diff options
Diffstat (limited to 'roles/nuage_master')
-rw-r--r-- | roles/nuage_master/README.md | 8 | ||||
-rw-r--r-- | roles/nuage_master/files/serviceaccount.sh | 63 | ||||
-rw-r--r-- | roles/nuage_master/handlers/main.yaml | 18 | ||||
-rw-r--r-- | roles/nuage_master/meta/main.yml | 16 | ||||
-rw-r--r-- | roles/nuage_master/tasks/certificates.yml | 50 | ||||
-rw-r--r-- | roles/nuage_master/tasks/main.yaml | 36 | ||||
-rw-r--r-- | roles/nuage_master/templates/nuage-openshift-monitor.j2 | 23 | ||||
-rw-r--r-- | roles/nuage_master/vars/main.yaml | 16 |
8 files changed, 230 insertions, 0 deletions
diff --git a/roles/nuage_master/README.md b/roles/nuage_master/README.md new file mode 100644 index 000000000..de101dd19 --- /dev/null +++ b/roles/nuage_master/README.md @@ -0,0 +1,8 @@ +Nuage Master +============ +Setup Nuage Kubernetes Monitor on the Master node + + +Requirements +------------ +This role assumes it has been deployed on RHEL/Fedora diff --git a/roles/nuage_master/files/serviceaccount.sh b/roles/nuage_master/files/serviceaccount.sh new file mode 100644 index 000000000..f6fdb8a8d --- /dev/null +++ b/roles/nuage_master/files/serviceaccount.sh @@ -0,0 +1,63 @@ +#!/bin/bash +# Parse CLI options +for i in "$@"; do + case $i in + --master-cert-dir=*) + MASTER_DIR="${i#*=}" + CA_CERT=${MASTER_DIR}/ca.crt + CA_KEY=${MASTER_DIR}/ca.key + CA_SERIAL=${MASTER_DIR}/ca.serial.txt + ADMIN_FILE=${MASTER_DIR}/admin.kubeconfig + ;; + --server=*) + SERVER="${i#*=}" + ;; + --output-cert-dir=*) + OUTDIR="${i#*=}" + CONFIG_FILE=${OUTDIR}/nuage.kubeconfig + ;; + esac +done + +# If any are missing, print the usage and exit +if [ -z $SERVER ] || [ -z $OUTDIR ] || [ -z $MASTER_DIR ]; then + echo "Invalid syntax: $@" + echo "Usage:" + echo " $0 --server=<address>:<port> --output-cert-dir=/path/to/output/dir/ --master-cert-dir=/path/to/master/" + echo "--master-cert-dir: Directory where the master's configuration is held" + echo "--server: Address of Kubernetes API server (default port is 8443)" + echo "--output-cert-dir: Directory to put artifacts in" + echo "" + echo "All options are required" + exit 1 +fi + +# Login as admin so that we can create the service account +oc login -u system:admin --config=$ADMIN_FILE || exit 1 +oc project default --config=$ADMIN_FILE + +ACCOUNT_CONFIG=' +{ + "apiVersion": "v1", + "kind": "ServiceAccount", + "metadata": { + "name": "nuage" + } +} +' + +# Create the account with the included info +echo $ACCOUNT_CONFIG|oc create --config=$ADMIN_FILE -f - + +# Add the cluser-reader role, which allows this service account read access to +# everything in the cluster except secrets +oadm policy add-cluster-role-to-user cluster-reader system:serviceaccounts:default:nuage --config=$ADMIN_FILE + +# Generate certificates and a kubeconfig for the service account +oadm create-api-client-config --certificate-authority=${CA_CERT} --client-dir=${OUTDIR} --signer-cert=${CA_CERT} --signer-key=${CA_KEY} --signer-serial=${CA_SERIAL} --user=system:serviceaccounts:default:nuage --master=${SERVER} --public-master=${SERVER} --basename='nuage' + +# Verify the finalized kubeconfig +if ! [ $(oc whoami --config=$CONFIG_FILE) == 'system:serviceaccounts:default:nuage' ]; then + echo "Service account creation failed!" + exit 1 +fi diff --git a/roles/nuage_master/handlers/main.yaml b/roles/nuage_master/handlers/main.yaml new file mode 100644 index 000000000..5d133cf16 --- /dev/null +++ b/roles/nuage_master/handlers/main.yaml @@ -0,0 +1,18 @@ +--- +- name: restart nuage-openshift-monitor + sudo: true + service: name=nuage-openshift-monitor state=restarted + +- name: restart master + service: name={{ openshift.common.service_type }}-master state=restarted + when: (not openshift_master_ha | bool) and (not master_service_status_changed | default(false)) + +- name: restart master api + service: name={{ openshift.common.service_type }}-master-api state=restarted + when: (openshift_master_ha | bool) and (not master_api_service_status_changed | default(false)) and openshift.master.cluster_method == 'native' + +# TODO: need to fix up ignore_errors here +- name: restart master controllers + service: name={{ openshift.common.service_type }}-master-controllers state=restarted + when: (openshift_master_ha | bool) and (not master_controllers_service_status_changed | default(false)) and openshift.master.cluster_method == 'native' + ignore_errors: yes diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml new file mode 100644 index 000000000..3f16dd819 --- /dev/null +++ b/roles/nuage_master/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Vishal Patil + description: + company: Nuage Networks + license: Apache License, Version 2.0 + min_ansible_version: 1.8 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system +dependencies: +- { role: nuage_ca } diff --git a/roles/nuage_master/tasks/certificates.yml b/roles/nuage_master/tasks/certificates.yml new file mode 100644 index 000000000..0d3c69467 --- /dev/null +++ b/roles/nuage_master/tasks/certificates.yml @@ -0,0 +1,50 @@ +--- +- name: Create a directory to hold the certificates + file: path="{{ nuage_mon_rest_server_crt_dir }}" state=directory + delegate_to: "{{ nuage_ca_master }}" + +- name: Create the key + command: > + openssl genrsa -out "{{ nuage_ca_master_rest_server_key }}" 4096 + delegate_to: "{{ nuage_ca_master }}" + +- name: Create the req file + command: > + openssl req -key "{{ nuage_ca_master_rest_server_key }}" -new -out "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -subj "/CN={{ ansible_nodename }}" + delegate_to: "{{ nuage_ca_master }}" + +- name: Generate the crt file + command: > + openssl x509 -req -in "{{ nuage_mon_rest_server_crt_dir }}/restServer.req" -CA "{{ nuage_ca_crt }}" -CAkey "{{ nuage_ca_key }}" -CAserial "{{ nuage_ca_serial }}" -out "{{ nuage_ca_master_rest_server_crt }}" + delegate_to: "{{ nuage_ca_master }}" + +- name: Remove the req file + file: path="{{ nuage_mon_rest_server_crt_dir }}/restServer.req" state=absent + delegate_to: "{{ nuage_ca_master }}" + +- name: Copy nuage CA crt + shell: cp "{{ nuage_ca_crt }}" "{{ nuage_mon_rest_server_crt_dir }}" + delegate_to: "{{ nuage_ca_master }}" + +- name: Archive the certificate dir + shell: "cd {{ nuage_mon_rest_server_crt_dir }} && tar -czvf /tmp/{{ ansible_nodename }}.tgz *" + delegate_to: "{{ nuage_ca_master }}" + +- name: Create a temp directory for the certificates + local_action: command mktemp -d "/tmp/openshift-{{ ansible_nodename }}-XXXXXXX" + register: mktemp + +- name: Download the certificates + fetch: src="/tmp/{{ ansible_nodename }}.tgz" dest="{{ mktemp.stdout }}/{{ ansible_nodename }}.tgz" flat=yes + delegate_to: "{{ nuage_ca_master }}" + +- name: Extract the certificates + unarchive: src="{{ mktemp.stdout }}/{{ ansible_nodename }}.tgz" dest={{ nuage_master_crt_dir }} + +- name: Delete the certificates after copy + file: path="{{ nuage_mon_rest_server_crt_dir }}" state=absent + delegate_to: "{{ nuage_ca_master }}" + +- name: Delete the temp directory + file: path="{{ mktemp.stdout }}" state=absent + delegate_to: "{{ nuage_ca_master }}" diff --git a/roles/nuage_master/tasks/main.yaml b/roles/nuage_master/tasks/main.yaml new file mode 100644 index 000000000..abeee3d71 --- /dev/null +++ b/roles/nuage_master/tasks/main.yaml @@ -0,0 +1,36 @@ +--- +- name: Create directory /usr/share/nuage-openshift-monitor + sudo: true + file: path=/usr/share/nuage-openshift-monitor state=directory + +- name: Create the log directory + sudo: true + file: path={{ nuage_mon_rest_server_logdir }} state=directory + +- name: Install Nuage Openshift Monitor + sudo: true + yum: name={{ nuage_openshift_rpm }} state=present + +- name: Run the service account creation script + sudo: true + script: serviceaccount.sh --server={{ openshift.master.api_url }} --output-cert-dir={{ cert_output_dir }} --master-cert-dir={{ openshift_master_config_dir }} + +- name: Download the certs and keys + sudo: true + fetch: src={{ cert_output_dir }}/{{ item }} dest=/tmp/{{ item }} flat=yes + with_items: + - ca.crt + - nuage.crt + - nuage.key + - nuage.kubeconfig + +- include: certificates.yml + +- name: Create nuage-openshift-monitor.yaml + sudo: true + template: src=nuage-openshift-monitor.j2 dest=/usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml owner=root mode=0644 + notify: + - restart master + - restart master api + - restart master controllers + - restart nuage-openshift-monitor diff --git a/roles/nuage_master/templates/nuage-openshift-monitor.j2 b/roles/nuage_master/templates/nuage-openshift-monitor.j2 new file mode 100644 index 000000000..e50e225e1 --- /dev/null +++ b/roles/nuage_master/templates/nuage-openshift-monitor.j2 @@ -0,0 +1,23 @@ +# .kubeconfig that includes the nuage service account +kubeConfig: {{ kube_config }} +# name of the nuage service account, or another account with 'cluster-reader' +# permissions +# Openshift master config file +masterConfig: {{ master_config_yaml }} +# URL of the VSD Architect +vsdApiUrl: {{ vsd_api_url }} +# API version to query against. Usually "v3_2" +vspVersion: {{ vsp_version }} +# File containing a VSP license to install. Only necessary if no license has +# been installed on the VSD Architect before, only valid for standalone vsd install +# licenseFile: "/path/to/base_vsp_license.txt" +# Name of the enterprise in which pods will reside +enterpriseName: {{ enterprise }} +# Name of the domain in which pods will reside +domainName: {{ domain }} +# Location where logs should be saved +log_dir: {{ nuage_mon_rest_server_logdir }} +# Monitor rest server paramters +nuageMonServer: + URL: {{ nuage_mon_rest_server_url }} + certificateDirectory: {{ cert_output_dir }} diff --git a/roles/nuage_master/vars/main.yaml b/roles/nuage_master/vars/main.yaml new file mode 100644 index 000000000..4b57273e4 --- /dev/null +++ b/roles/nuage_master/vars/main.yaml @@ -0,0 +1,16 @@ +openshift_master_config_dir: "{{ openshift.common.config_base }}/master" +ca_cert: "{{ openshift_master_config_dir }}/ca.crt" +admin_config: "{{ openshift.common.config_base }}/master/admin.kubeconfig" +cert_output_dir: /usr/share/nuage-openshift-monitor +kube_config: /usr/share/nuage-openshift-monitor/nuage.kubeconfig +kubemon_yaml: /usr/share/nuage-openshift-monitor/nuage-openshift-monitor.yaml +master_config_yaml: "{{ openshift_master_config_dir }}/master-config.yaml" +nuage_mon_rest_server_port: "{{ nuage_openshift_monitor_rest_server_port | default('9443') }}" +nuage_mon_rest_server_url: "0.0.0.0:{{ nuage_mon_rest_server_port }}" +nuage_mon_rest_server_logdir: "{{ nuage_openshift_monitor_log_dir | default('/var/log/nuage-openshift-monitor') }}" + +nuage_mon_rest_server_crt_dir: "{{ nuage_ca_master_crt_dir }}/{{ ansible_nodename }}" +nuage_ca_master_rest_server_key: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.key" +nuage_ca_master_rest_server_crt: "{{ nuage_mon_rest_server_crt_dir }}/nuageMonServer.crt" + +nuage_master_crt_dir : /usr/share/nuage-openshift-monitor |