuTvmNx8RPPy6OY4W1v1BUKp0HyJTi07s2
          8SN+n9htHPHX9XBZctQmOSFLiqhi15LIqI54tR2tSgwH3Z5moh4sy6MuApXstsu4
          qtkII2KZk3SottI8MOS6zqKrU7jPou6ZE0fznNiu23Q3Ksuuj6mBkLVw3bQe68Vm
          NUTDac1oVzc8d5NMbx5kVb4Lahq+SATVFC8NK9G/Pk1AiwO8WhKffySsLeO5nMib
          4BOVq0qFoAi8YCFuJOl9FlH1dPW/TnqlTQMQNhXpzGjU3HV3lr/Mk+ghNgIYcLcz
          pEBsiGwKOVW4nYKIqPLn/36Ao/kfXeAdJhaAZq1SkTbeqNiwHQm3KNHzNObmjD0f
          56vmq8fwQYIcazjrygWiaOnoep/SMw==
          -----END CERTIFICATE-----
      kind: ConfigMap
      metadata:
        # Also consumed by roles/feature-external-secrets (ClusterSecretStore
        # caProvider) — keep the name stable. The CA bundle is pinned inline, so a
        # CA rotation requires editing this task.
        name: redhat-current-it-root-cas
        namespace: openshift-config

# Makes the bundle above part of the cluster-wide trusted CA set (cluster Proxy
# trustedCA), i.e. every component that consumes the trusted-ca bundle will trust
# these Red Hat IT root CAs.
- name: Configure Red Hat Root CA
  kubernetes.core.k8s:
    kubeconfig: "{{ cluster_access_kubeconfig }}"

    state: present
    definition:
      apiVersion: config.openshift.io/v1
      kind: Proxy
      metadata:
        name: cluster
      spec:
        trustedCA:
          name: redhat-current-it-root-cas

# ---- /roles/cluster/tasks/remove-from-acm.yml ----
---
# Reverse of import-in-acm.yml: detaches the cluster from the ACM hub. As there,
# no api_key/host is set, so the default kube context decides which hub is used.

- name: Remove ManagedCluster
  tags: acm
  kubernetes.core.k8s:
    state: absent
    wait: true
    definition:
      apiVersion: cluster.open-cluster-management.io/v1
      kind: ManagedCluster
      metadata:
        name: "{{ cluster_name }}"
        labels:
          cloud: auto-detect
          vendor: auto-detect
          # Hard-coded clusterset, same as in import-in-acm.yml.
          cluster.open-cluster-management.io/clusterset: rbohne
      spec:
        hubAcceptsClient: true


# Deleting the hub namespace also removes the auto-import-secret created by
# import-in-acm.yml.
- name: Remove Namespace
  tags: acm
  kubernetes.core.k8s:
    state: absent
    wait: true
    definition:
      apiVersion: v1
      kind: Namespace
      metadata:
        # NOTE(review): `labels:` is empty here, as in import-in-acm.yml — confirm intentional.
        labels:
        name: "{{ cluster_name }}"


# ---- /roles/cluster/templates/agent-config.yaml.j2 ----
{# Agent-based installer config: one statically addressed host per entry of
   control_plans and workers. Host names must match the vm_name scheme used by
   deploy/destroy (<cluster>-cp-<n>, <cluster>-worker-<n>); MAC addresses must
   match the interface MAC set in deploy-vm.yaml, otherwise the agent cannot
   map a booted VM to its host entry. #}
apiVersion: v1alpha1
kind: AgentConfig
metadata:
  name: {{ inventory_hostname }}
{# The first control plane node acts as rendezvous host. #}
rendezvousIP: {{ control_plans[0]['vm_network_ip_address'] }}
hosts:
{% for host in control_plans %}
  - hostname: {{ inventory_hostname }}-cp-{{ loop.index - 1 }}
    role: master
    interfaces:
      - name: eth0
        macAddress: {{ host.vm_network_mac_address }}
    networkConfig:
      interfaces:
        - name: eth0
          type: ethernet
          state: up
          {# MTU is fixed for the lab bridge network; not derived from the VM NAD. #}
          mtu: 1450
          mac-address: {{ host.vm_network_mac_address }}
          ipv4:
            enabled: true
            address:
              - ip: {{ host.vm_network_ip_address }}
                prefix-length: {{ network_ip_address_prefix_length }}
            dhcp: false
      dns-resolver:
        config:
          server:
{% for dns in network_dns_servers %}
            - {{ dns }}
{% endfor %}
      routes:
        config:
          - destination: 0.0.0.0/0
            next-hop-address: {{ network_default_gw }}
            next-hop-interface: eth0
            table-id: 254
{% endfor %}
{% for host in workers | default([]) %}
  - hostname: {{ inventory_hostname }}-worker-{{ loop.index - 1 }}
    role: worker
    interfaces:
      - name: eth0
        macAddress: {{ host.vm_network_mac_address }}
    networkConfig:
      interfaces:
        - name: eth0
          type: ethernet
          state: up
          mtu: 1450
          mac-address: {{ host.vm_network_mac_address }}
          ipv4:
            enabled: true
            address:
              - ip: {{ host.vm_network_ip_address }}
                prefix-length: {{ network_ip_address_prefix_length }}
            dhcp: false
      dns-resolver:
        config:
          server:
{% for dns in network_dns_servers %}
            - {{ dns }}
{% endfor %}
      routes:
        config:
          - destination: 0.0.0.0/0
            next-hop-address: {{ network_default_gw }}
            next-hop-interface: eth0
            table-id: 254
{% endfor %}

# ---- /roles/cluster/templates/install-config.yaml.j2 ----
{# install-config for the agent-based installer. The rendered file contains the
   pull secret and the SSH public key in clear text and ends up under
   openshift_install_dir on the controller — treat that directory as sensitive. #}
apiVersion: v1
baseDomain: {{ cluster_base_domain }}
cpuPartitioningMode: {{ cluster_cpuPartitioningMode }}
compute:
- architecture: amd64
  hyperthreading: Enabled
  name: worker
  platform: {}
  replicas: {{ workers| default([]) | length }}
controlPlane:
  architecture: amd64
  hyperthreading: Enabled
  name: master
  platform: {}
  replicas: {{ control_plans | length }}
metadata:
  creationTimestamp: null
  name: {{ inventory_hostname }}
networking:
  clusterNetwork:
  - cidr: 10.128.0.0/14
    hostPrefix: 23
  machineNetwork:
  - cidr: {{ network }}/{{ network_ip_address_prefix_length }}
  networkType: OVNKubernetes
  serviceNetwork:
  - 172.30.0.0/16
{# With a VIP the baremetal platform is used; destroy-cluster.yaml uses the same
   cluster_api_vip / cluster_ingress_vip defaults for the DNS records. Assumes
   cluster_ingress_vip is defined whenever cluster_api_vip is. #}
{% if cluster_api_vip is defined %}
platform:
  baremetal:
    apiVIPs:
    - "{{ cluster_api_vip }}"
    ingressVIPs:
    - "{{ cluster_ingress_vip }}"
{% else %}
platform:
  none: {}
{% endif %}
publish: External

{% if cluster_capabilities is defined %}
capabilities:
  {{ cluster_capabilities | to_nice_yaml(indent=2, sort_keys=false) | indent(2,true) }}
{% endif %}

pullSecret:
  '{{ image_pull_secret }}'
sshKey: |
  {{ lookup('ansible.builtin.env', 'SSH_PUBLIC_KEY' ) }}


{% if cluster_imagesource is defined %}
{{ cluster_imagesource | to_nice_yaml(indent=0, sort_keys=false) | indent(0,true) }}
{% endif %}

{% if cluster_additionalTrustBundle is defined %}
additionalTrustBundle: |
  {# NOTE(review): the nested "{{ }}" inside the lookup argument relies on lookup
     terms being templated a second time; passing the variable directly,
     lookup('file', cluster_additionalTrustBundle), avoids that. #}
  {{lookup('file', '{{ cluster_additionalTrustBundle }}') | indent(2,true) }}
{% endif %}

# ---- /roles/cluster/tests/inventory ----
localhost

# ---- /roles/cluster/tests/test.yml ----
---
# NOTE(review): galaxy skeleton leftover; it references role sno_on_kubevirt,
# not this role (cluster).
- hosts: localhost
  remote_user: root
  roles:
    - sno_on_kubevirt

# ---- /roles/cluster/vars/main.yml ----
---
# vars file for sno_on_kubevirt
# (stale header from the skeleton; this is the vars file of the cluster role)

# ---- /roles/feature-coe-sso/defaults/main.yaml ----
---
# Defaults for hosted (HCP) clusters: namespace and name of the HostedCluster on
# the hosting cluster, and the prefix used in the Keycloak client id.
cluster_hcp_namespace: "clusters"
cluster_hcp_name: "{{ inventory_hostname }}"
cluster_hcp_prefix: "stormshift-"

# ---- /roles/feature-coe-sso/tasks/fetch-cluster-information.yaml ----
---
# Reads the cluster credential from Vault and writes the kubeconfig into a
# temporary directory for the following tasks ("temp" is referenced as
# temp.path/kubeconfig in post-deploy.yaml).
- name: Get child cluster access
  community.hashi_vault.vault_kv2_get:
    url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL' ) }}"
    auth_method: approle
    role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID' ) }}"
    secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID' ) }}"
    ca_cert: "{{ lookup('ansible.builtin.env', 'RH_VAULT_CA_CERT_FILENAME' ) }}"
    engine_mount_point: apps

    # Same path destroy-cluster.yaml deletes on teardown.
    path: "coe-lab/cluster-credential/stormshift-{{ inventory_hostname }}"
  register: cluster_credential

- name: Temp folder
  ansible.builtin.tempfile:
    state: "directory"
  register: temp

# NOTE(review): the admin kubeconfig is written with the module's default mode
# (no `mode:` given) and no cleanup task for temp.path is visible in this role;
# a `mode: '0600'` and a final removal of the directory would limit exposure on
# the controller.
- name: Write kubeconfig
  ansible.builtin.copy:
    dest: "{{ temp.path }}/kubeconfig"
    content: "{{ cluster_credential.secret.kubeconfig }}"

# ---- /roles/feature-coe-sso/tasks/post-deploy.yaml ----
---
# Wires SSO groups into cluster RBAC: two local groups plus cluster-wide
# bindings to cluster-admin and cluster-reader. Runs against the new cluster via
# the kubeconfig written by fetch-cluster-information.yaml (presumably included
# from the cluster_type specific tasks).
- name: Include cluster_type specific tasks
  ansible.builtin.include_tasks: "post-deploy-{{ cluster_type }}.yaml"

# Created without members; membership is expected to come from elsewhere (SSO
# group sync or manual edits).
- name: Add group local-cluster-reader
  kubernetes.core.k8s:
    kubeconfig: "{{ temp.path }}/kubeconfig"

    definition:
      apiVersion: user.openshift.io/v1
      kind: Group
      metadata:
        name: local-cluster-reader

- name: Add group local-cluster-admins
  kubernetes.core.k8s:
    kubeconfig: "{{ temp.path }}/kubeconfig"

    definition:
      apiVersion: user.openshift.io/v1
      kind: Group
      metadata:
        name: local-cluster-admins
      # Members: explicit local_cluster_admins plus the "<email>-admin" identities
      # of the requesting AAP user and the cluster owner. The filter binds to the
      # literal list only, so the 'xxx' default sentinels are dropped when either
      # email is unset while local_cluster_admins passes through untouched.
      # NOTE(review): presumably re-applying this list replaces members added by
      # hand on the cluster — verify before relying on manual additions.
      users: "{{
        local_cluster_admins | default([])
        + [
          tower_user_email | default('xxx') + '-admin',
          stormshift_owner_email | default('xxx') + '-admin'
        ] | reject('equalto', 'xxx-admin') }}"

# cluster-admin for the local group above and for the SSO-wide admins group.
- name: Add cluster role coe-cluster-admins
  kubernetes.core.k8s:
    kubeconfig: "{{ temp.path }}/kubeconfig"

    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: coe-cluster-admins
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: local-cluster-admins
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: global-cluster-admins

- name: Add cluster role coe-cluster-readers
  kubernetes.core.k8s:
    kubeconfig: "{{ temp.path }}/kubeconfig"

    definition:
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        creationTimestamp: null
        name: coe-cluster-reader
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-reader
      subjects:
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: local-cluster-reader
        - apiGroup: rbac.authorization.k8s.io
          kind: Group
          name: global-cluster-reader

# ---- /roles/feature-coe-sso/tasks/pre-destroy-classic.yaml ----
---
# Removes the OAuth clients of a classic (self-hosted control plane) cluster from
# both Keycloak realms.
- name: Destroy clients
  ignore_errors: true
  with_items:
    - coe-sso
    - coe-sso-admin
  community.general.keycloak_client:

    # NOTE(review): the master-realm "admin" account is used over a TLS connection
    # that is not verified. A realm-scoped admin (or a service account with
    # manage-clients only) and validate_certs: true with the Red Hat CA bundle
    # would reduce the exposure of sso_admin_pw.
    validate_certs: false
    auth_keycloak_url: https://sso.coe.muc.redhat.com
    auth_realm: master
    auth_username: admin
    auth_password: "{{ sso_admin_pw }}"

    realm: "{{ item }}"
    client_id: "oauth-openshift.apps.{{ inventory_hostname }}.{{ cluster_base_domain }}"
    name: "oauth-openshift.apps.{{ inventory_hostname }}.{{ cluster_base_domain }}"

    state: absent
  delegate_to: localhost

# ---- /roles/feature-coe-sso/tasks/pre-destroy-hosted.yaml ----
---
# Removes the SSO wiring of a hosted (HCP) cluster: the client secret and CA
# ConfigMap on the hosting cluster, then the Keycloak clients.
- name: Destroy clientSecret k8s secret
  kubernetes.core.k8s:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"

    state: absent
    definition:
      apiVersion: v1
      kind: Secret
      type: Opaque
      metadata:
        name: "{{ cluster_hcp_name }}-openid-client-secret-coe-sso"
        namespace: "{{ cluster_hcp_namespace }}"

- name: Remove Red Hat Root CA
  kubernetes.core.k8s:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"

    state: absent
    definition:
      apiVersion: v1
      kind: ConfigMap
      metadata:
        name: "{{ cluster_hcp_name }}-redhat-current-it-root-cas-for-sso"
        namespace: "{{ cluster_hcp_namespace }}"

# NOTE(review): unlike pre-destroy-classic.yaml this task has no ignore_errors,
# so a Keycloak failure aborts the feature teardown here but not there — confirm
# which behaviour is wanted. Same credential/TLS concern as in the classic
# variant: master-realm admin over an unverified TLS connection.
- name: Destroy clients
  with_items:
    - coe-sso
    - coe-sso-admin
  community.general.keycloak_client:

    validate_certs: false
    auth_keycloak_url: https://sso.coe.muc.redhat.com
    auth_realm: master
    auth_username: admin
    auth_password: "{{ sso_admin_pw }}"

    realm: "{{ item }}"
    client_id: "oauth-{{ cluster_hcp_prefix }}{{ cluster_hcp_name }}.apps.isar.coe.muc.redhat.com"
    name: "oauth-{{ cluster_hcp_prefix }}{{ cluster_hcp_name }}.apps.isar.coe.muc.redhat.com"

    state: absent
  delegate_to: localhost

# ---- /roles/feature-coe-sso/tasks/pre-destroy.yaml ----
---
# Dispatches to pre-destroy-classic.yaml or pre-destroy-hosted.yaml.
- name: Include cluster_type specific tasks
  ansible.builtin.include_tasks: "pre-destroy-{{ cluster_type }}.yaml"

# ---- /roles/feature-external-secrets/defaults/main.yaml ----
---

# ---- /roles/feature-external-secrets/files/OperatorConfig.yaml ----
---
# Settings for the External Secrets operator installed by tasks/post-deploy.yaml.
# Three deployments are configured (certController, the controller itself, and
# the webhook); the controller is cluster-scoped because the role uses a
# ClusterSecretStore.
kind: OperatorConfig
apiVersion: operator.external-secrets.io/v1alpha1
metadata:
  name: coe
  namespace: external-secrets
spec:
  affinity: {}
  certController:
    affinity: {}
    create: true
    deploymentAnnotations: {}
    extraArgs: {}
    extraEnv: []
    fullnameOverride: ''
    image:
      pullPolicy: IfNotPresent
      # Upstream image from ghcr.io; tag '' leaves the version to the operator.
      repository: ghcr.io/external-secrets/external-secrets
      tag: ''
    imagePullSecrets: []
    nameOverride: ''
    nodeSelector: {}
    podAnnotations: {}
    podLabels: {}
    podSecurityContext: {}
    priorityClassName: ''
    prometheus:
      enabled: false
      service:
        port: 8080
    rbac:
      create: true
    requeueInterval: 5m
    resources: {}
    securityContext: {}
    serviceAccount:
      annotations: {}
      create: true
      name: ''
    tolerations: []
  concurrent: 1
  controllerClass: ''
  # Cluster-scoped CRDs are enabled because post-deploy.yaml creates a
  # ClusterSecretStore.
  crds:
    createClusterExternalSecret: true
    createClusterSecretStore: true
  createOperator: true
  deploymentAnnotations: {}
  extraArgs: {}
  extraEnv: []
  fullnameOverride: ''
  image:
    pullPolicy: IfNotPresent
    repository: ghcr.io/external-secrets/external-secrets
    tag: ''
  imagePullSecrets: []
  # CRDs come from the OLM bundle, not from the controller (pre-destroy.yaml
  # removes them via the OLM label).
  installCRDs: false
  leaderElect: false
  nameOverride: ''
  nodeSelector: {}
  podAnnotations: {}
  podLabels: {}
  podSecurityContext: {}
  priorityClassName: ''
  processClusterExternalSecret: true
  processClusterStore: true
  prometheus:
    enabled: false
    service:
      port: 8080
  rbac:
    create: true
  replicaCount: 1
  resources: {}
  # No namespace scoping: the controller gets cluster-wide RBAC, which the
  # cluster-scoped resources above require. Every namespace can reference the
  # ClusterSecretStore.
  scopedNamespace: ''
  scopedRBAC: false
  securityContext: {}
  serviceAccount:
    annotations: {}
    create: true
    name: ''
  tolerations: []
  webhook:
    affinity: {}
    certCheckInterval: 5m
    certDir: /tmp/certs
    create: true
    deploymentAnnotations: {}
    extraArgs: {}
    extraEnv: []
    fullnameOverride: ''
    image:
      pullPolicy: IfNotPresent
      repository: ghcr.io/external-secrets/external-secrets
      tag: ''
    imagePullSecrets: []
    nameOverride: ''
    nodeSelector: {}
    podAnnotations: {}
    podLabels: {}
    podSecurityContext: {}
    priorityClassName: ''
    prometheus:
      enabled: false
      service:
        port: 8080
    rbac:
      create: true
    replicaCount: 1
    resources: {}
    securityContext: {}
    serviceAccount:
      annotations: {}
      create: true
      name: ''
    tolerations: []

# ---- /roles/feature-external-secrets/tasks/post-deploy.yaml ----
---
# Installs the External Secrets operator on the new cluster and connects it to
# Vault with the same AppRole this automation uses.
- name: Fetch kubeconfig from vault
  ansible.builtin.include_role:
    name: internal-fetch-kubeconfig

- name: Install External Secrets operator
  kubernetes.core.k8s:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    state: present
    definition:
      - kind: Namespace
        apiVersion: v1
        metadata:
          name: external-secrets

      # The Vault AppRole secret_id is stored on the workload cluster. Anyone who
      # can read Secrets in external-secrets can use it together with the roleId
      # below (which is in the ClusterSecretStore and therefore readable
      # cluster-wide); the Vault policy attached to the AppRole bounds what that
      # grants. NOTE(review): this is the same AppRole identity the automation
      # itself uses (see the Vault tasks in roles/cluster and feature-coe-sso) —
      # confirm its policy is scoped so a cluster tenant cannot reach other
      # clusters' credentials.
      - kind: Secret
        apiVersion: v1
        metadata:
          name: redhat-vault
          namespace: external-secrets
        data:
          token: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID' )| b64encode }}"
        type: Opaque

      # Community catalog, alpha channel, automatic install-plan approval: operator
      # upgrades are applied as soon as the catalog publishes them.
      - kind: Subscription
        apiVersion: operators.coreos.com/v1alpha1
        metadata:
          name: external-secrets-operator
          namespace: openshift-operators
        spec:
          channel: alpha
          installPlanApproval: Automatic
          name: external-secrets-operator
          source: community-operators
          sourceNamespace: openshift-marketplace

- name: Wait for operator pod to be ready
  kubernetes.core.k8s_info:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    kind: Deployment
    name: external-secrets-operator-controller-manager
    namespace: openshift-operators
    wait: yes
    wait_timeout: 300
    wait_condition:
      type: Available
      status: True
      reason: MinimumReplicasAvailable

# Applies files/OperatorConfig.yaml of this role.
- name: Configure External Secrets operator
  kubernetes.core.k8s:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    state: present
    src: OperatorConfig.yaml

- name: Wait for controler pods to be ready
  kubernetes.core.k8s_info:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    kind: Deployment
    # no name here, its three deployments, we wait for all of them to become Available
    namespace: external-secrets
    wait: yes
    wait_timeout: 300
    wait_condition:
      type: Available
      status: True
      reason: MinimumReplicasAvailable

# Cluster-wide store, so ExternalSecret objects in any namespace can pull from
# the "apps" KV v2 mount. Waits for the store to report Ready/Valid, i.e. the
# AppRole login against Vault actually succeeded.
- name: Create ClusterSecretStore
  kubernetes.core.k8s:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    state: present
    wait: yes
    wait_timeout: 300
    wait_condition:
      type: Ready
      status: True
      reason: Valid
    definition:
      kind: ClusterSecretStore
      apiVersion: external-secrets.io/v1beta1
      metadata:
        name: redhat-vault
      spec:
        provider:
          vault:
            auth:
              appRole:
                path: approle
                roleId: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID' ) }}"
                secretRef:
                  key: token
                  name: redhat-vault
                  namespace: external-secrets
            # Vault TLS is verified against the ConfigMap created by
            # roles/cluster/tasks/post-configuration.yaml.
            caProvider:
              key: ca-bundle.crt
              name: redhat-current-it-root-cas
              namespace: openshift-config
              type: ConfigMap
            path: apps
            server: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL' ) }}"
            version: v2

# ---- /roles/feature-external-secrets/tasks/pre-destroy.yaml ----
-------------------------------------------------------------------------------- 1 | --- 2 | - name: Fetch kubeconfig from vault 3 | ansible.builtin.include_role: 4 | name: internal-fetch-kubeconfig 5 | 6 | - name: Remove External Secrets CRs 7 | ignore_errors: true # fails when CRD does not exist otherwise 8 | kubernetes.core.k8s: 9 | kubeconfig: "{{ cluster_access_kubeconfig }}" 10 | state: absent 11 | wait: yes 12 | wait_timeout: 300 13 | definition: 14 | - kind: ClusterSecretStore 15 | apiVersion: external-secrets.io/v1beta1 16 | metadata: 17 | name: redhat-vault 18 | 19 | - kind: OperatorConfig 20 | apiVersion: operator.external-secrets.io/v1alpha1 21 | metadata: 22 | name: coe 23 | namespace: external-secrets 24 | 25 | - name: Remove ClusterServiceVersion 26 | kubernetes.core.k8s: 27 | kubeconfig: "{{ cluster_access_kubeconfig }}" 28 | state: absent 29 | delete_all: true 30 | wait: yes 31 | wait_timeout: 300 32 | kind: ClusterServiceVersion 33 | api_version: operators.coreos.com/v1alpha1 34 | namespace: openshift-operators 35 | label_selectors: 36 | - operators.coreos.com/external-secrets-operator.openshift-operators 37 | 38 | - name: Remove Subscription and Namespace 39 | kubernetes.core.k8s: 40 | kubeconfig: "{{ cluster_access_kubeconfig }}" 41 | state: absent 42 | wait: yes 43 | wait_timeout: 300 44 | definition: 45 | - kind: Subscription 46 | apiVersion: operators.coreos.com/v1alpha1 47 | metadata: 48 | name: external-secrets-operator 49 | namespace: openshift-operators 50 | - kind: Namespace 51 | apiVersion: v1 52 | metadata: 53 | name: external-secrets 54 | 55 | - name: Remove CRDs 56 | kubernetes.core.k8s: 57 | kubeconfig: "{{ cluster_access_kubeconfig }}" 58 | state: absent 59 | delete_all: true 60 | wait: yes 61 | wait_timeout: 300 62 | kind: CustomResourceDefinition 63 | api_version: apiextensions.k8s.io/v1 64 | label_selectors: 65 | - operators.coreos.com/external-secrets-operator.openshift-operators 66 | 
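--------------------------------------------------------------------------------
/roles/feature-kubevirt-csi/README.md:
--------------------------------------------------------------------------------
# Future ansible role to install kubevirt-csi

Right now this is only documentation on how to deploy.

High level:

![](https://github.com/kubevirt/csi-driver/raw/main/docs/high-level-diagram.svg)


* Controller is deployed in infra cluster

## Controller deployment at infra

Note: the `auth/kubeconfig` written by the OpenShift installer is typically a
cluster-admin credential for the tenant cluster. Storing it as a Secret in the
infra cluster gives anyone who can read that Secret full control of the tenant;
prefer a dedicated tenant ServiceAccount token limited to what the CSI
controller needs.

```bash

oc create secret generic tenant-cluster --from-file=value=$HOME/Devel/github.com/stormshift/automation/ocp1/auth/kubeconfig

oc apply -f - <
```

*(The remainder of this README — the manifest piped into `oc apply` and
anything after it — was lost when this page was extracted and cannot be
reconstructed from this view.)*
--------------------------------------------------------------------------------
(file path lost in extraction: ACM removal tasks of roles/feature-manage-with-acm)
--------------------------------------------------------------------------------
---
# Removes a cluster from the ACM hub. Both tasks use ignore_errors so that
# destroying a cluster still completes when the ACM import never happened or
# ACM itself is unhealthy. Hub access comes from the `isar` host's k8s_auth_*
# variables.

# The beginning of this task's name was lost in extraction; it deletes the
# ManagedCluster object on the hub.
- name: "Remove ManagedCluster >{{ acm_hub_clustername }}< from ACM"
  tags: acm
  ignore_errors: true
  kubernetes.core.k8s:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"
    state: absent
    wait: true
    definition:
      apiVersion: cluster.open-cluster-management.io/v1
      kind: ManagedCluster
      metadata:
        name: "{{ acm_hub_clustername }}"

# This is usually done by ACM,
# but we might need it in case ACM failed for some reasons:
- name: "Remove Project >{{ acm_hub_clustername }}< from HubCluster"
  tags: acm
  ignore_errors: true
  redhat.openshift.k8s:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"
    state: absent
    apply: false
    definition:
      kind: Project
      apiVersion: project.openshift.io/v1
      metadata:
        name: "{{ acm_hub_clustername }}"
--------------------------------------------------------------------------------
/roles/feature-redhat-internal-certificate/defaults/main.yaml:
--------------------------------------------------------------------------------
---
# NOTE(review): these values look like they belong to the cluster-hcp role;
# none of this role's visible tasks reads them. Confirm they are needed before
# relying on (or removing) them.
cluster_hcp_namespace: "clusters"
cluster_hcp_name: "{{ inventory_hostname }}"
cluster_hcp_prefix: "stormshift-"
--------------------------------------------------------------------------------
/roles/feature-redhat-internal-certificate/tasks/post-deploy.yaml:
--------------------------------------------------------------------------------
---
# Obtains (or renews) a Red Hat internal certificate for the cluster API name
# and the *.apps wildcard, stores it as a TLS Secret in openshift-ingress and
# makes it the default IngressController certificate.

- name: "Request certificate"
  vars:
    common_name: "api.{{ inventory_hostname }}.{{ cluster_base_domain }}"
    subject_alt_name: "DNS:api.{{ inventory_hostname }}.{{ cluster_base_domain }},DNS:*.apps.{{ inventory_hostname }}.{{ cluster_base_domain }}"
  ansible.builtin.include_role:
    name: req-cert-vault

- name: Fetch kubeconfig from vault
  ansible.builtin.include_role:
    name: internal-fetch-kubeconfig

- name: Fetch cluster certificate
  # The secret includes the private key (certificate.secret.key); keep it out
  # of the job log.
  no_log: true
  community.hashi_vault.vault_kv2_get:
    url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL') }}"
    auth_method: approle
    role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID') }}"
    secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID') }}"
    ca_cert: "{{ lookup('ansible.builtin.env', 'RH_VAULT_CA_CERT_FILENAME') }}"
    engine_mount_point: apps
    path: "coe-lab/certificate/api.{{ inventory_hostname }}.{{ cluster_base_domain }}"
  register: certificate
  # certificate.secret.cert_and_intermediate_pem
  # certificate.secret.key

- name: Apply certificate Secret
  no_log: true  # tls.key is the private key
  kubernetes.core.k8s:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    state: present
    definition:
      apiVersion: v1
      kind: Secret
      metadata:
        name: redhat-cluster-certificate
        namespace: openshift-ingress
      type: kubernetes.io/tls
      immutable: false
      stringData:
        tls.crt: "{{ certificate.secret.cert_and_intermediate_pem }}"
        tls.key: "{{ certificate.secret.key }}"

- name: Set the default IngressController certificate
  kubernetes.core.k8s:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    state: present
    definition:
      apiVersion: operator.openshift.io/v1
      kind: IngressController
      metadata:
        name: default
        namespace: openshift-ingress-operator
      spec:
        defaultCertificate:
          name: redhat-cluster-certificate
    wait: yes
  register: apply_cert

- name: Wait for IngressController to start Progressing
  when: apply_cert is changed
  kubernetes.core.k8s_info:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    kind: IngressController
    name: default
    namespace: openshift-ingress-operator
    wait: yes
    wait_timeout: 480
    wait_condition:
      type: Progressing
      status: "True"

- name: Wait for IngressController to be stable again
  kubernetes.core.k8s_info:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    kind: IngressController
    name: default
    namespace: openshift-ingress-operator
    wait: yes
    wait_timeout: 480
    wait_condition:
      type: Progressing
      status: "False"

# ClusterOperator is cluster-scoped; the namespace the original passed here was
# ignored by the API and is dropped. Presumably the ingress certificate swap
# also makes the kube-apiserver operator roll out — confirm; if not, this wait
# is a harmless no-op.
- name: Wait for API to be stable again
  kubernetes.core.k8s_info:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    kind: ClusterOperator
    name: kube-apiserver
    wait: yes
    wait_timeout: 480
    wait_condition:
      type: Progressing
      status: "False"
--------------------------------------------------------------------------------
/roles/feature-redhat-internal-certificate/tasks/pre-destroy.yaml:
--------------------------------------------------------------------------------
---
# Intentionally empty: nothing is removed from the cluster or from Vault on
# destroy, so the stored certificate/key can be reused on the next deploy.
--------------------------------------------------------------------------------
/roles/feature-rhoai/defaults/main.yaml:
--------------------------------------------------------------------------------
---
# defaults file
rhods_operator_channel: fast
service_mesh_operator_channel: stable
serverless_operator_channel: stable
certmgr_operator_channel: stable-v1

# Pinned upstream KServe release manifest, presumably applied to the cluster by
# this role's post-deploy tasks (not in view). Nothing here verifies its
# integrity, so review a bump of this URL like any other dependency update.
kserve_manifest_url: "https://github.com/kserve/kserve/releases/download/v0.14.1/kserve.yaml"
--------------------------------------------------------------------------------
/roles/feature-rhoai/tasks/pre-destroy.yaml:
--------------------------------------------------------------------------------
---
# Nothing to implement here
--------------------------------------------------------------------------------
/roles/feature-workload-partitioning/defaults/main.yaml:
--------------------------------------------------------------------------------
---
wrkld:
  cpu:
    # CPU set kept for platform/system processes.
    reserved: "0-1"
    # CPU set handed to workloads.
    isolated: "2-3"
  kernel:
    # Switch the node to the real-time kernel.
    realtime: false
--------------------------------------------------------------------------------
/roles/feature-workload-partitioning/tasks/post-deploy.yaml:
--------------------------------------------------------------------------------
---
# Applies a PerformanceProfile that partitions the node's CPUs into a reserved
# (platform) set and an isolated (workload) set, then waits for the resulting
# MachineConfig rollout of the master pool. The retry comment below indicates
# this targets single-node clusters.

- name: Fetch kubeconfig from vault
  ansible.builtin.include_role:
    name: internal-fetch-kubeconfig

- name: Create Performance Profile
  register: performanceProfile
  kubernetes.core.k8s:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    state: present
    definition:
      # See https://docs.openshift.com/container-platform/4.17/scalability_and_performance/enabling-workload-partitioning.html#sample-performance-profile-configuration
      apiVersion: performance.openshift.io/v2
      kind: PerformanceProfile
      metadata:
        name: openshift-node-performance-profile
      spec:
        cpu:
          isolated: "{{ wrkld.cpu.isolated }}"
          reserved: "{{ wrkld.cpu.reserved }}"
        machineConfigPoolSelector:
          pools.operator.machineconfiguration.openshift.io/master: ""
        nodeSelector:
          node-role.kubernetes.io/master: ""
        realTimeKernel:
          enabled: "{{ wrkld.kernel.realtime }}"
        workloadHints:
          realTime: false
          highPowerConsumption: false
          perPodPowerManagement: false

- name: Wait for machineconfig pool to start Updating
  when: performanceProfile is changed
  kubernetes.core.k8s_info:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    kind: MachineConfigPool
    name: master
    api_version: machineconfiguration.openshift.io/v1
    wait: yes
    wait_timeout: 300
    wait_condition:
      type: Updating
      status: "True"

- name: Wait for machineconfig pool to stop Updating
  when: performanceProfile is changed
  # Need hard retries here, as on SNO, API becomes unavailable during reboot,
  # which makes the k8s_info module fail:
  retries: 60
  delay: 10
  register: result
  until: result is not failed
  kubernetes.core.k8s_info:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    kind: MachineConfigPool
    name: master
    api_version: machineconfiguration.openshift.io/v1
    wait: yes
    wait_timeout: 10
    wait_condition:
      type: Updating
      status: "False"
--------------------------------------------------------------------------------
/roles/feature-workload-partitioning/tasks/pre-destroy.yaml:
--------------------------------------------------------------------------------
---
# Removes the PerformanceProfile again, except when the whole cluster is being
# destroyed (the node reboot it would trigger is pointless then) or when no
# kubeconfig could be fetched.

- name: Fetch kubeconfig from vault
  ansible.builtin.include_role:
    name: internal-fetch-kubeconfig
  vars:
    internal_fetch_kubeconfig_ignore_erros: true

- name: Remove Performance profile
  ignore_errors: true
  when: cluster_access_kubeconfig is defined and stormshift_cluster_action != "destroy"
  kubernetes.core.k8s:
    kubeconfig: "{{ cluster_access_kubeconfig }}"
    state: absent
    definition:
      apiVersion: performance.openshift.io/v2
      kind: PerformanceProfile
      metadata:
        name: openshift-node-performance-profile
--------------------------------------------------------------------------------
/roles/internal-fetch-kubeconfig/defaults/main.yaml:
--------------------------------------------------------------------------------
---
# Set to true to let callers continue when no credential exists in Vault
# (cluster_access_kubeconfig then stays undefined). The variable keeps its
# historical spelling ("erros") because callers reference it by this name.
internal_fetch_kubeconfig_ignore_erros: false
--------------------------------------------------------------------------------
/roles/internal-fetch-kubeconfig/tasks/main.yaml:
--------------------------------------------------------------------------------
---
# Fetches the child cluster's kubeconfig from Red Hat Vault and writes it to a
# private temporary file whose path is exposed as `cluster_access_kubeconfig`.
# The temporary directory is not removed here because callers use the file
# afterwards; it relies on the job's working environment being ephemeral.

- name: Get child cluster access
  ignore_errors: "{{ internal_fetch_kubeconfig_ignore_erros }}"
  # The registered secret is a cluster credential; never log it.
  no_log: true
  community.hashi_vault.vault_kv2_get:
    url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL') }}"
    auth_method: approle
    role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID') }}"
    secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID') }}"
    ca_cert: "{{ lookup('ansible.builtin.env', 'RH_VAULT_CA_CERT_FILENAME') }}"
    engine_mount_point: apps
    path: "coe-lab/cluster-credential/stormshift-{{ inventory_hostname }}"
  register: cluster_credential

- name: Temp folder
  when: cluster_credential is not failed
  ansible.builtin.tempfile:
    state: "directory"
  register: temp
  changed_when: False

- name: Set cluster_access_kubeconfig
  when: cluster_credential is not failed
  ansible.builtin.set_fact:
    cluster_access_kubeconfig: "{{ temp.path }}/kubeconfig"

- name: Write kubeconfig
  when: cluster_credential is not failed
  no_log: true
  ansible.builtin.copy:
    dest: "{{ cluster_access_kubeconfig }}"
    content: "{{ cluster_credential.secret.kubeconfig }}"
    # Owner-only permissions: this file is a cluster credential.
    mode: '0600'
  changed_when: False
--------------------------------------------------------------------------------
/roles/req-cert-vault/defaults/main.yaml:
--------------------------------------------------------------------------------
---
ca_url: "https://ca2.corp.redhat.com"
ca_profile: caDirServerCert-coe-lab-mgmt-domains

# Verify the CA server's TLS certificate when submitting the request. The
# request body carries the RHCA_USER/RHCA_PASS credentials, so only disable
# this as a deliberate, documented exception. Point ca_ca_path at a PEM bundle
# if the CA's web certificate is not trusted by the execution environment.
ca_validate_certs: true
# ca_ca_path: /path/to/ca-bundle.pem

# Request a new certificate when the stored one expires in less than this
# many seconds.
#  3 months = 2628000 seconds
# 12 months = 31536000 seconds
renew_in_seconds: 2628000

# Mail the certificate material to the requester (see tasks/sent-email.yaml).
sent_email: false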
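--------------------------------------------------------------------------------
/roles/req-cert-vault/tasks/main.yaml:
--------------------------------------------------------------------------------
---
# Looks up the certificate for `common_name` in Vault and requests a new one
# when none is stored or the stored one expires within `renew_in_seconds`.
# Expects `common_name` and `subject_alt_name` from the caller.

- name: Get certificate from Vault
  # The secret also carries the private key; keep it out of the log. (With
  # no_log a real Vault failure is reported without detail — re-run this task
  # without no_log when debugging access problems.)
  no_log: true
  community.hashi_vault.vault_kv2_get:
    url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL') }}"
    auth_method: approle
    role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID') }}"
    secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID') }}"
    ca_cert: "{{ lookup('ansible.builtin.env', 'RH_VAULT_CA_CERT_FILENAME') }}"
    engine_mount_point: apps
    path: "coe-lab/certificate/{{ common_name }}"
  register: certificate
  # A missing secret is the normal "first request" case, not an error.
  ignore_errors: true

- name: Request a certificate when none is stored or it expires within renew_in_seconds
  ansible.builtin.include_tasks: request-cert.yaml
  when: >-
    certificate.failed
    or ((certificate.secret.not_after_epoch | int) - (now().timestamp() | int)) < renew_in_seconds

- name: Include optional E-Mail sent
  ansible.builtin.include_tasks: sent-email.yaml
  when: sent_email
--------------------------------------------------------------------------------
/roles/req-cert-vault/tasks/request-cert.yaml:
--------------------------------------------------------------------------------
---
# Generates a key pair and CSR, has the Red Hat CA issue the certificate,
# checks the returned chain and stores everything (including the private key)
# in Vault. All key material lives in a temporary directory that is removed at
# the end; on a failure in between it stays behind, so a block/always cleanup
# would be the next improvement.

- name: Temp folder
  ansible.builtin.tempfile:
    state: "directory"
    suffix: "{{ common_name }}"
  register: temp

- name: Generate Private Key
  community.crypto.openssl_privatekey:
    path: "{{ temp.path }}/key"
    size: 4096
    mode: '0600'
  register: private_key

- name: Slurp private key
  # The registered content is the private key; never print it.
  no_log: true
  ansible.builtin.slurp:
    src: "{{ private_key.filename }}"
  register: private_key_file

- name: Generate Certificate Signing Request
  community.crypto.openssl_csr:
    # Keep the CSR next to the key instead of littering the playbook directory.
    path: "{{ temp.path }}/{{ common_name }}.csr"
    privatekey_path: "{{ private_key.filename }}"
    use_common_name_for_san: true
    # subject_alt_name: 'DNS:www.ansible.com,DNS:m.ansible.com'
    subject_alt_name: "{{ subject_alt_name }}"
    common_name: "{{ common_name }}"
    organizational_unit_name: "coe-lab-muc"
    return_content: true
  register: csr

# The CA REST API is called with the RHCA_USER/RHCA_PASS credentials in the
# request body. They only stay confidential if the server's TLS certificate is
# verified: with `validate_certs: false` anyone on the path can impersonate the
# CA and harvest them. Verification is therefore on by default; set
# `ca_validate_certs: false` only as a deliberate, documented exception, or set
# `ca_ca_path` to the bundle that signs the CA's web certificate.
- name: Request Certificate
  no_log: true  # the body carries the CA password
  ansible.builtin.uri:
    url: "{{ ca_url }}/ca/rest/certrequests"
    method: POST
    body_format: json
    validate_certs: "{{ ca_validate_certs | default(true) }}"
    ca_path: "{{ ca_ca_path | default(omit) }}"
    headers:
      Accept: 'application/json'
    body:
      Renewal: false
      ProfileID: "{{ ca_profile }}"
      Attributes:
        Attribute:
          - name: "uid"
            value: "{{ lookup('ansible.builtin.env', 'RHCA_USER') }}"
          - name: "pwd"
            value: "{{ lookup('ansible.builtin.env', 'RHCA_PASS') }}"
      Input:
        - id: i1
          ClassID: certReqInputImpl
          Name: "Certificate Request Input"
          Attribute:
            - name: "cert_request_type"
              Value: "pkcs10"
            - name: cert_request
              Value: "{{ csr.csr }}"
  register: crt_req

# Without a certURL the request was not issued (e.g. it is pending approval);
# fail here with the reported status instead of on an undefined variable
# below. `requestStatus` is the Dogtag field name; it falls back to 'unknown'.
- name: Check that the CA issued the certificate
  ansible.builtin.assert:
    that:
      - crt_req.json.entries is defined
      - crt_req.json.entries | length > 0
      - crt_req.json.entries[0].certURL is defined
    fail_msg: "CA did not return a certificate URL (request status: {{ (crt_req.json.entries | default([]) | first | default({})).requestStatus | default('unknown') }})"

- name: Retrieve Certificate
  ansible.builtin.uri:
    url: "{{ crt_req.json.entries[0].certURL }}"
    method: GET
    body_format: json
    validate_certs: "{{ ca_validate_certs | default(true) }}"
    ca_path: "{{ ca_ca_path | default(omit) }}"
    headers:
      Accept: 'application/json'
  register: crt

- name: Write pkcs7
  ansible.builtin.copy:
    content: |
      -----BEGIN PKCS7-----
      {{ crt.json.PKCS7CertChain -}}
      -----END PKCS7-----
    dest: "{{ temp.path }}/pkcs7"

- name: Convert pkcs7 into full-chain.pem
  ansible.builtin.command:
    chdir: "{{ temp.path }}"
    cmd: "openssl pkcs7 -print_certs -in pkcs7 -out full-chain.pem"

- name: Extract full-chain.pem
  ansible.builtin.set_fact:
    full_chain: "{{ lookup('ansible.builtin.file', temp.path ~ '/full-chain.pem') | community.crypto.split_pem }}"

# The rest of this file and the Vault layout assume exactly leaf,
# intermediate and root, in that order.
- name: Check chain length
  ansible.builtin.fail:
    msg: "full chain does not have the expected length of 3 (leaf, intermediate, root); got {{ full_chain | length }}"
  when: full_chain | length != 3

- name: Get information on the certificates in the chain
  community.crypto.x509_certificate_info:
    content: "{{ item }}"
  loop: "{{ full_chain }}"
  loop_control:
    index_var: chain_index
    label: "cert {{ chain_index }}"
  register: chain_info

- name: Print chain
  ansible.builtin.debug:
    msg:
      - "Cert {{ chain_index }} subject commonName: {{ item.subject.commonName }}"
      - "Cert {{ chain_index }} issuer commonName: {{ item.issuer.commonName }}"
  loop: "{{ chain_info.results }}"
  loop_control:
    index_var: chain_index
    label: "cert {{ chain_index }}"

- name: Store the cert data in Red Hat Vault
  no_log: true  # the payload includes the private key
  community.hashi_vault.vault_kv2_write:
    url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL') }}"
    auth_method: approle
    role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID') }}"
    secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID') }}"
    ca_cert: "{{ lookup('ansible.builtin.env', 'RH_VAULT_CA_CERT_FILENAME') }}"
    engine_mount_point: apps
    path: "coe-lab/certificate/{{ common_name }}"
    data:
      common_name: "{{ common_name }}"
      subject_alt_name: "{{ subject_alt_name }}"
      not_after_epoch: "{{ (crt.json.NotAfter | to_datetime('%a %b %d %H:%M:%S %Z %Y')).strftime('%s') }}"
      root_ca_pem: "{{ full_chain[2] }}"
      cert_pem: "{{ full_chain[0] }}"
      intermediate_pem: "{{ full_chain[1] }}"
      cert_and_intermediate_pem: |
        {{ full_chain[0] }}
        {{ full_chain[1] }}
      pkcs7: |
        -----BEGIN PKCS7-----
        {{ crt.json.PKCS7CertChain -}}
        -----END PKCS7-----
      key: "{{ private_key_file.content | b64decode }}"

# Everything needed later is in Vault (and in registered variables); do not
# leave the private key on disk.
- name: Remove temporary key material
  ansible.builtin.file:
    path: "{{ temp.path }}"
    state: absent
--------------------------------------------------------------------------------
/roles/req-cert-vault/tasks/sent-email.yaml:
--------------------------------------------------------------------------------
---
# Mails the requester the certificate material stored in Vault for
# `common_name`. The attachments include the private key (cert-key.pem), so
# the mail path is as sensitive as Vault itself: TLS to the relay is required
# below, but mailbox storage is outside our control. Consider sending only the
# certificate chain and pointing the requester at the Vault path for the key.

- name: Get certificate from Vault
  no_log: true  # includes the private key
  community.hashi_vault.vault_kv2_get:
    url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL') }}"
    auth_method: approle
    role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID') }}"
    secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID') }}"
    ca_cert: "{{ lookup('ansible.builtin.env', 'RH_VAULT_CA_CERT_FILENAME') }}"
    engine_mount_point: apps
    path: "coe-lab/certificate/{{ common_name }}"
  register: certificate

- name: E-Mail temp folder
  ansible.builtin.tempfile:
    state: "directory"
    suffix: "{{ common_name }}"
  register: email_temp

- name: Write files into E-Mail temp
  no_log: true  # one of the items is the private key
  loop:
    - { key: 'root_ca_pem', filename: 'root_ca.pem' }
    - { key: pkcs7, filename: cert.pkcs7 }
    - { key: key, filename: cert-key.pem }
    - { key: cert_pem, filename: cert.pem }
    - { key: intermediate_pem, filename: intermediate.pem }
    - { key: cert_and_intermediate_pem, filename: cert_and_intermediate.pem }
  ansible.builtin.copy:
    content: "{{ certificate.secret[item.key] }}"
    dest: "{{ email_temp.path }}/{{ item.filename }}"
    mode: '0600'

- name: Send E-Mail to requester
  community.general.mail:
    host: smtp.corp.redhat.com
    port: 25
    # Require STARTTLS: the module default ("try") silently falls back to
    # plaintext, which would put the private key on the wire unencrypted.
    secure: starttls
    subject: "Requested Munich COE Lab Certificate ({{ common_name }})"
    body: |
      Hello {{ tower_user_name }},

      attached your requested certificates.

      Regards
      COE Lab Team

    from: "coe-lab-stormshift-notifications@redhat.com"
    to: "{{ tower_user_name }} <{{ tower_user_email }}>"
    attach:
      - "{{ email_temp.path }}/root_ca.pem"
      - "{{ email_temp.path }}/cert.pkcs7"
      - "{{ email_temp.path }}/cert-key.pem"
      - "{{ email_temp.path }}/cert.pem"
      - "{{ email_temp.path }}/intermediate.pem"
      - "{{ email_temp.path }}/cert_and_intermediate.pem"

- name: Remove E-Mail temp folder
  ansible.builtin.file:
    path: "{{ email_temp.path }}"
    state: absent
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/README.md:
--------------------------------------------------------------------------------
ushift_ostree_on_kubevirt
=========================

Creates and destroys MicroShift (ostree-based) virtual machines on a KubeVirt
infra cluster, including the DHCP reservation and FreeIPA DNS records for each
host (see the task files under `tasks/`).

Requirements
------------

Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.

Role Variables
--------------

A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.

Dependencies
------------

A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.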
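
Example Playbook
----------------

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

    - hosts: servers
      roles:
         - { role: ushift_ostree_on_kubevirt, vm_cores: 2 }

License
-------

BSD

Author Information
------------------

An optional section for the role authors to include contact information, or a website (HTML is not allowed).
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/defaults/main.yml:
--------------------------------------------------------------------------------
---
artifacts_dir: "{{ playbook_dir }}"
# VM sizing for the MicroShift guest.
vm_cores: 2
vm_memory: "4Gi"
vm_disk: "32Gi"
# Verify the FreeIPA server's TLS certificate when managing DNS records. The
# IPA calls authenticate with a password, so only set this to false as a
# deliberate, documented exception.
ipa_validate_certs: true
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for ushift_ostree_on_kubevirt (none defined yet)
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/meta/main.yml:
--------------------------------------------------------------------------------
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  # NOTE(review): still the galaxy placeholder; the README states BSD, so a
  # matching SPDX id (e.g. BSD-3-Clause) should go here.
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.1

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    #       Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.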
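--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tasks/100-create.yml:
--------------------------------------------------------------------------------
---
# Create flow for one MicroShift host: DHCP reservation, DNS records, VM.

- name: Configure DHCP
  ansible.builtin.include_tasks: 110-create-dhcp.yml
  tags: dhcp

- name: Configure DNS
  ansible.builtin.include_tasks: 120-create-dns.yml
  tags: dns

- name: Create VM
  ansible.builtin.include_tasks: 130-create-vm.yml
  tags: vm
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tasks/110-create-dhcp.yml:
--------------------------------------------------------------------------------
---
# Adds a fixed-address reservation (with the UEFI boot file for network boot)
# for this host to the DHCP server's include file and restarts dhcpd once.
# The fragment is not validated with `dhcpd -t` because on its own it lacks
# the subnet context of the main config.

- name: Configure DHCP
  tags: dhcp
  delegate_to: "{{ sysctx_network_dhcp }}"
  # Serialize edits: all hosts write the same file.
  throttle: 1
  ansible.builtin.blockinfile:
    path: /etc/dhcp/dhcpd-dfroehli-edge.conf
    marker: "# {mark} ANSIBLE MANAGED {{ inventory_hostname }}"
    # append_newline: true
    # prepend_newline: true
    block: |
      host {{ inventory_hostname }} {
        hardware ethernet {{ network_mac_address }};
        fixed-address {{ network_ip_address }};
        option host-name "{{ inventory_hostname }}";
        option domain-name "{{ sysctx_dns_domain }}";
        ddns-hostname "{{ inventory_hostname }}.{{ sysctx_dns_domain }}";
        filename "{{ ushift_uefi_boot_file }}";
      }
  register: dhcp

- name: Restart DHCP
  run_once: true
  tags: dhcp
  delegate_to: "{{ sysctx_network_dhcp }}"
  # With run_once the condition is evaluated for the first host only, so a
  # change made for any other host would not trigger the restart. Look at
  # every host's registered result instead.
  when: >-
    ansible_play_hosts
    | map('extract', hostvars, 'dhcp')
    | select('defined')
    | selectattr('changed', 'defined')
    | map(attribute='changed')
    | select
    | list
    | length > 0
  ansible.builtin.service:
    name: dhcpd
    enabled: yes
    state: restarted
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tasks/120-create-dns.yml:
--------------------------------------------------------------------------------
---
# Creates the forward (A) and reverse (PTR) records for the MicroShift host in
# FreeIPA. Credentials come from IPA_USER/IPA_PASS in the automation
# environment.
#
# Security: the IPA API is authenticated with a password, so the server's TLS
# certificate must be verified or the password can be captured by anyone able
# to interpose on the path. Verification is on by default; set
# `ipa_validate_certs: false` only as a deliberate, documented exception.

- name: "Configure DNS A records for {{ inventory_hostname }} -> {{ network_ip_address }}"
  tags: dns
  delegate_to: localhost
  community.general.ipa_dnsrecord:
    zone_name: "{{ sysctx_dns_domain }}"
    record_type: A
    record_name: "{{ item }}"
    record_value: "{{ network_ip_address }}"
    state: present
    ipa_host: "{{ sysctx_network_dns }}"
    ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER') }}"
    ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS') }}"
    validate_certs: "{{ ipa_validate_certs | default(true) }}"
  loop:
    - "{{ inventory_hostname }}"
    - "*.apps.{{ inventory_hostname }}"

- name: "Configure DNS PTR records {{ network_ip_address }} -> {{ inventory_hostname }}"
  tags: dns
  delegate_to: localhost
  community.general.ipa_dnsrecord:
    zone_name: "{{ sysctx_dns_domain_reverse }}"
    record_type: PTR
    # The reverse record name is the reversed host part of the address:
    # for aa.bb.cc.dd this is dd.cc (the /16 reverse zone holds the rest).
    record_name: "{{ network_ip_address.split('.')[3] | int }}.{{ network_ip_address.split('.')[2] | int }}"
    record_value: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}."
    state: present
    ipa_host: "{{ sysctx_network_dns }}"
    ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER') }}"
    ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS') }}"
    validate_certs: "{{ ipa_validate_certs | default(true) }}"
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tasks/130-create-vm.yml:
--------------------------------------------------------------------------------
---
# Creates the MicroShift VM on the KubeVirt infra cluster (credentials from
# the `isar` host) with a blank root disk, a bridged NIC on coe-bridge that
# network-boots via the DHCP reservation, and waits for SSH and the MicroShift
# API to answer.

- name: Create MicroShift VM "{{ ushift_virt_namespace }}/{{ inventory_hostname }}"
  tags: vm
  throttle: 4
  delegate_to: localhost
  kubevirt.core.kubevirt_vm:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"
    state: present
    running: true # default
    wait: true
    wait_timeout: 480
    name: "{{ inventory_hostname }}"
    labels:
      vm_group: "{{ group_names[0] }}"
    namespace: "{{ ushift_virt_namespace }}"
    spec:
      # We want to be co-located with img bld where the ostree-commits
      # are being served from, and we make this required because imgbld
      # has to run for this demo to work:
      # affinity:
      #   podAffinity:
      #     requiredDuringSchedulingIgnoredDuringExecution:
      #     - labelSelector:
      #         matchExpressions:
      #         - key: vm.kubevirt.io/name
      #           operator: In
      #           values:
      #           - ushift-imgbld
      #       topologyKey: kubernetes.io/hostname
      # For larger fleets, we want to have anti-affinity to distribute across nodes, to better leverage
      # network resource:
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                  matchExpressions:
                    - key: vm_group
                      operator: In
                      values:
                        - "{{ group_names[0] }}"
                topologyKey: kubernetes.io/hostname
      domain:
        cpu:
          cores: "{{ vm_cores }}"
          sockets: 1
          threads: 1
        memory:
          guest: "{{ vm_memory }}"
        resources:
          requests:
            memory: "{{ vm_memory }}"
            # Half a CPU per vCPU as an integer millicore quantity (the
            # original float expression yielded e.g. "1000.0m").
            cpu: "{{ (vm_cores * 500) | int }}m"
        features:
          acpi: {}
          smm:
            enabled: true
        firmware:
          bootloader:
            efi:
              # Secure Boot is deliberately off while SMM, persistent EFI vars
              # and a persistent TPM are on — presumably because the ostree
              # image's bootloader is not signed for the OVMF keys (confirm).
              # Re-enable once the image boots under Secure Boot; with it off
              # the TPM measurements do not prevent an unsigned boot chain.
              secureBoot: false
              persistent: true
        # kernelBoot:
        #   kernelArgs: --- test me later ---
        machine:
          type: q35
        devices:
          disks:
            - disk:
                bus: virtio
              name: root-disk
              bootOrder: 1
          interfaces:
            - bridge: {}
              macAddress: "{{ network_mac_address }}"
              model: virtio
              name: net-0
              bootOrder: 2
          tpm:
            persistent: true
        clock:
          timezone: Etc/GMT
      networks:
        - multus:
            networkName: coe-bridge
          name: net-0
      volumes:
        - dataVolume:
            name: "{{ inventory_hostname }}-root"
          name: root-disk
    data_volume_templates:
      - metadata:
          name: "{{ inventory_hostname }}-root"
        spec:
          storage:
            storageClassName: "{{ ushift_vm_storageclass }}"
            accessModes:
              - ReadWriteMany
            volumeMode: Block
            resources:
              requests:
                storage: "{{ vm_disk }}"
          source:
            blank: {}

- name: Wait for VM to be online
  delegate_to: localhost
  ansible.builtin.wait_for:
    host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}"
    port: 22
    state: started
    sleep: 2
    timeout: 1200

- name: Wait for MicroShift to be online
  delegate_to: localhost
  ansible.builtin.wait_for:
    host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}"
    port: 443
    state: started
    sleep: 2
    timeout: 300
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tasks/200-destroy.yml:
--------------------------------------------------------------------------------
---
# Destroy flow: reverse of 100-create.yml.

- name: Destroy VM
  ansible.builtin.include_tasks: 210-destroy-vm.yml
  tags: vm

- name: Remove DNS records
  ansible.builtin.include_tasks: 220-destroy-dns.yml
  tags: dns

- name: Remove DHCP records
  ansible.builtin.include_tasks: 230-destroy-dhcp.yml
  tags: dhcp
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tasks/210-destroy-vm.yml:
--------------------------------------------------------------------------------
---
# Deletes the VM (and, through the DataVolume template, its root disk).

- name: Remove MicroShift VM
  tags: vm
  delegate_to: localhost
  kubevirt.core.kubevirt_vm:
    api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}"
    host: "{{ hostvars['isar']['k8s_auth_host'] }}"
    validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}"
    state: absent
    wait: true
    name: "{{ inventory_hostname }}"
    namespace: "{{ ushift_virt_namespace }}"
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tasks/220-destroy-dns.yml:
--------------------------------------------------------------------------------
---
# Removes the A and PTR records created by 120-create-dns.yml. As there, the
# IPA server certificate is verified unless `ipa_validate_certs` is false.

- name: "Remove DNS A records for {{ inventory_hostname }} -> {{ network_ip_address }}"
  tags: dns
  delegate_to: localhost
  community.general.ipa_dnsrecord:
    zone_name: "{{ sysctx_dns_domain }}"
    record_type: A
    record_name: "{{ item }}"
    record_value: "{{ network_ip_address }}"
    state: absent
    ipa_host: "{{ sysctx_network_dns }}"
    ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER') }}"
    ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS') }}"
    validate_certs: "{{ ipa_validate_certs | default(true) }}"
  loop:
    - "{{ inventory_hostname }}"
    - "*.apps.{{ inventory_hostname }}"

- name: Remove DNS PTR records
  tags: dns
  delegate_to: localhost
  community.general.ipa_dnsrecord:
    zone_name: "{{ sysctx_dns_domain_reverse }}"
    record_type: PTR
    # The reverse record name is the reversed host part of the address.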
    # From aa.bb.cc.dd this is dd.cc (assumes a /16 reverse zone — confirm).
    record_name: "{{ network_ip_address.split('.')[3]|int }}.{{ network_ip_address.split('.')[2]|int }}"
    record_value: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}."
    state: absent
    ipa_host: "{{ sysctx_network_dns }}"
    ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER' ) }}"
    ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS' ) }}"
    validate_certs: false
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tasks/230-destroy-dhcp.yml:
--------------------------------------------------------------------------------
---

- name: Remove DHCP
  tags: dhcp
  delegate_to: "{{ sysctx_network_dhcp }}"
  # All hosts edit the same file on the DHCP server; serialize to avoid lost updates.
  throttle: 1
  blockinfile:
    path: /etc/dhcp/dhcpd-dfroehli-edge.conf
    marker: "# {mark} ANSIBLE MANAGED {{inventory_hostname}}"
    # state: absent removes the block between the markers; the block text below
    # only has to match the markers, not the content.
    state: absent
    block: |
      host {{inventory_hostname}} {
        hardware ethernet {{ network_mac_address }};
        fixed-address {{ network_ip_address }};
        option host-name "{{inventory_hostname}}";
        option domain-name "{{ sysctx_dns_domain }}";
        ddns-hostname "{{ inventory_hostname }}.{{ sysctx_dns_domain }}";
        filename "{{ ushift_uefi_boot_file }}";
      }
  register: dhcp

- name: Restart DHCP
  # NOTE(review): with run_once the `when` below is evaluated with the first host's
  # variables only, so a change made for any other host does not trigger the restart.
  run_once: true
  tags: dhcp
  delegate_to: "{{ sysctx_network_dhcp }}"
  service:
    name: dhcpd
    enabled: yes
    state: restarted
  when: dhcp is changed
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tests/inventory:
--------------------------------------------------------------------------------
localhost

--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/tests/test.yml:
--------------------------------------------------------------------------------
---
- hosts: localhost
  remote_user: root
  # NOTE(review): the role named here is sno_on_kubevirt, not ushift_ostree_on_kubevirt;
  # looks like a leftover from the scaffold this role was copied from.
  roles:
    - sno_on_kubevirt
--------------------------------------------------------------------------------
/roles/ushift_ostree_on_kubevirt/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for sno_on_kubevirt
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/README.md:
--------------------------------------------------------------------------------
Role Name
=========

A brief description of the role goes here.

Requirements
------------

Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.

Role Variables
--------------

A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.

Dependencies
------------

A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.

Example Playbook
----------------

Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:

    - hosts: servers
      roles:
         - { role: username.rolename, x: 42 }

License
-------

BSD

Author Information
------------------

An optional section for the role authors to include contact information, or a website (HTML is not allowed).

--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/defaults/main.yml:
--------------------------------------------------------------------------------
---
# defaults file for sno_on_kubevirt

artifacts_dir: "{{ playbook_dir }}"
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/handlers/main.yml:
--------------------------------------------------------------------------------
---
# handlers file for sno_on_kubevirt
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/meta/main.yml:
--------------------------------------------------------------------------------
# NOTE(review): unmodified ansible-galaxy scaffold (placeholder author/license); fill in or drop.
galaxy_info:
  author: your name
  description: your role description
  company: your company (optional)

  # If the issue tracker for your role is not on github, uncomment the
  # next line and provide a value
  # issue_tracker_url: http://example.com/issue/tracker

  # Choose a valid license ID from https://spdx.org - some suggested licenses:
  # - BSD-3-Clause (default)
  # - MIT
  # - GPL-2.0-or-later
  # - GPL-3.0-only
  # - Apache-2.0
  # - CC-BY-4.0
  license: license (GPL-2.0-or-later, MIT, etc)

  min_ansible_version: 2.1

  # If this a Container Enabled role, provide the minimum Ansible Container version.
  # min_ansible_container_version:

  #
  # Provide a list of supported platforms, and for each platform a list of versions.
  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
  # To view available platforms and versions (or releases), visit:
  # https://galaxy.ansible.com/api/v1/platforms/
  #
  # platforms:
  # - name: Fedora
  #   versions:
  #   - all
  #   - 25
  # - name: SomePlatform
  #   versions:
  #   - all
  #   - 1.0
  #   - 7
  #   - 99.99

  galaxy_tags: []
    # List tags for your role here, one per line. A tag is a keyword that describes
    # and categorizes the role. Users find roles by searching for tags. Be sure to
    # remove the '[]' above, if you add tags to this list.
    #
    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
    # Maximum 20 tags per role.

dependencies: []
  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
  # if you add dependencies to this list.
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/tasks/100-create.yml:
--------------------------------------------------------------------------------
---

# Entry point for creating an RPM-based MicroShift VM; each step is tagged so it
# can be run on its own.
- name: Configure DHCP
  ansible.builtin.include_tasks: 110-create-dhcp.yml
  tags: dhcp

- name: Configure DNS
  ansible.builtin.include_tasks: 120-create-dns.yml
  tags: dns

- name: Create VM
  ansible.builtin.include_tasks: 130-create-vm.yml
  tags: vm

# NOTE(review): 150-ushift-preinstall-rpm.yml does not appear in this listing;
# include_tasks fails at runtime if the file is missing — confirm it exists.
- name: Preinstall MicroShift
  ansible.builtin.include_tasks: 150-ushift-preinstall-rpm.yml
  tags: pre

- name: Install MicroShift
  ansible.builtin.include_tasks: 160-ushift-install-rpm.yml
  tags: install

- name: Postinstall MicroShift
  ansible.builtin.include_tasks: 170-ushift-postinstall-rpm.yml
  tags: post,acm
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/tasks/110-create-dhcp.yml:
--------------------------------------------------------------------------------
---

- name: Configure DHCP
  tags: dhcp
  # All hosts edit the same file on the DHCP server; serialize to avoid lost updates.
  throttle: 1
  delegate_to: "{{ sysctx_network_dhcp }}"
  blockinfile:
    # Hard-coded per-environment config file on the DHCP server.
    path: /etc/dhcp/dhcpd-dfroehli-edge.conf
    marker: "# {mark} ANSIBLE MANAGED {{inventory_hostname}}"
    # append_newline: true
    # prepend_newline: true
    # Static reservation: the VM's MAC maps to the IP that the DNS tasks publish.
    block: |
      host {{inventory_hostname}} {
        hardware ethernet {{ network_mac_address }};
        fixed-address {{ network_ip_address }};
        option host-name "{{inventory_hostname}}";
        option domain-name "{{ sysctx_dns_domain }}";
        ddns-hostname "{{ inventory_hostname }}.{{ sysctx_dns_domain }}";
      }
  register: dhcp

- name: Restart DHCP
  tags: dhcp
  # NOTE(review): with run_once the `when` below is evaluated with the first host's
  # variables only, so a change made for any other host does not trigger the restart.
  run_once: true
  delegate_to: "{{ sysctx_network_dhcp }}"
  service:
    name: dhcpd
    enabled: yes
    state: restarted
  when: dhcp is changed
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/tasks/120-create-dns.yml:
--------------------------------------------------------------------------------
---
- name: "Configure DNS A records for {{ inventory_hostname }} -> {{ network_ip_address }}"
  tags: dns
  local_action:
    module: community.general.ipa_dnsrecord
    zone_name: "{{ sysctx_dns_domain }}"
    record_type: A
    record_name: "{{ item }}"
    record_value: "{{ network_ip_address }}"
    state: present
    ipa_host: "{{ sysctx_network_dns }}"
    # IPA credentials come from the controller's environment, not from inventory.
    ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER' ) }}"
    ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS' ) }}"
    # NOTE(review): TLS verification towards the IPA server is switched off while
    # the IPA password is sent; prefer validate_certs: true with the IPA CA trusted
    # on the controller.
    validate_certs: false
  # One A record for the host itself and one wildcard for application routes.
  with_items:
    - "{{ inventory_hostname }}"
    - "*.apps.{{ inventory_hostname }}"

- name: "Configure DNS PTR records {{ network_ip_address }} -> {{ inventory_hostname }}"
  tags: dns
  local_action:
    module: community.general.ipa_dnsrecord
    zone_name: "{{ sysctx_dns_domain_reverse }}"
    record_type: PTR
    # The reverse-zone record name needs to be reversed.
26 | # From aa.bb.cc.dd this is dd.cc 27 | record_name: "{{ network_ip_address.split('.')[3]|int }}.{{ network_ip_address.split('.')[2]|int }}" 28 | record_value: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}." 29 | state: present 30 | ipa_host: "{{ sysctx_network_dns }}" 31 | ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER' ) }}" 32 | ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS' ) }}" 33 | validate_certs: false 34 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/tasks/130-create-vm.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Create MicroShift VM 4 | tags: vm 5 | local_action: 6 | module: kubevirt.core.kubevirt_vm 7 | api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}" 8 | host: "{{ hostvars['isar']['k8s_auth_host'] }}" 9 | validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}" 10 | state: present 11 | running: true # default 12 | wait: true 13 | name: "{{ inventory_hostname }}" 14 | namespace: "{{ ushift_virt_namespace }}" 15 | spec: 16 | domain: 17 | cpu: 18 | cores: "{{ vm_cores }}" 19 | sockets: 1 20 | threads: 1 21 | memory: 22 | guest: "{{vm_memory}}" 23 | resources: 24 | requests: 25 | memory: "{{vm_memory}}" 26 | cpu: "{{ vm_cores*1000 * 0.5}}m" 27 | machine: 28 | type: q35 29 | devices: 30 | disks: 31 | - disk: 32 | bus: virtio 33 | name: root-disk 34 | interfaces: 35 | - bridge: {} 36 | macAddress: "{{network_mac_address}}" 37 | model: virtio 38 | name: net-0 39 | clock: 40 | timezone: Etc/GMT 41 | networks: 42 | - multus: 43 | networkName: coe-bridge 44 | name: net-0 45 | volumes: 46 | - dataVolume: 47 | name: "{{ inventory_hostname }}-root" 48 | name: root-disk 49 | 50 | data_volume_templates: 51 | - metadata: 52 | name: "{{ inventory_hostname }}-root" 53 | spec: 54 | storage: 55 | storageClassName: "{{ushift_vm_storageclass}}" 56 | accessModes: 57 | - ReadWriteMany 58 | volumeMode: Block 59 | 
resources: 60 | requests: 61 | storage: 64Gi 62 | source: 63 | pvc: 64 | namespace: stormshift-vm-templates 65 | name: "stormshift-template-{{vm_template}}-root" 66 | 67 | - name: Wait for VM to be online 68 | local_action: 69 | module: ansible.builtin.wait_for 70 | host: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}" 71 | port: 22 72 | state: started 73 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/tasks/160-ushift-install-rpm.yml: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # ------------------------------------------------------------------------------ 3 | # ------------------------------------------------------------------------------ 4 | - name: Install MicroShift 5 | when: ushift_actually_install 6 | tags: install, slow 7 | yum: 8 | name: 'microshift' 9 | state: present 10 | register: install 11 | 12 | - name: Enable and start MicroShift 13 | when: ushift_actually_install 14 | tags: install, slow 15 | service: 16 | name: microshift 17 | enabled: yes 18 | state: started 19 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/tasks/170-ushift-postinstall-rpm.yml: -------------------------------------------------------------------------------- 1 | # ------------------------------------------------------------------------------ 2 | # ------------------------------------------------------------------------------ 3 | # ------------------------------------------------------------------------------ 4 | 5 | - name: Copy kubeconfig to root user on VM 6 | when: ushift_actually_install 7 | tags: post, kubecfg 8 | copy: 9 | src: /var/lib/microshift/resources/kubeadmin/{{inventory_hostname}}.{{ sysctx_dns_domain }}/kubeconfig 10 | remote_src: true 11 | dest: /root/.kube/config 12 | mode: 600 13 | 14 | - name: Slurp 
kubeconfig 15 | when: ushift_actually_install 16 | tags: post, kubecfg, acm 17 | ansible.builtin.slurp: 18 | src: "/root/.kube/config" 19 | register: slurp_kubeconfig 20 | 21 | - name: Set kubeconfig 22 | when: ushift_actually_install 23 | tags: post, kubecfg, acm 24 | set_fact: 25 | ushift_kubeconfig: "{{ slurp_kubeconfig['content'] | b64decode }}" 26 | 27 | - name: Create temporary local kubeconfig file 28 | when: ushift_actually_install 29 | tags: post, kubecfg 30 | local_action: 31 | module: ansible.builtin.tempfile 32 | state: file 33 | suffix: temp 34 | register: temp_kubeconfig 35 | 36 | - name: Fetch kubeconfig from remote 37 | when: ushift_actually_install 38 | tags: post, kubecfg 39 | fetch: 40 | src: /root/.kube/config 41 | dest: "{{temp_kubeconfig.path}}" 42 | flat: true 43 | 44 | - name: Deploy VolumeSnapshotClass 45 | tags: post,vsc 46 | when: false 47 | local_action: 48 | module: kubernetes.core.k8s 49 | kubeconfig: "{{temp_kubeconfig.path}}" 50 | validate_certs: false 51 | state: present 52 | definition: "{{ lookup('template', 'templates/microshift-volumeSnapShotClass.yaml') }}" 53 | 54 | - name: Prepare VolumeSnapshotClass 55 | tags: post,vsc 56 | template: 57 | src: templates/microshift-volumeSnapShotClass.yaml 58 | dest: /root/volumeSnapshotClass.yaml 59 | 60 | - name: Deploy sample workload 61 | tags: post,sample 62 | when: ushift_actually_install and ushift_deploy_sample_workload 63 | local_action: 64 | module: kubernetes.core.k8s 65 | kubeconfig: "{{temp_kubeconfig.path}}" 66 | validate_certs: false 67 | state: present 68 | definition: "{{ lookup('template', 'templates/microshift-sample-app.yaml') }}" 69 | 70 | - name: Prepare demos 71 | tags: post,sample 72 | template: 73 | src: templates/{{item}} 74 | dest: /root/{{item}} 75 | loop: 76 | - microshift-sample-app.yaml 77 | - microshift-olm-demo.yaml 78 | - microshift-gitops-demo.yaml 79 | - microshift-sample-volumeSnapshot.yaml 80 | 81 | - name: Remove temporary local kubeconfig file 82 | 
when: temp_kubeconfig.path is defined 83 | tags: post, kubecfg 84 | ansible.builtin.file: 85 | path: "{{ temp_kubeconfig.path }}" 86 | state: absent 87 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/tasks/200-destroy.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Destroy VM 4 | ansible.builtin.include_tasks: 210-destroy-vm.yml 5 | tags: vm 6 | 7 | - name: Remove DNS records 8 | ansible.builtin.include_tasks: 220-destroy-dns.yml 9 | tags: dns 10 | 11 | - name: Remove DHCP records 12 | ansible.builtin.include_tasks: 230-destroy-dhcp.yml 13 | tags: dhcp 14 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/tasks/210-destroy-vm.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Remove MicroShift VM 4 | tags: vm 5 | local_action: 6 | module: kubevirt.core.kubevirt_vm 7 | api_key: "{{ hostvars['isar']['k8s_auth_api_key'] }}" 8 | host: "{{ hostvars['isar']['k8s_auth_host'] }}" 9 | validate_certs: "{{ hostvars['isar']['k8s_auth_verify_ssl'] }}" 10 | state: absent 11 | wait: true 12 | name: "{{ inventory_hostname }}" 13 | namespace: "{{ ushift_virt_namespace }}" 14 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/tasks/220-destroy-dns.yml: -------------------------------------------------------------------------------- 1 | --- 2 | - name: "Remove DNS A records for {{ inventory_hostname }} -> {{ network_ip_address }}" 3 | tags: dns 4 | local_action: 5 | module: community.general.ipa_dnsrecord 6 | zone_name: "{{ sysctx_dns_domain }}" 7 | record_type: A 8 | record_name: "{{ item }}" 9 | record_value: "{{ network_ip_address }}" 10 | state: absent 11 | ipa_host: "{{ sysctx_network_dns }}" 12 | ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER' ) }}" 13 | ipa_pass: 
"{{ lookup('ansible.builtin.env', 'IPA_PASS' ) }}" 14 | validate_certs: false 15 | with_items: 16 | - "{{ inventory_hostname }}" 17 | - "*.apps.{{ inventory_hostname }}" 18 | 19 | - name: Remove DNS PTR records 20 | tags: dns 21 | local_action: 22 | module: community.general.ipa_dnsrecord 23 | zone_name: "{{ sysctx_dns_domain_reverse }}" 24 | record_type: PTR 25 | # reverse domain recod name needs to be reversed. 26 | # From aa.bb.cc.dd this is dd.cc 27 | record_name: "{{ network_ip_address.split('.')[3]|int }}.{{ network_ip_address.split('.')[2]|int }}" 28 | record_value: "{{ inventory_hostname }}.{{ sysctx_dns_domain }}." 29 | state: absent 30 | ipa_host: "{{ sysctx_network_dns }}" 31 | ipa_user: "{{ lookup('ansible.builtin.env', 'IPA_USER' ) }}" 32 | ipa_pass: "{{ lookup('ansible.builtin.env', 'IPA_PASS' ) }}" 33 | validate_certs: false 34 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/tasks/230-destroy-dhcp.yml: -------------------------------------------------------------------------------- 1 | --- 2 | 3 | - name: Remove DHCP 4 | tags: dhcp 5 | throttle: 1 6 | delegate_to: "{{ sysctx_network_dhcp }}" 7 | blockinfile: 8 | path: /etc/dhcp/dhcpd-dfroehli-edge.conf 9 | marker: "# {mark} ANSIBLE MANAGED {{inventory_hostname}}" 10 | state: absent 11 | block: | 12 | host {{inventory_hostname}} { 13 | hardware ethernet {{ network_mac_address }}; 14 | fixed-address {{ network_ip_address }}; 15 | option host-name "{{inventory_hostname}}"; 16 | option domain-name "{{ sysctx_dns_domain }}"; 17 | ddns-hostname "{{ inventory_hostname }}.{{ sysctx_dns_domain }}"; 18 | } 19 | register: dhcp 20 | 21 | - name: Restart DHCP 22 | tags: dhcp 23 | run_once: true 24 | delegate_to: "{{ sysctx_network_dhcp }}" 25 | service: 26 | name: dhcpd 27 | enabled: yes 28 | state: restarted 29 | when: dhcp is changed 30 | -------------------------------------------------------------------------------- 
/roles/ushift_rpm_on_kubevirt/templates/microshift-app-hello.yaml:
--------------------------------------------------------------------------------
---
kind: Namespace
apiVersion: v1
metadata:
  name: demo-app
---
kind: Deployment
apiVersion: apps/v1
metadata:
  annotations:
  name: hello-openshift
  namespace: demo-app
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: hello-openshift
  template:
    metadata:
      labels:
        app: hello-openshift
    spec:
      containers:
        # NOTE(review): no tag or digest, so this resolves to :latest; pin it for reproducible demos.
        - image: openshift/hello-openshift
          imagePullPolicy: IfNotPresent
          name: hello-openshift
          ports:
            - containerPort: 8080
              protocol: TCP
          # No requests/limits set.
          resources: {}
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            # NOTE(review): seccompProfile is commented out here but set in
            # microshift-sample-app.yaml; enable it unless this image needs it off.
            # seccompProfile:
            #   type: RuntimeDefault
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /tmp
              name: tmp
      dnsPolicy: ClusterFirst
      volumes:
        - name: tmp
          emptyDir: {}
---
kind: Service
apiVersion: v1
metadata:
  name: hello
  namespace: demo-app
spec:
  selector:
    app: hello-openshift
  ports:
    - protocol: TCP
      name: http
      port: 8080
---
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: hello-path
  namespace: demo-app
spec:
  # Exposed on the VM's own FQDN under /hello (plain HTTP; no tls stanza).
  host: "{{inventory_hostname}}.{{ sysctx_dns_domain }}"
  path: "/hello"
  port:
    targetPort: http
  to:
    kind: Service
    name: hello
    weight: 100
  wildcardPolicy: None
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/templates/microshift-bash-history-suggestions.j2:
--------------------------------------------------------------------------------
# These commands are handy for MicroShift Demos:
dnf install --downloadonly microshift
dnf install microshift-olm
dnf install microshift-gitops
dnf install microshift
systemctl enable --now microshift
systemctl status microshift
systemctl restart microshift
systemctl stop microshift crio kubepods.slice
oc config set-context --current --namespace=
cp -pnf /var/lib/microshift/resources/kubeadmin/kubeconfig ~/.kube/config
microshift version
oc get pods -A
oc get nodes
curl {{ inventory_hostname }}.{{ sysctx_dns_domain }}/nginx
curl -L https://mirror.openshift.com/pub/openshift-v4/clients/helm/latest/helm-linux-amd64 -o helm
bootc status
bootc upgrade
bootc upgrade --check
bootc upgrade --apply
bootc switch quay.coe.muc.redhat.com/shared/microshift/microshift-4.17-bootc:update
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/templates/microshift-candidate.repo:
--------------------------------------------------------------------------------
#
# ------ MicroShift Engineering Candidate (EC) repos
#
# Only the repo pair matching ushift_repo ("EC" or "RC") is enabled; the other
# stays defined but disabled.
[microshift-{{ushift_preview_version}}-EC]
name=MicroShift {{ushift_preview_version}} EC RPMs
baseurl={{ushift_repo_ec}}/{{ushift_preview_version}}/el9/os/
enabled={%+ if ushift_repo == "EC" %}1{% else %}0{% endif %}
# NOTE(review): gpgcheck=0 disables RPM signature verification for every package
# from this repo; where a signing key is published, import it and set gpgcheck=1.
gpgcheck=0
skip_if_unavailable=0

[microshift-{{ushift_preview_version}}-EC-dependencies]
name=MicroShift {{ushift_preview_version}} EC Dependencies RPMs
baseurl=https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rpms/{{ushift_preview_version_dep_ec}}/
enabled={%+ if ushift_repo == "EC" %}1{% else %}0{% endif %}
gpgcheck=0
skip_if_unavailable=0

#
# ------ MicroShift Release Candidate (RC) repos
#
[microshift-{{ushift_preview_version}}-RC]
name=MicroShift {{ushift_preview_version}} RC RPMs
baseurl={{ushift_repo_rc}}/{{ushift_preview_version}}/el9/os/ 24 | enabled={%+ if ushift_repo == "RC" %}1{% else %}0{% endif %} 25 | gpgcheck=0 26 | skip_if_unavailable=0 27 | 28 | [microshift-{{ushift_preview_version}}-RC-dependencies] 29 | name=MicroShift {{ushift_preview_version}} RC Dependencies RPMs 30 | baseurl=https://mirror.openshift.com/pub/openshift-v4/x86_64/dependencies/rpms/{{ushift_preview_version_dep_rc}}/ 31 | enabled={%+ if ushift_repo == "RC" %}1{% else %}0{% endif %} 32 | gpgcheck=0 33 | skip_if_unavailable=0 34 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/templates/microshift-config.yaml.j2: -------------------------------------------------------------------------------- 1 | dns: 2 | baseDomain: {{ inventory_hostname }}.{{ sysctx_dns_domain }} 3 | network: 4 | clusterNetwork: 5 | - 10.42.0.0/16 6 | serviceNetwork: 7 | - 10.43.0.0/16 8 | serviceNodePortRange: 30000-32767 9 | node: 10 | hostnameOverride: "" 11 | nodeIP: "" 12 | apiServer: 13 | subjectAltNames: [] 14 | debugging: 15 | logLevel: "Normal" 16 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/templates/microshift-gitops-demo.yaml: -------------------------------------------------------------------------------- 1 | kind: AppProject 2 | apiVersion: argoproj.io/v1alpha1 3 | metadata: 4 | name: default 5 | namespace: openshift-gitops 6 | spec: 7 | clusterResourceWhitelist: 8 | - group: '*' 9 | kind: '*' 10 | destinations: 11 | - namespace: '*' 12 | server: '*' 13 | sourceRepos: 14 | - '*' 15 | --- 16 | kind: Application 17 | apiVersion: argoproj.io/v1alpha1 18 | metadata: 19 | name: spring-petclinic 20 | namespace: openshift-gitops 21 | spec: 22 | destination: 23 | namespace: spring-petclinic 24 | server: https://kubernetes.default.svc 25 | project: default 26 | source: 27 | directory: 28 | recurse: true 29 | path: app 30 | repoURL: 
https://github.com/DanielFroehlich/openshift-gitops-getting-started 31 | syncPolicy: 32 | automated: 33 | selfHeal: true 34 | prune: true 35 | allowEmpty: true 36 | syncOptions: 37 | - CreateNamespace=true 38 | - ServerSideApply=true 39 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/templates/microshift-lvmd.yaml.j2: -------------------------------------------------------------------------------- 1 | socket-name: /run/lvmd/lvmd.socket 2 | device-classes: 3 | - name: default 4 | volume-group: rhel 5 | default: true 6 | spare-gb: 0 7 | type: thin 8 | thin-pool: 9 | name: thin 10 | overprovision-ratio: 10 11 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/templates/microshift-olm-demo.yaml: -------------------------------------------------------------------------------- 1 | kind: Namespace 2 | apiVersion: v1 3 | metadata: 4 | name: demo-app 5 | --- 6 | apiVersion: operators.coreos.com/v1alpha1 7 | kind: CatalogSource 8 | metadata: 9 | name: redhat-operators 10 | # namespace: openshift-operator-lifecycle-manager 11 | namespace: openshift-marketplace 12 | spec: 13 | sourceType: grpc 14 | image: registry.redhat.io/redhat/redhat-operator-index:v4.14 15 | displayName: Red Hat Operators 16 | publisher: Red Hat 17 | grpcPodConfig: 18 | securityContextConfig: restricted 19 | updateStrategy: 20 | registryPoll: 21 | interval: 120m 22 | --- 23 | kind: Subscription 24 | apiVersion: operators.coreos.com/v1alpha1 25 | metadata: 26 | name: datagrid-operator 27 | namespace: openshift-operators 28 | spec: 29 | channel: 8.4.x 30 | installPlanApproval: Automatic 31 | name: datagrid 32 | source: redhat-operators 33 | sourceNamespace: openshift-marketplace 34 | --- 35 | apiVersion: infinispan.org/v1 36 | kind: Infinispan 37 | metadata: 38 | name: backend-datagrid 39 | namespace: demo-app 40 | spec: 41 | service: 42 | type: DataGrid 43 | container: 44 | 
storage: 2Gi 45 | replicas: 2 46 | container: 47 | cpu: "2000m:10m" 48 | extraJvmOpts: '-XX:NativeMemoryTracking=summary' 49 | memory: "1G" 50 | storage: "1G" 51 | security: 52 | endpointEncryption: 53 | type: None 54 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/templates/microshift-registries-proxy.conf: -------------------------------------------------------------------------------- 1 | # /etc/containers/registries.conf.d/100-microshift-proxy.conf 2 | [[registry]] 3 | prefix = "quay.io/openshift-release-dev" 4 | location = "quay.coe.muc.redhat.com/proxy_quay_openshift_release/" 5 | mirror-by-digest-only = true 6 | 7 | [[registry]] 8 | prefix = "registry.redhat.io" 9 | location = "quay.coe.muc.redhat.com/proxy_redhat_io/" 10 | mirror-by-digest-only = true 11 | -------------------------------------------------------------------------------- /roles/ushift_rpm_on_kubevirt/templates/microshift-sample-app.yaml: -------------------------------------------------------------------------------- 1 | kind: Namespace 2 | apiVersion: v1 3 | metadata: 4 | name: demo-app 5 | --- 6 | kind: PersistentVolumeClaim 7 | apiVersion: v1 8 | metadata: 9 | name: sample-pvc 10 | namespace: demo-app 11 | spec: 12 | accessModes: 13 | - ReadWriteOnce 14 | resources: 15 | requests: 16 | storage: 1Gi 17 | --- 18 | kind: Deployment 19 | apiVersion: apps/v1 20 | metadata: 21 | name: sample-nginx 22 | namespace: demo-app 23 | spec: 24 | replicas: 1 25 | strategy: 26 | type: RollingUpdate 27 | selector: 28 | matchLabels: 29 | app: nginx 30 | template: 31 | metadata: 32 | labels: 33 | app: nginx 34 | spec: 35 | volumes: 36 | - name: storage 37 | persistentVolumeClaim: 38 | claimName: sample-pvc 39 | containers: 40 | - name: nginx 41 | image: nginxinc/nginx-unprivileged 42 | imagePullPolicy: IfNotPresent 43 | securityContext: 44 | allowPrivilegeEscalation: false 45 | runAsNonRoot: true 46 | capabilities: 47 | drop: 48 | - ALL 49 | 
# (continuation of microshift-sample-app.yaml: rest of the nginx container spec)
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8080
              name: "http"
            - containerPort: 8443
              name: "https"
          volumeMounts:
            - mountPath: "/usr/share/nginx/html/storage"
              name: storage
---
kind: Service
apiVersion: v1
metadata:
  name: nginx
  namespace: demo-app
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      name: http
      port: 8080
    - protocol: TCP
      name: https
      port: 8443
---
# Path-based Route on a host derived from the inventory hostname and DNS domain.
# No `tls` stanza: the Route serves plain HTTP to clients.
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: nginx-path
  namespace: demo-app
spec:
  host: "{{inventory_hostname}}.{{ sysctx_dns_domain }}"
  path: "/nginx"
  port:
    targetPort: http
  to:
    kind: Service
    name: nginx
    weight: 100
  wildcardPolicy: None
---
# Second Route without an explicit host: the router assigns the default hostname.
# Also plain HTTP (no `tls` stanza).
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: nginx-wild
  namespace: demo-app
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: nginx
    weight: 100
  wildcardPolicy: None
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/templates/microshift-sample-volumeSnapshot.yaml:
--------------------------------------------------------------------------------
# Snapshot of the sample PVC via the TopoLVM snapshot class defined below.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshot
metadata:
  name: my-snap1
  namespace: demo-app
spec:
  volumeSnapshotClassName: topolvm-snapclass
  source:
    persistentVolumeClaimName: sample-pvc
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/templates/microshift-volumeSnapShotClass.yaml:
--------------------------------------------------------------------------------
kind: VolumeSnapshotClass
apiVersion: snapshot.storage.k8s.io/v1
metadata:
  name: topolvm-snapclass
  annotations:
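# (continuation of microshift-volumeSnapShotClass.yaml)
    # Marks this class as the default for VolumeSnapshots that omit a class name.
    snapshot.storage.kubernetes.io/is-default-class: "true"
driver: topolvm.io
# Delete: the backing LVM snapshot is removed together with the VolumeSnapshot object.
deletionPolicy: Delete
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/templates/tmp.yaml:
--------------------------------------------------------------------------------
# Scratch variant of microshift-sample-app.yaml that additionally mounts a PVC
# named sample-pvc-snapshot-restore (not defined in this file — it must exist
# beforehand, presumably restored from the VolumeSnapshot above — confirm).
kind: Namespace
apiVersion: v1
metadata:
  name: demo-app
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: sample-pvc
  namespace: demo-app
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: sample-nginx
  namespace: demo-app
spec:
  replicas: 1
  strategy:
    type: RollingUpdate
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      volumes:
        - name: storage
          persistentVolumeClaim:
            claimName: sample-pvc
        - name: restore
          persistentVolumeClaim:
            claimName: sample-pvc-snapshot-restore
      containers:
        - name: nginx
          # Untagged image resolves to :latest; pin a tag or digest for reproducibility.
          image: nginxinc/nginx-unprivileged
          imagePullPolicy: IfNotPresent
          # Hardened pod security context compatible with the restricted PSA profile.
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          ports:
            - containerPort: 8080
              name: "http"
            - containerPort: 8443
              name: "https"
          volumeMounts:
            - mountPath: "/usr/share/nginx/html/storage"
              name: storage
            - mountPath: "/usr/share/nginx/html/restore"
              name: restore
---
kind: Service
apiVersion: v1
metadata:
  name: nginx
  namespace: demo-app
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      name: http
      port: 8080
    - protocol: TCP
      name: https
      port: 8443
---
# Route without host: router assigns the default hostname. Plain HTTP (no `tls`).
kind: Route
apiVersion: route.openshift.io/v1
metadata:
  name: nginx-wild
  namespace: demo-app
spec:
  port:
    targetPort: http
  to:
    kind: Service
    name: nginx
    weight: 100
  wildcardPolicy: None
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/tests/inventory:
--------------------------------------------------------------------------------
localhost

--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/tests/test.yml:
--------------------------------------------------------------------------------
---
# Role test playbook. The role name was a leftover from the skeleton this role was
# copied from (sno_on_kubevirt); it now references the directory it lives in.
- hosts: localhost
  remote_user: root
  roles:
    - ushift_rpm_on_kubevirt
--------------------------------------------------------------------------------
/roles/ushift_rpm_on_kubevirt/vars/main.yml:
--------------------------------------------------------------------------------
---
# vars file for ushift_rpm_on_kubevirt
--------------------------------------------------------------------------------
/scrible/daniel_scrible.txt:
--------------------------------------------------------------------------------

######### Run automation locally on mac using navigator and podman machine:
podman machine init \
  --volume /private:/private \
  --volume /Users:/Users \
  --volume /var/folders:/var/folders \
  --memory 4096 podman-machine-default


podman machine start

# .vault_pass and the *-private vars file hold credentials; verify that
# .gitignore covers both before committing from this checkout.
ansible-navigator run stormshift-cluster-mgmt.yaml \
  -e stormshift_cluster_action=deploy \
  -e stormshift_cluster_name=ocp11 \
  --vault-password-file=.vault_pass \
  -e@development-example.vars-private -v


ansible-playbook -e@../stormshift-dev.vars -e ushift_env=ushift18_bootc 200-ushift-create.yaml

ansible-navigator run 200-ushift-create.yaml \
  -e ushift_env=ushift18_bootc \
  -e@development-example.vars-private \
  --vault-password-file=.vault_pass

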
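#####################################
# Add a service of type LoadBalancer to be able to ssh into a
# VM using podnetwork only:
# NOTE(review): this exposes the VM's SSH port (22) outside the cluster on
# port 22000 of a load-balancer IP; restrict source ranges
# (loadBalancerSourceRanges) or remove the Service when no longer needed.
apiVersion: v1
kind: Service
metadata:
  annotations:
  name: ushift08-lb-ssh
  namespace: stormshift-microshift
spec:
  allocateLoadBalancerNodePorts: false
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - port: 22000
      protocol: TCP
      targetPort: 22
  selector:
    vm.kubevirt.io/name: ushift08
  sessionAffinity: None
  type: LoadBalancer
--------------------------------------------------------------------------------
/scrible/datavolume.yaml:
--------------------------------------------------------------------------------
# Clone a root disk PVC from the openshift-mtv namespace into a 64Gi block DataVolume.
apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
  name: dfroehli-rhel92-test
spec:
  storage:
    # storageClassName: ocs-storagecluster-ceph-rbd-virtualization
    storageClassName: coe-netapp-san
    accessModes:
      - ReadWriteMany
    volumeMode: Block
    resources:
      requests:
        storage: 64Gi
  source:
    pvc:
      namespace: openshift-mtv
      name: "rhel92-root"
--------------------------------------------------------------------------------
/scrible/download-kubeconfigs-from-vault.yaml:
--------------------------------------------------------------------------------
---
# Fetch each cluster's kubeconfig and kubeadmin password from Vault (approle auth
# taken from RH_VAULT_* environment variables) and write them to the current
# directory. Secret-bearing tasks carry no_log so that -v/-vvv output and diff
# mode do not echo the credentials; files are written 0600.
- hosts: cluster
  connection: local
  gather_facts: false
  tasks:

    # - name: List clusters
    #   community.hashi_vault.vault_list:
    #     url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL' ) }}"
    #     auth_method: approle
    #     role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID' ) }}"
    #     secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID' ) }}"
    #     validate_certs: false
    #     # engine_mount_point: apps

    #     path: "apps/metadata/coe-lab/cluster-credential"
    #   register: clusters

    # - debug: var=clusters
    - name: Get Creds
      community.hashi_vault.vault_kv2_get:
        url: "{{ lookup('ansible.builtin.env', 'RH_VAULT_URL' ) }}"
        auth_method: approle
        role_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_ROLE_ID' ) }}"
        secret_id: "{{ lookup('ansible.builtin.env', 'RH_VAULT_SECRET_ID' ) }}"
        # NOTE(review): TLS verification is disabled for the Vault endpoint, so the
        # approle secret and returned credentials are exposed to MITM on the path
        # to Vault. Prefer ca_cert: <path-to-internal-CA> and validate_certs: true.
        validate_certs: false
        engine_mount_point: apps
        path: "coe-lab/cluster-credential/stormshift-{{ inventory_hostname }}"
      register: cluster
      # The registered result contains the full kubeconfig and password.
      no_log: true

    # Prints the secret to the console on purpose (local helper); remove this task
    # before running the play anywhere job output is retained.
    - name: "Show kubeadmin password"
      debug:
        msg: "Kubeadmin password is: {{ cluster.secret['kubeadmin-password'] }}"

    - name: Export kubeconfig
      copy:
        content: "{{ cluster.secret.kubeconfig }}"
        dest: "kubeconfig-stormshift-{{ inventory_hostname }}"
        # Owner-only: the file carries cluster-admin credentials.
        mode: "0600"
      no_log: true

    - name: Export kubeadmin-password
      copy:
        content: "{{ cluster.secret['kubeadmin-password'] }}"
        dest: "kubeadmin-password-stormshift-{{ inventory_hostname }}"
        mode: "0600"
      no_log: true

    # https://github.com/danielfoehrKn/kubeswitch
    - name: Kubeswitch preperations
      when: kubeswitch | default('false') | bool
      block:
        # combine() replaces the `contexts` list wholesale, so the rewritten
        # kubeconfig keeps exactly one context. It assumes the fetched kubeconfig
        # names its cluster after inventory_hostname and its user "admin" —
        # verify against an actual secret before relying on it.
        - name: Rebuild new kubeconfig
          ansible.builtin.set_fact:
            kubeconfig: "{{ cluster.secret.kubeconfig | ansible.builtin.from_yaml | combine(fields_to_change, recursive=true) }}"
          vars:
            fields_to_change:
              current-context: "stormshift-{{ inventory_hostname }}"
              contexts:
                - name: "stormshift-{{ inventory_hostname }}"
                  context:
                    cluster: "{{ inventory_hostname }}"
                    user: "admin"
          no_log: true

        - name: "Write kubeswitch improved kubeconfig-{{ inventory_hostname }}"
          ansible.builtin.copy:
            content: |
              {{ kubeconfig | to_nice_yaml }}
            dest: "switch-stormshift-{{ inventory_hostname }}"
            mode: "0600"
          no_log: true

        - name: Move info
          debug:
            msg:
              - "Please run:"
              - "  mv -v scrible/switch-* ~/.kube/clusters"
--------------------------------------------------------------------------------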
/scrible/inventory.yaml:
--------------------------------------------------------------------------------
---
# Scratch YAML inventory: one MicroShift host group and one OpenShift cluster
# group, each carrying the stormshift_* / ushift_* / ocp_* variables the
# playbooks consume. Owner e-mail and purpose are recorded per cluster.
all:
  vars:

  children:
    #
    # --- MicroShift clusters ------
    #
    microshift:
      vars:

      children:
        ushift1:
          vars:
            stormshift_owner_email: "brad.weidenbrenner@redhat.com"
            stormshift_owner_purpose: "dedicated long term ACM Demo"
            # Unquoted: YAML reads this as the float 4.14. A version such as
            # 4.10 would collapse to 4.1 — quote versions to keep them as strings.
            ushift_version: 4.14
            ushift_use_EC: false
            ushift_use_RC: false
            ushift_actually_install: true
            ushift_deploy_sample_workload: false
            vm_cores: "2"
            vm_memory: "16 GiB"
            vm_template: "rhel92"
            rhsm_repo_list:
              - rhocp-4.14-for-rhel-9-x86_64-rpms
              - fast-datapath-for-rhel-9-x86_64-rpms
              - gitops-1.12-for-rhel-9-x86_64-rpms
          hosts:
            ushift1:
              network_ip_address: 10.32.99.1
              network_mac_address: 0E:C0:EF:20:63:01
              # Placeholder value; fill in before use.
              network_uefi_boot_url: "..."

    #
    # --- Openshift clusters ------
    #
    openshift:
      vars:
        virt_namespace: stormshift-ocp-vms
      children:
        stormshift-ocp1:
          vars:
            stormshift_owner_email: "dfroehli@redhat.com"
            stormshift_owner_purpose: "dedicated long term"
            ocp_isSNO: false
            ocp_num_control: "3"
            ocp_num_worker: "0"
            ocp_version: 4.14.10
            ocp_control_cores: "4"
            ocp_control_memoryMB: "24576"
            ocp_compute_cores: "4"
            ocp_compute_memoryMB: "24576"
            ocp_configure_COE_SSO: true
            ocp_configure_COE_netapp: true
            ocp_configure_COE_ACM_client: false
            ocp_configure_COE_QuayMirror: false
            ocp_configure_LVMS: false
            ocp_cluster_name: ocp1
            ocp_ip_api: "10.32.105.64"
            ocp_ip_ingress: "10.32.105.65"
            # Rendezvous IP matches opc1-master0's address below.
            ocp_ip_rendevous: "10.32.105.66"
          # Host names are spelled "opc1-…" while the cluster is "ocp1" —
          # presumably a typo; verify nothing keys off these names.
          hosts:
            opc1-master0:
              network_ip_address: 10.32.105.66
              network_mac_address: 0E:C0:EF:20:69:42
            opc1-master1:
              network_ip_address: 10.32.105.67
              network_mac_address: 0E:C0:EF:20:69:43
            opc1-master2:
              network_ip_address: 10.32.105.68
# (continuation of inventory.yaml: last host of stormshift-ocp1)
              network_mac_address: 0E:C0:EF:20:69:44
--------------------------------------------------------------------------------
/scrible/vm-clone-uefi.yaml:
--------------------------------------------------------------------------------
# KubeVirt VM cloned from a RHEL 9.4 template root disk, booting via UEFI with
# Secure Boot. runStrategy Manual: the VM is created stopped.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  labels:
    kubevirt.io/vm: dfroehli-rhel94-clone1
  name: dfroehli-rhel94-clone1
spec:
  runStrategy: Manual
  template:
    metadata:
      labels:
        kubevirt.io/vm: dfroehli-rhel94-clone1
    spec:
      domain:
        cpu:
          cores: 4
          sockets: 1
          threads: 1
        memory:
          guest: 4Gi
        resources:
          requests:
            memory: 4Gi
        machine:
          type: q35
        #UEFI:
        features:
          acpi: {}
          # SMM is required by KubeVirt for a Secure Boot enabled EFI firmware.
          smm:
            enabled: true
        firmware:
          bootloader:
            efi:
              secureBoot: true

        devices:
          disks:
            - disk:
                bus: virtio
              name: root-disk
          interfaces:
            # Bridged onto the coe-bridge Multus network; MAC is auto-assigned
            # unless the commented line is restored.
            - bridge: {}
              # macAddress: '02:d8:6d:00:00:06'
              model: virtio
              name: net-0
        clock:
          timezone: Etc/GMT
      networks:
        - multus:
            networkName: coe-bridge
          name: net-0
      volumes:
        - dataVolume:
            name: dfroehli-rhel94-clone1-root
          name: root-disk
  dataVolumeTemplates:
    - metadata:
        name: dfroehli-rhel94-clone1-root
      spec:
        storage:
          storageClassName: ocs-storagecluster-ceph-rbd-virtualization
          accessModes:
            - ReadWriteMany
          volumeMode: Block
          resources:
            requests:
              storage: 64Gi
        source:
          pvc:
            namespace: dfroehli-vm-templates
            name: "dfroehli-template-rhel94-root"
--------------------------------------------------------------------------------
/scrible/vm-clone.yaml:
--------------------------------------------------------------------------------
# Same clone without the UEFI/Secure Boot stanza; continues in the next chunk.
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
  labels:
    kubevirt.io/vm: dfroehli-rhel94-clone1
  name: dfroehli-rhel94-clone1
spec:
  runStrategy:
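# (continuation of vm-clone.yaml: value of spec.runStrategy and the rest of the VM)
                Manual
  template:
    metadata:
      labels:
        kubevirt.io/vm: dfroehli-rhel94-clone1
    spec:
      domain:
        cpu:
          cores: 4
          sockets: 1
          threads: 1
        memory:
          guest: 4Gi
        resources:
          requests:
            memory: 4Gi
        machine:
          type: q35
        devices:
          disks:
            - disk:
                bus: virtio
              name: root-disk
          interfaces:
            - bridge: {}
              # macAddress: '02:d8:6d:00:00:06'
              model: virtio
              name: net-0
        clock:
          timezone: Etc/GMT
      networks:
        - multus:
            networkName: coe-bridge
          name: net-0
      volumes:
        - dataVolume:
            name: dfroehli-rhel94-clone1-root
          name: root-disk
  dataVolumeTemplates:
    - metadata:
        name: dfroehli-rhel94-clone1-root
      spec:
        storage:
          # No storageClassName: the cluster default storage class is used.
          # storageClassName: ocs-storagecluster-ceph-rbd-virtualization
          accessModes:
            - ReadWriteMany
          volumeMode: Block
          resources:
            requests:
              storage: 64Gi
        source:
          pvc:
            namespace: stormshift-vm-templates
            name: "stormshift-template-rhel94-root"
--------------------------------------------------------------------------------
/scrible/vmc.yaml:
--------------------------------------------------------------------------------
# KubeVirt VM-to-VM clone request (alternative to the dataVolumeTemplates approach).
kind: VirtualMachineClone
apiVersion: clone.kubevirt.io/v1alpha1
metadata:
  name: dfroehli-rhel94-clone1
spec:
  source:
    apiGroup: kubevirt.io
    kind: VirtualMachine
    name: dfroehli-rhel94
  target:
    apiGroup: kubevirt.io
    kind: VirtualMachine
    name: dfroehli-rhel94-clone1

--------------------------------------------------------------------------------
/stormshift-cluster-mgmt.yaml:
--------------------------------------------------------------------------------
---
# Entry point for cluster lifecycle actions. Dispatches on stormshift_cluster_action:
#   deploy / destroy   -> the cluster or cluster-hcp role (by cluster_type)
#   add-features       -> feature-<name>/post-deploy.yaml for each feature
#   remove-features    -> feature-<name>/pre-destroy.yaml for each feature
# Actions listed in cluster_excluded_actions (if defined) are refused up front.
- name: "Managed StormShift Cluster {{ stormshift_cluster_name }}"
  # Runs once; which host it targets does not matter.
  hosts: "{{ stormshift_cluster_name }}"
  connection: local
  gather_facts: false
  tasks:
    # Feature list is optional elsewhere in this play, so default it here too;
    # otherwise an unset stormshift_cluster_features fails the first task.
    - name: Job informations
      ansible.builtin.debug:
        msg:
          - "Run against {{inventory_hostname}}, vars:"
          - " - cluster_type: {{ cluster_type }}"
          - " - stormshift_cluster_action: {{ stormshift_cluster_action }}"
          - " - stormshift_cluster_name: {{ stormshift_cluster_name }}"
          - " - stormshift_cluster_features: {{ stormshift_cluster_features | default([]) | join(',') }}"

    - name: Check if action is supported/allowed
      ansible.builtin.fail:
        msg: "Action {{ stormshift_cluster_action }} is not supported/allowed"
      when:
        - cluster_excluded_actions is defined
        - stormshift_cluster_action is in cluster_excluded_actions

    # Hosted control planes use the cluster-hcp role; everything else the cluster role.
    # The explicit `else ''` avoids relying on undefined-renders-as-empty behaviour.
    - name: "Include {{stormshift_cluster_action}}-cluster"
      ansible.builtin.include_role:
        name: "cluster{{ '-hcp' if cluster_type == 'hosted' else '' }}"
        tasks_from: "{{ stormshift_cluster_action }}-cluster.yaml"
      when: stormshift_cluster_action in ('destroy','deploy')

    - name: Add features to cluster
      ansible.builtin.include_role:
        name: "feature-{{ item }}"
        tasks_from: post-deploy.yaml
      with_items: "{{ stormshift_cluster_features | default([]) }}"
      when: stormshift_cluster_action == 'add-features'

    - name: Remove features from cluster
      ansible.builtin.include_role:
        name: "feature-{{ item }}"
        tasks_from: pre-destroy.yaml
      with_items: "{{ stormshift_cluster_features | default([]) }}"
      when: stormshift_cluster_action == 'remove-features'
--------------------------------------------------------------------------------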