summaryrefslogtreecommitdiffstats
path: root/playbooks/provisioning
diff options
context:
space:
mode:
Diffstat (limited to 'playbooks/provisioning')
-rw-r--r--playbooks/provisioning/openstack/README.md32
-rw-r--r--playbooks/provisioning/openstack/openstack_dns_records.yml2
-rw-r--r--playbooks/provisioning/openstack/post-provision-openstack.yml6
-rw-r--r--playbooks/provisioning/openstack/prerequisites.yml10
-rw-r--r--playbooks/provisioning/openstack/provision-openstack.yml11
-rw-r--r--playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml7
-rw-r--r--playbooks/provisioning/openstack/stack_params.yaml1
7 files changed, 62 insertions, 7 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index 1ff586b49..8e99dd14b 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -10,6 +10,7 @@ etc.). The result is an environment ready for openshift-ansible.
* [Ansible-galaxy](https://pypi.python.org/pypi/ansible-galaxy-local-deps)
* [jinja2](http://jinja.pocoo.org/docs/2.9/)
* [shade](https://pypi.python.org/pypi/shade)
+* python-jmespath / [jmespath](https://pypi.python.org/pypi/jmespath)
* python-dns / [dnspython](https://pypi.python.org/pypi/dnspython)
* Become (sudo) is not required.
@@ -40,7 +41,7 @@ Alternatively you can install directly from github:
-p openshift-ansible-contrib/roles
Notes:
-* This assumes we're in the directory that contains the clonned
+* This assumes we're in the directory that contains the clonned
openshift-ansible-contrib repo in its root path.
* When trying to install a different version, the previous one must be removed first
(`infra-ansible` directory from [roles](https://github.com/openshift/openshift-ansible-contrib/tree/master/roles)).
@@ -177,16 +178,30 @@ variables for the `inventory/group_vars/OSEv3.yml`, `all.yml`:
origin_release: 1.5.1
openshift_deployment_type: "{{ deployment_type }}"
-### Configure static inventory
+### Configure static inventory and access via a bastion node
Example inventory variables:
+ openstack_use_bastion: true
+ bastion_ingress_cidr: "{{openstack_subnet_prefix}}.0/24"
openstack_private_ssh_key: ~/.ssh/openshift
openstack_inventory: static
openstack_inventory_path: ../../../../inventory
+ openstack_ssh_config_path: /tmp/ssh.config.openshift.ansible.openshift.example.com
+The `openstack_subnet_prefix` is the openstack private network for your cluster.
+And the `bastion_ingress_cidr` defines accepted range for SSH connections to nodes
+additionally to the `ssh_ingress_cidr`` (see the security notes above).
-In this guide, the latter points to the current directory, where you run ansible commands
+The SSH config will be stored on the ansible control node by the
+gitven path. Ansible uses it automatically. To access the cluster nodes with
+that ssh config, use the `-F` prefix, f.e.:
+
+ ssh -F /tmp/ssh.config.openshift.ansible.openshift.example.com master-0.openshift.example.com echo OK
+
+Note, relative paths will not work for the `openstack_ssh_config_path`, but it
+works for the `openstack_private_ssh_key` and `openstack_inventory_path`. In this
+guide, the latter points to the current directory, where you run ansible commands
from.
To verify nodes connectivity, use the command:
@@ -194,7 +209,7 @@ To verify nodes connectivity, use the command:
ansible -v -i inventory/hosts -m ping all
If something is broken, double-check the inventory variables, paths and the
-generated `<openstack_inventory_path>/hosts` file.
+generated `<openstack_inventory_path>/hosts` and `openstack_ssh_config_path` files.
The `inventory: dynamic` can be used instead to access cluster nodes directly via
floating IPs. In this mode you can not use a bastion node and should specify
@@ -213,6 +228,15 @@ this is how you stat the provisioning process from your ansible control node:
Note, here you start with an empty inventory. The static inventory will be populated
with data so you can omit providing additional arguments for future ansible commands.
+If bastion enabled, the generates SSH config must be applied for ansible.
+Otherwise, it is auto included by the previous step. In order to execute it
+as a separate playbook, use the following command:
+
+ ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/post-provision-openstack.yml
+
+The first infra node then becomes a bastion node as well and proxies access
+for future ansible commands. The post-provision step also configures Satellite,
+if requested, and DNS server, and ensures other OpenShift requirements to be met.
