diff options
Diffstat (limited to 'roles/nuage_master')
-rw-r--r-- | roles/nuage_master/defaults/main.yaml | 4 | ||||
-rw-r--r-- | roles/nuage_master/files/serviceaccount.sh | 63 | ||||
-rw-r--r-- | roles/nuage_master/handlers/main.yaml | 2 | ||||
-rw-r--r-- | roles/nuage_master/meta/main.yml | 16 | ||||
-rw-r--r-- | roles/nuage_master/tasks/certificates.yml | 50 | ||||
-rw-r--r-- | roles/nuage_master/tasks/main.yaml | 20 | ||||
-rw-r--r-- | roles/nuage_master/tasks/serviceaccount.yml | 51 | ||||
-rw-r--r-- | roles/nuage_master/templates/nuage-openshift-monitor.j2 | 16 | ||||
-rw-r--r-- | roles/nuage_master/vars/main.yaml | 27 |
9 files changed, 173 insertions, 76 deletions
diff --git a/roles/nuage_master/defaults/main.yaml b/roles/nuage_master/defaults/main.yaml new file mode 100644 index 000000000..cf670a9e1 --- /dev/null +++ b/roles/nuage_master/defaults/main.yaml @@ -0,0 +1,4 @@ +--- +nuage_master_cspadminpasswd: "" +nuage_master_adminusername: admin +nuage_master_adminuserpasswd: admin diff --git a/roles/nuage_master/files/serviceaccount.sh b/roles/nuage_master/files/serviceaccount.sh deleted file mode 100644 index f6fdb8a8d..000000000 --- a/roles/nuage_master/files/serviceaccount.sh +++ /dev/null @@ -1,63 +0,0 @@ -#!/bin/bash -# Parse CLI options -for i in "$@"; do - case $i in - --master-cert-dir=*) - MASTER_DIR="${i#*=}" - CA_CERT=${MASTER_DIR}/ca.crt - CA_KEY=${MASTER_DIR}/ca.key - CA_SERIAL=${MASTER_DIR}/ca.serial.txt - ADMIN_FILE=${MASTER_DIR}/admin.kubeconfig - ;; - --server=*) - SERVER="${i#*=}" - ;; - --output-cert-dir=*) - OUTDIR="${i#*=}" - CONFIG_FILE=${OUTDIR}/nuage.kubeconfig - ;; - esac -done - -# If any are missing, print the usage and exit -if [ -z $SERVER ] || [ -z $OUTDIR ] || [ -z $MASTER_DIR ]; then - echo "Invalid syntax: $@" - echo "Usage:" - echo " $0 --server=<address>:<port> --output-cert-dir=/path/to/output/dir/ --master-cert-dir=/path/to/master/" - echo "--master-cert-dir: Directory where the master's configuration is held" - echo "--server: Address of Kubernetes API server (default port is 8443)" - echo "--output-cert-dir: Directory to put artifacts in" - echo "" - echo "All options are required" - exit 1 -fi - -# Login as admin so that we can create the service account -oc login -u system:admin --config=$ADMIN_FILE || exit 1 -oc project default --config=$ADMIN_FILE - -ACCOUNT_CONFIG=' -{ - "apiVersion": "v1", - "kind": "ServiceAccount", - "metadata": { - "name": "nuage" - } -} -' - -# Create the account with the included info -echo $ACCOUNT_CONFIG|oc create --config=$ADMIN_FILE -f - - -# Add the cluser-reader role, which allows this service account read access to -# everything in the cluster except secrets -oadm policy add-cluster-role-to-user cluster-reader system:serviceaccounts:default:nuage --config=$ADMIN_FILE - -# Generate certificates and a kubeconfig for the service account -oadm create-api-client-config --certificate-authority=${CA_CERT} --client-dir=${OUTDIR} --signer-cert=${CA_CERT} --signer-key=${CA_KEY} --signer-serial=${CA_SERIAL} --user=system:serviceaccounts:default:nuage --master=${SERVER} --public-master=${SERVER} --basename='nuage' - -# Verify the finalized kubeconfig -if ! [ $(oc whoami --config=$CONFIG_FILE) == 'system:serviceaccounts:default:nuage' ]; then - echo "Service account creation failed!" - exit 1 -fi diff --git a/roles/nuage_master/handlers/main.yaml b/roles/nuage_master/handlers/main.yaml index 5d133cf16..56224cf82 100644 --- a/roles/nuage_master/handlers/main.yaml +++ b/roles/nuage_master/handlers/main.yaml @@ -1,6 +1,6 @@ --- - name: restart nuage-openshift-monitor - sudo: true + become: yes service: name=nuage-openshift-monitor state=restarted - name: restart master diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml new file mode 100644 index 000000000..3f16dd819 --- /dev/null +++ b/roles/nuage_master/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Vishal Patil + description: + company: Nuage Networks + license: Apache License, Version 2.0 + min_ansible_version: 1.8 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: +- { role: nuage_ca } diff --git a/roles/nuage_master/tasks/certificates.yml b/roles/nuage_master/tasks/certificates.yml new file mode 100644 index 000000000..32b024487 --- /dev/null +++ b/roles/nuage_master/tasks/certificates.yml @@ -0,0 +1,50 @@ +--- +- name: Create a directory to hold the certificates + file: path="{{ nuage_mon_rest_server_crt_dir }}" state=directory + delegate_to: "{{ nuage_ca_master }}" + +- name: Create the key + command: > + openssl genrsa -out "{{ nuage_ca_master_rest_server_key }}" 4096 + delegate_to: "{{ nuage_ca_master }}" + +- name: Create the req file + command: > + openssl req -key "{{ nuage_ca_master_rest_server_key }}" -new -out "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -subj "/CN={{ nuage_mon_rest_server_host }}" + delegate_to: "{{ nuage_ca_master }}" + +- name: Generate the crt file + command: > + openssl x509 -req -in "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}" -out "{{ nuage_ca_master_rest_server_crt }}" + delegate_to: "{{ nuage_ca_master }}" + +- name: Remove the req file + file: path="{{ nuage_mon_rest_server_crt_dir }}/restServer.req" state=absent + delegate_to: "{{ nuage_ca_master }}" + +- name: Copy nuage CA crt + shell: cp "{{ nuage_ca_crt }}" "{{ nuage_mon_rest_server_crt_dir }}" + delegate_to: "{{ nuage_ca_master }}" + +- name: Archive the certificate dir + shell: "cd {{ nuage_mon_rest_server_crt_dir }} && tar -czvf /tmp/{{ ansible_nodename }}.tgz *" + delegate_to: "{{ nuage_ca_master }}" + +- name: Create a temp directory for the certificates + local_action: command mktemp -d "/tmp/openshift-{{ ansible_nodename }}-XXXXXXX" + register: mktemp + +- name: Download the certificates + fetch: src="/tmp/{{ ansible_nodename }}.tgz" dest="{{ mktemp.stdout }}/{{ ansible_nodename }}.tgz" flat=yes + delegate_to: "{{ nuage_ca_master }}" + +- name: Extract the certificates + unarchive: src="{{ mktemp.stdout }}/{{ ansible_nodename }}.tgz" dest={{ nuage_master_crt_dir }} + +- name: Delete the certificates after copy + file: path="{{ nuage_mon_rest_server_crt_dir }}" state=absent + delegate_to: "{{ nuage_ca_master }}" + +- name: Delete the temp directory + file: path="{{ mktemp.stdout }}" state=absent + delegate_to: "{{ nuage_ca_master }}" diff --git a/roles/nuage_master/tasks/main.yaml b/roles/nuage_master/tasks/main.yaml index 20d105b9e..b8eaede3b 100644 --- a/roles/nuage_master/tasks/main.yaml +++ b/roles/nuage_master/tasks/main.yaml @@ -1,31 +1,31 @@ --- - name: Create directory /usr/share/nuage-openshift-monitor - sudo: true + become: yes file: path=/usr/share/nuage-openshift-monitor state=directory - name: Create the log directory - sudo: true - file: path={{ nuage_openshift_monitor_log_dir }} state=directory + become: yes + file: path={{ nuage_mon_rest_server_logdir }} state=directory - name: Install Nuage Openshift Monitor - sudo: true + become: yes yum: name={{ nuage_openshift_rpm }} state=present -- name: Run the service account creation script - sudo: true - script: serviceaccount.sh --server={{ openshift.master.api_url }} --output-cert-dir={{ cert_output_dir }} --master-cert-dir={{ openshift_master_config_dir }} +- include: serviceaccount.yml - name: Download the certs and keys - sudo: true + become: yes fetch: src={{ cert_output_dir }}/{{ item }} dest=/tmp/{{ item }} flat=yes with_items: - ca.crt - nuage.crt - nuage.key - nuage.kubeconfig - + +- include: certificates.yml + - name: Create nuage-openshift-monitor.yaml - sudo: true + become: yes template: src=nuage-openshift-monitor.j2 dest=/usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml owner=root mode=0644 notify: - restart master diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml new file mode 100644 index 000000000..5b4af5824 --- /dev/null +++ b/roles/nuage_master/tasks/serviceaccount.yml @@ -0,0 +1,51 @@ +--- +- name: Create temporary directory for admin kubeconfig + command: mktemp -u /tmp/openshift-ansible-XXXXXXX.kubeconfig + register: nuage_tmp_conf_mktemp + changed_when: False + +- set_fact: + nuage_tmp_conf: "{{ nuage_tmp_conf_mktemp.stdout }}" + +- name: Copy Configuration to temporary conf + command: > + cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{nuage_tmp_conf}} + changed_when: false + +- name: Create Admin Service Account + shell: > + echo {{ nuage_service_account_config | to_json | quote }} | + {{ openshift.common.client_binary }} create + -n default + --config={{nuage_tmp_conf}} + -f - + register: osnuage_create_service_account + failed_when: "'already exists' not in osnuage_create_service_account.stderr and osnuage_create_service_account.rc != 0" + changed_when: osnuage_create_service_account.rc == 0 + +- name: Configure role/user permissions + command: > + {{ openshift.common.admin_binary }} {{item}} + --config={{nuage_tmp_conf}} + with_items: "{{nuage_tasks}}" + register: osnuage_perm_task + failed_when: "'already exists' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0" + changed_when: osnuage_perm_task.rc == 0 + +- name: Generate the node client config + command: > + {{ openshift.common.admin_binary }} create-api-client-config + --certificate-authority={{ openshift_master_ca_cert }} + --client-dir={{ cert_output_dir }} + --master={{ openshift.master.api_url }} + --public-master={{ openshift.master.api_url }} + --signer-cert={{ openshift_master_ca_cert }} + --signer-key={{ openshift_master_ca_key }} + --signer-serial={{ openshift_master_ca_serial }} + --basename='nuage' + --user={{ nuage_service_account }} + +- name: Clean temporary configuration file + command: > + rm -f {{nuage_tmp_conf}} + changed_when: false diff --git a/roles/nuage_master/templates/nuage-openshift-monitor.j2 b/roles/nuage_master/templates/nuage-openshift-monitor.j2 index db8c3d85e..075de9d9e 100644 --- a/roles/nuage_master/templates/nuage-openshift-monitor.j2 +++ b/roles/nuage_master/templates/nuage-openshift-monitor.j2 @@ -15,5 +15,19 @@ vspVersion: {{ vsp_version }} enterpriseName: {{ enterprise }} # Name of the domain in which pods will reside domainName: {{ domain }} +# CSP admin user's password +cspAdminPassword: {{ nuage_master_cspadminpasswd }} +# Enterprise admin user name +enterpriseAdminUser: {{ nuage_master_adminusername }} +# Enterprise admin password +enterpriseAdminPassword: {{ nuage_master_adminuserpasswd }} # Location where logs should be saved -log_dir: {{ nuage_openshift_monitor_log_dir }} +log_dir: {{ nuage_mon_rest_server_logdir }} +# Monitor rest server paramters +# Logging level for the nuage openshift monitor +# allowed options are: 0 => INFO, 1 => WARNING, 2 => ERROR, 3 => FATAL +logLevel: {{ nuage_mon_log_level }} +# Parameters related to the nuage monitor REST server +nuageMonServer: + URL: {{ nuage_mon_rest_server_url }} + certificateDirectory: {{ cert_output_dir }} diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml index c489feabe..92e716a45 100644 --- a/roles/nuage_master/vars/main.yaml +++ b/roles/nuage_master/vars/main.yaml @@ -1,7 +1,32 @@ openshift_master_config_dir: "{{ openshift.common.config_base }}/master" +openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt" +openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key" +openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" ca_cert: "{{ openshift_master_config_dir }}/ca.crt" admin_config: "{{ openshift.common.config_base }}/master/admin.kubeconfig" cert_output_dir: /usr/share/nuage-openshift-monitor kube_config: /usr/share/nuage-openshift-monitor/nuage.kubeconfig kubemon_yaml: /usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml -master_config_yaml: "{{ openshift_master_config_dir }}/master-config.yaml" +master_config_yaml: "{{ openshift_master_config_dir }}/master-config.yaml" +nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}" +nuage_mon_rest_server_url: "0.0.0.0:{{ nuage_mon_rest_server_port }}" +nuage_mon_rest_server_logdir: "{{ nuage_openshift_monitor_log_dir | default('/var/log/nuage-openshift-monitor') }}" +nuage_mon_log_level: "{{ nuage_openshift_monitor_log_level | default('3') }}" + +nuage_mon_rest_server_crt_dir: "{{ nuage_ca_master_crt_dir }}/{{ ansible_nodename }}" +nuage_ca_master_rest_server_key: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.key" +nuage_ca_master_rest_server_crt: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.crt" + +nuage_mon_rest_server_host: "{{ openshift.master.cluster_hostname | default(openshift.common.hostname) }}" + +nuage_master_crt_dir : /usr/share/nuage-openshift-monitor +nuage_service_account: system:serviceaccount:default:nuage + +nuage_service_account_config: + apiVersion: v1 + kind: ServiceAccount + metadata: + name: nuage + +nuage_tasks: + - policy add-cluster-role-to-user cluster-reader {{ nuage_service_account }} |