### Install OpenShift
diff --git a/playbooks/provisioning/openstack/openstack_dns_records.yml b/playbooks/provisioning/openstack/openstack_dns_records.yml
index 9ec37fdb4..3672a8ea6 100644
--- a/playbooks/provisioning/openstack/openstack_dns_records.yml
+++ b/playbooks/provisioning/openstack/openstack_dns_records.yml
@@ -41,11 +41,13 @@
set_fact:
public_records: "{{ public_records | default([]) + [ { 'type': 'A', 'hostname': hostvars[item]['ansible_hostname'], 'ip': hostvars[item]['public_v4'] } ] }}"
with_items: "{{ groups['cluster_hosts'] }}"
+ when: hostvars[item]['public_v4'] is defined
- name: "Add wildcard records to the public A records"
set_fact:
public_records: "{{ public_records | default([]) + [ { 'type': 'A', 'hostname': '*.' + openshift_app_domain, 'ip': hostvars[item]['public_v4'] } ] }}"
with_items: "{{ groups['infra_hosts'] }}"
+ when: hostvars[item]['public_v4'] is defined
- name: "Set the public DNS server details to use the external value (if provided)"
set_fact:
diff --git a/playbooks/provisioning/openstack/post-provision-openstack.yml b/playbooks/provisioning/openstack/post-provision-openstack.yml
index a807c4d2f..c7df74a87 100644
--- a/playbooks/provisioning/openstack/post-provision-openstack.yml
+++ b/playbooks/provisioning/openstack/post-provision-openstack.yml
@@ -4,7 +4,11 @@
become: False
gather_facts: False
tasks:
- - wait_for_connection:
+ - when: not openstack_use_bastion|default(False)|bool
+ wait_for_connection:
+ - when: openstack_use_bastion|default(False)|bool
+ delegate_to: bastion
+ wait_for_connection:
- hosts: cluster_hosts
gather_facts: True
diff --git a/playbooks/provisioning/openstack/prerequisites.yml b/playbooks/provisioning/openstack/prerequisites.yml
index 71a99fc82..dd4f980b2 100644
--- a/playbooks/provisioning/openstack/prerequisites.yml
+++ b/playbooks/provisioning/openstack/prerequisites.yml
@@ -20,6 +20,16 @@
that: 'shade_result.rc == 0'
msg: "Python module shade is not installed"
+ # Check jmespath
+ - name: Try to import python module shade
+ command: python -c "import jmespath"
+ ignore_errors: yes
+ register: jmespath_result
+ - name: Check if jmespath is installed
+ assert:
+ that: 'jmespath_result.rc == 0'
+ msg: "Python module jmespath is not installed"
+
# Check python-dns
- name: Try to import python DNS module
command: python -c "import dns"
diff --git a/playbooks/provisioning/openstack/provision-openstack.yml b/playbooks/provisioning/openstack/provision-openstack.yml
index 0cac37aaf..6ec944d56 100644
--- a/playbooks/provisioning/openstack/provision-openstack.yml
+++ b/playbooks/provisioning/openstack/provision-openstack.yml
@@ -12,13 +12,20 @@
when: openstack_inventory|default('static') == 'static'
inventory_path: "{{ openstack_inventory_path|default(inventory_dir) }}"
private_ssh_key: "{{ openstack_private_ssh_key|default('~/.ssh/id_rsa') }}"
+ ssh_config_path: "{{ openstack_ssh_config_path|default('/tmp/ssh.config.openshift.ansible' + '.' + stack_name) }}"
+ ssh_user: "{{ ansible_user }}"
-- name: Refresh Server inventory
+- name: Refresh Server inventory or exit to apply SSH config
hosts: localhost
connection: local
become: False
gather_facts: False
tasks:
- - meta: refresh_inventory
+ - name: Exit to apply SSH config for a bastion
+ meta: end_play
+ when: openstack_use_bastion|default(False)|bool
+ - name: Refresh Server inventory
+ meta: refresh_inventory
- include: post-provision-openstack.yml
+ when: not openstack_use_bastion|default(False)|bool
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
index 9eb36ab13..6d07f9b56 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -69,5 +69,12 @@ ansible_user: openshift
# # The path to checkpoint the static inventory from the in-memory one
#openstack_inventory_path: ../../../../inventory
+# # Use bastion node to access cluster nodes (Defaults to False).
+# # Requires a static inventory.
+#openstack_use_bastion: False
+#bastion_ingress_cidr: "{{openstack_subnet_prefix}}.0/24"
+#
# # The Nova key-pair's private SSH key to access inventory nodes
#openstack_private_ssh_key: ~/.ssh/openshift
+# # The path for the SSH config to access all nodes
+#openstack_ssh_config_path: /tmp/ssh.config.openshift.ansible.{{ env_id }}.{{ public_dns_domain }}
diff --git a/playbooks/provisioning/openstack/stack_params.yaml b/playbooks/provisioning/openstack/stack_params.yaml
index 9c0b09b45..c3a42ab06 100644
--- a/playbooks/provisioning/openstack/stack_params.yaml
+++ b/playbooks/provisioning/openstack/stack_params.yaml
@@ -21,3 +21,4 @@ master_volume_size: "{{ docker_volume_size }}"
app_volume_size: "{{ docker_volume_size }}"
infra_volume_size: "{{ docker_volume_size }}"
nodes_to_remove: "{{ openstack_nodes_to_remove | default([]) | to_yaml }}"
+use_bastion: "{{ openstack_use_bastion|default(False) }}"