From 42d330a1cf2990fee39dab36250524ebfb303428 Mon Sep 17 00:00:00 2001
From: Tim Bielawa
Date: Wed, 6 Sep 2017 15:11:55 -0400
Subject: CFME 4.6 work begins. CFME 4.5 references added to the release-3.6 branch
---
roles/openshift_cfme/tasks/accounts.yml | 65 ++++++++
roles/openshift_cfme/tasks/create_pvs.yml | 36 -----
roles/openshift_cfme/tasks/main.yml | 176 ++++++++++------------
roles/openshift_cfme/tasks/nfs.yml | 51 -------
roles/openshift_cfme/tasks/storage/create_pvs.yml | 36 +++++
roles/openshift_cfme/tasks/storage/nfs.yml | 103 +++++++++++++
roles/openshift_cfme/tasks/storage/storage.yml | 3 +
roles/openshift_cfme/tasks/template.yml | 72 +++++++++
roles/openshift_cfme/tasks/tune_masters.yml | 12 --
roles/openshift_cfme/tasks/validate.yml | 34 +++++
10 files changed, 392 insertions(+), 196 deletions(-)
create mode 100644 roles/openshift_cfme/tasks/accounts.yml
delete mode 100644 roles/openshift_cfme/tasks/create_pvs.yml
delete mode 100644 roles/openshift_cfme/tasks/nfs.yml
create mode 100644 roles/openshift_cfme/tasks/storage/create_pvs.yml
create mode 100644 roles/openshift_cfme/tasks/storage/nfs.yml
create mode 100644 roles/openshift_cfme/tasks/storage/storage.yml
create mode 100644 roles/openshift_cfme/tasks/template.yml
delete mode 100644 roles/openshift_cfme/tasks/tune_masters.yml
create mode 100644 roles/openshift_cfme/tasks/validate.yml
(limited to 'roles/openshift_cfme/tasks')
diff --git a/roles/openshift_cfme/tasks/accounts.yml b/roles/openshift_cfme/tasks/accounts.yml
new file mode 100644
index 000000000..261e7858b
--- /dev/null
+++ b/roles/openshift_cfme/tasks/accounts.yml
@@ -0,0 +1,65 @@
+---
+# This role task file is responsible for user/system account creation,
+# and ensuring correct access is provided as required.
+
+# TODO: This is currently not idempotent, bug report will be filed
+# after this. Currently this task will return 'changed' if it just
+# created a user, updated a user, or doesn't modify a user at
+# all. Seems to be failing some kind of 'does it need updating' test
+# condition and running the replace command regardless.
+- name: Check if the miq-httpd scc exists
+ oc_obj:
+ namespace: "{{ openshift_cfme_project }}"
+ state: list
+ kind: scc
+ name: miq-httpd
+ register: miq_httpd_scc_exists
+
+# TODO: Cleanup when conditions
+- name: Copy the miq-httpd SCC to the cluster
+ copy:
+ src: miq-scc-httpd.yaml
+ dest: "{{ template_dir }}"
+ when:
+ - miq_httpd_scc_exists.results.results | length == 1
+ - miq_httpd_scc_exists.results.results[0] == {}
+
+- name: Ensure the CFME miq-httpd SCC exists
+ oc_obj:
+ state: present
+ name: miq-httpd
+ namespace: "{{ openshift_cfme_project }}"
+ kind: scc
+ files:
+ - "{{ template_dir }}/miq-scc-httpd.yaml"
+ delete_after: True
+ run_once: True
+ when:
+ - miq_httpd_scc_exists.results.results | length == 1
+ - miq_httpd_scc_exists.results.results[0] == {}
+
+- name: Ensure the CFME system users exist
+ oc_serviceaccount:
+ namespace: "{{ openshift_cfme_project }}"
+ state: present
+ name: "{{ item.name }}"
+ with_items:
+ - "{{ openshift_system_account_sccs }}"
+
+- name: Ensure the CFME system accounts have all the required SCCs
+ oc_adm_policy_user:
+ namespace: "{{ openshift_cfme_project }}"
+ user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}"
+ resource_kind: scc
+ resource_name: "{{ item.resource_name }}"
+ with_items:
+ - "{{ openshift_system_account_sccs }}"
+
+- name: Ensure the CFME system accounts have the required roles
+ oc_adm_policy_user:
+ namespace: "{{ openshift_cfme_project }}"
+ user: "system:serviceaccount:{{ openshift_cfme_project }}:{{ item.name }}"
+ resource_kind: role
+ resource_name: "{{ item.resource_name }}"
+ with_items:
+ - "{{ openshift_cfme_system_account_roles }}"
diff --git a/roles/openshift_cfme/tasks/create_pvs.yml b/roles/openshift_cfme/tasks/create_pvs.yml
deleted file mode 100644
index 7fa7d3997..000000000
--- a/roles/openshift_cfme/tasks/create_pvs.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-# Check for existance and then conditionally:
-# - evaluate templates
-# - PVs
-#
-# These tasks idempotently create required CFME PV objects. Do not
-# call this file directly. This file is intended to be ran as an
-# include that has a 'with_items' attached to it. Hence the use below
-# of variables like "{{ item.pv_label }}"
-
-- name: "Check if the {{ item.pv_label }} template has been created already"
- oc_obj:
- namespace: "{{ openshift_cfme_project }}"
- state: list
- kind: pv
- name: "{{ item.pv_name }}"
- register: miq_pv_check
-
-# Skip all of this if the PV already exists
-- block:
- - name: "Ensure the {{ item.pv_label }} template is evaluated"
- template:
- src: "{{ item.pv_template }}.j2"
- dest: "{{ template_dir }}/{{ item.pv_template }}"
-
- - name: "Ensure {{ item.pv_label }} is created"
- oc_obj:
- namespace: "{{ openshift_cfme_project }}"
- kind: pv
- name: "{{ item.pv_name }}"
- state: present
- delete_after: True
- files:
- - "{{ template_dir }}/{{ item.pv_template }}"
- when:
- - not miq_pv_check.results.results.0
diff --git a/roles/openshift_cfme/tasks/main.yml b/roles/openshift_cfme/tasks/main.yml
index 74ae16d91..cf5a7fdeb 100644
--- a/roles/openshift_cfme/tasks/main.yml
+++ b/roles/openshift_cfme/tasks/main.yml
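Review bot: In accounts.yml the service accounts and their SCC grants are driven by `openshift_system_account_sccs`, which lacks the `openshift_cfme_` prefix that the roles list (`openshift_cfme_system_account_roles`) carries. Because this list decides which security context constraints the accounts receive, an un-namespaced name is easier to override or collide with from inventory or another role; if the defaults file (outside this diff) allows it, rename it to `openshift_cfme_system_account_sccs`. The copy task writes to `dest: "{{ template_dir }}"` without a trailing slash while the next task reads `{{ template_dir }}/miq-scc-httpd.yaml`; `dest: "{{ template_dir }}/"`, as template.yml uses, does not depend on the directory already existing. The idempotency TODO sits above the SCC lookup but appears to describe the `oc_adm_policy_user` tasks, so it would read better next to them.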
@@ -1,117 +1,99 @@ --- -###################################################################### +######################################################################) # Users, projects, and privileges -- name: Ensure the CFME user exists - oc_user: - state: present - username: "{{ openshift_cfme_user }}" +- name: Run pre-install CFME validation checks + include: validate.yml -- name: Ensure the CFME namespace exists with CFME user as admin +- name: "Ensure the CFME '{{ openshift_cfme_project }}' namespace exists" oc_project: state: present name: "{{ openshift_cfme_project }}" display_name: "{{ openshift_cfme_project_description }}" - admin: "{{ openshift_cfme_user }}" - -- name: Ensure the CFME namespace service account is privileged - oc_adm_policy_user: - namespace: "{{ openshift_cfme_project }}" - user: "{{ openshift_cfme_service_account }}" - resource_kind: scc - resource_name: privileged - state: present -###################################################################### -# NFS -# In the case that we are not running on a cloud provider, volumes must be statically provisioned - -- include: nfs.yml - when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce')) +- name: Create and Authorize CFME Accounts + include: accounts.yml ###################################################################### -# CFME App Template -# -# Note, this is different from the create_pvs.yml tasks in that the -# application template does not require any jinja2 evaluation. -# -# TODO: Handle the case where the server template is updated in -# openshift-ansible and the change needs to be landed on the managed -# cluster. 
- -- name: Check if the CFME Server template has been created already - oc_obj: - namespace: "{{ openshift_cfme_project }}" - state: list - kind: template - name: manageiq - register: miq_server_check - -- name: Copy over CFME Server template - copy: - src: miq-template.yaml - dest: "{{ template_dir }}/miq-template.yaml" - -- name: Ensure the server template was read from disk +# STORAGE - Initialize basic storage classes +#--------------------------------------------------------------------- +# * nfs - set up NFS shares on the first master for a proof of concept +- name: Create required NFS exports for CFME app storage + include: storage/nfs.yml + when: openshift_cfme_storage_class == 'nfs' + +#--------------------------------------------------------------------- +# * external - NFS again, but pointing to a pre-configured NFS server +- name: Note Storage Type - External NFS debug: - var=r_openshift_cfme_miq_template_content + msg: Setting up external NFS storage, openshift_cfme_storage_class is 'external' + when: openshift_cfme_storage_class == 'external' -- name: Ensure CFME Server Template exists - oc_obj: - namespace: "{{ openshift_cfme_project }}" - kind: template - name: "manageiq" - state: present - content: "{{ r_openshift_cfme_miq_template_content }}" +#--------------------------------------------------------------------- +# * cloudprovider - use an existing cloudprovider based storage +- name: Note Storage Type - Cloud Provider + debug: + msg: Validating cloud provider storage type, openshift_cfme_storage_class is 'cloudprovider' + when: openshift_cfme_storage_class == 'cloudprovider' + +#--------------------------------------------------------------------- +# * preconfigured - don't do anything, assume it's all there ready to go +- name: Note Storage Type - Preconfigured + debug: + msg: Skipping storage configuration, openshift_cfme_storage_class is 'preconfigured' + when: openshift_cfme_storage_class == 'preconfigured' 
###################################################################### -# Let's do this - -- name: Ensure the CFME Server is created - oc_process: - namespace: "{{ openshift_cfme_project }}" - template_name: manageiq - create: True - params: - APPLICATION_IMG_NAME: "{{ openshift_cfme_application_img_name }}" - POSTGRESQL_IMG_NAME: "{{ openshift_cfme_postgresql_img_name }}" - MEMCACHED_IMG_NAME: "{{ openshift_cfme_memcached_img_name }}" - APPLICATION_IMG_TAG: "{{ openshift_cfme_application_img_tag }}" - POSTGRESQL_IMG_TAG: "{{ openshift_cfme_postgresql_img_tag }}" - MEMCACHED_IMG_TAG: "{{ openshift_cfme_memcached_img_tag }}" - register: cfme_new_app_process - run_once: True - when: - # User said to install CFME in their inventory - - openshift_cfme_install_app | bool - # # The server app doesn't exist already - # - not miq_server_check.results.results.0 - -- debug: - var: cfme_new_app_process +# APPLICATION TEMPLATE +- name: Install the correct CFME app template + include: template.yml ###################################################################### -# Various cleanup steps - -# TODO: Not sure what to do about this right now. Might be able to -# just delete it? This currently warns about "Unable to find -# '' in expected paths." -- name: Ensure the temporary PV/App templates are erased - file: - path: "{{ item }}" - state: absent - with_fileglob: - - "{{ template_dir }}/*.yaml" - -- name: Ensure the temporary PV/app template directory is erased - file: - path: "{{ template_dir }}" - state: absent +# APP & DB Storage + ###################################################################### -- name: Status update - debug: - msg: > - CFME has been deployed. Note that there will be a delay before - it is fully initialized. 
+# ######################################################################
+# # Let's do this
+
+# - name: Ensure the CFME Server is created
+# oc_process:
+# namespace: "{{ openshift_cfme_project }}"
+# template_name: manageiq
+# create: True
+# params:
+# APPLICATION_IMG_NAME: "{{ openshift_cfme_application_img_name }}"
+# POSTGRESQL_IMG_NAME: "{{ openshift_cfme_postgresql_img_name }}"
+# MEMCACHED_IMG_NAME: "{{ openshift_cfme_memcached_img_name }}"
+# APPLICATION_IMG_TAG: "{{ openshift_cfme_application_img_tag }}"
+# POSTGRESQL_IMG_TAG: "{{ openshift_cfme_postgresql_img_tag }}"
+# MEMCACHED_IMG_TAG: "{{ openshift_cfme_memcached_img_tag }}"
+# register: cfme_new_app_process
+# run_once: True
+# when:
+# # User said to install CFME in their inventory
+# - openshift_cfme_install_app | bool
+# # # The server app doesn't exist already
+# # - not miq_server_check.results.results.0
+
+# - debug:
+# var: cfme_new_app_process
+
+# ######################################################################
+# # Various cleanup steps
+
+# # TODO: Not sure what to do about this right now. Might be able to
+# # just delete it? This currently warns about "Unable to find
+# # '' in expected paths."
+# - name: Ensure the temporary PV/App templates are erased
+# file:
+# path: "{{ item }}"
+# state: absent
+# with_fileglob:
+# - "{{ template_dir }}/*.yaml"
+
+# - name: Ensure the temporary PV/app template directory is erased
+# file:
+# path: "{{ template_dir }}"
+# state: absent
diff --git a/roles/openshift_cfme/tasks/nfs.yml b/roles/openshift_cfme/tasks/nfs.yml
deleted file mode 100644
index ca04628a8..000000000
--- a/roles/openshift_cfme/tasks/nfs.yml
+++ /dev/null
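Review bot: With the cleanup tasks at the end of main.yml commented out, nothing visible in this change removes `{{ template_dir }}` any more, so manifests copied there by accounts.yml and template.yml stay on the host after the run unless the individual task sets `delete_after: True`. Either keep the "Ensure the temporary PV/app template directory is erased" task active or add a comment saying where the directory is now cleaned up. The 'external' and 'cloudprovider' branches only print a debug message (the latter says "Validating" although no check runs at that point), so a comment such as `# TODO: no storage is configured for this class yet` would stop readers assuming they do work. The banner on the second line of the file also gained a stray `)`.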
@@ -1,51 +0,0 @@
----
-# Tasks to statically provision NFS volumes
-# Include if not using dynamic volume provisioning
-
-- name: Set openshift_cfme_nfs_server fact
- when: openshift_cfme_nfs_server is not defined
- set_fact:
- # Hostname/IP of the NFS server. Currently defaults to first master
- openshift_cfme_nfs_server: "{{ oo_nfs_to_config.0 }}"
-
-- name: Ensure the /exports/ directory exists
- file:
- path: /exports/
- state: directory
- mode: 0755
- owner: root
- group: root
-
-- name: Ensure the miq-pv0X export directories exist
- file:
- path: "/exports/{{ item }}"
- state: directory
- mode: 0775
- owner: root
- group: root
- with_items: "{{ openshift_cfme_pv_exports }}"
-
-- name: Ensure the NFS exports for CFME PVs exist
- copy:
- src: openshift_cfme.exports
- dest: /etc/exports.d/openshift_cfme.exports
- register: nfs_exports_updated
-
-- name: Ensure the NFS export table is refreshed if exports were added
- command: exportfs -ar
- when:
- - nfs_exports_updated.changed
-
-
-######################################################################
-# Create the required CFME PVs. Check out these online docs if you
-# need a refresher on includes looping with items:
-# * http://docs.ansible.com/ansible/playbooks_loops.html#loops-and-includes-in-2-0
-# * http://stackoverflow.com/a/35128533
-#
-# TODO: Handle the case where a PV template is updated in
-# openshift-ansible and the change needs to be landed on the managed
-# cluster.
-
-- include: create_pvs.yml
- with_items: "{{ openshift_cfme_pv_data }}"
diff --git a/roles/openshift_cfme/tasks/storage/create_pvs.yml b/roles/openshift_cfme/tasks/storage/create_pvs.yml
new file mode 100644
index 000000000..7fa7d3997
--- /dev/null
+++ b/roles/openshift_cfme/tasks/storage/create_pvs.yml
@@ -0,0 +1,36 @@
+---
+# Check for existance and then conditionally:
+# - evaluate templates
+# - PVs
+#
+# These tasks idempotently create required CFME PV objects. Do not
+# call this file directly. This file is intended to be ran as an
+# include that has a 'with_items' attached to it. Hence the use below
+# of variables like "{{ item.pv_label }}"
+
+- name: "Check if the {{ item.pv_label }} template has been created already"
+ oc_obj:
+ namespace: "{{ openshift_cfme_project }}"
+ state: list
+ kind: pv
+ name: "{{ item.pv_name }}"
+ register: miq_pv_check
+
+# Skip all of this if the PV already exists
+- block:
+ - name: "Ensure the {{ item.pv_label }} template is evaluated"
+ template:
+ src: "{{ item.pv_template }}.j2"
+ dest: "{{ template_dir }}/{{ item.pv_template }}"
+
+ - name: "Ensure {{ item.pv_label }} is created"
+ oc_obj:
+ namespace: "{{ openshift_cfme_project }}"
+ kind: pv
+ name: "{{ item.pv_name }}"
+ state: present
+ delete_after: True
+ files:
+ - "{{ template_dir }}/{{ item.pv_template }}"
+ when:
+ - not miq_pv_check.results.results.0
diff --git a/roles/openshift_cfme/tasks/storage/nfs.yml b/roles/openshift_cfme/tasks/storage/nfs.yml
new file mode 100644
index 000000000..8151f9fbb
--- /dev/null
+++ b/roles/openshift_cfme/tasks/storage/nfs.yml
@@ -0,0 +1,103 @@
+---
+# Tasks to statically provision NFS volumes
+# Include if not using dynamic volume provisioning
+
+- name: Note Storage Type - NFS
+ debug:
+ msg: Setting up NFS storage, openshift_cfme_storage_class is 'nfs'
+
+- name: TODO
+ debug:
+ msg: TODO - replace hard-coded hostname below with oo_nfs_to_config.0
+
+- name: Set openshift_cfme_nfs_server fact
+ when: openshift_cfme_nfs_server is not defined
+ set_fact:
+ # Hostname/IP of the NFS server. Currently defaults to first master
+ openshift_cfme_nfs_server: m01.example.com
+
+# TODO: I was going to try to apply the openshift_storage_nfs role to
+# handle this, however, that role is not written to be used by
+# itself. Attempting to use it to create CFME exports would just add
+# more hard-coded values to the role. That said, we're doing this here
+# manually for now until some one comes up with a better solution, or
+# the role is made to accept parameters in a more functional way.
+#
+# I can't really even include the openshift_storage_nfs role in here
+# to do basic setup stuff because it would just result in a lot of
+# unwanted exports getting set up for the users.
+
+- name: Ensure the /exports/ directory exists
+ file:
+ path: /exports/
+ state: directory
+ mode: 0755
+ owner: root
+ group: root
+
+- name: Ensure exports directory exists
+ file:
+ path: /etc/exports.d/
+ state: directory
+
+# # TODO - with_items should be passed a list of storage configs for the
+# # desired CFME setup. This might mean a local or remote nfs server, as
+# # well as fully qualified filesystem paths.
+# - name: Ensure export directories exist
+# file:
+# path: "{{ item.storage.nfs.directory }}/{{ item.storage.volume.name }}"
+# state: directory
+# mode: 0777
+# owner: nfsnobody
+# group: nfsnobody
+# with_items:
+
+- name: Enable and start services
+ systemd:
+ name: nfs-server
+ state: started
+ enabled: yes
+ register: start_result
+
+- set_fact:
+ nfs_service_status_changed: "{{ start_result | changed }}"
+
+- name: restart nfs-server
+ systemd:
+ name: nfs-server
+ state: restarted
+ when: nfs_service_status_changed | default(false)
+ notify:
+ - "OpenShift-CFME - Reload NFS Exports"
+
+######################################################################
+# TODO: Move the export directory and PV creation into individual
+# tasks under the respective server/database task files.
+
+# # - name: Ensure the miq-pv0X export directories exist
+# # file:
+# # path: "/exports/{{ item }}"
+# # state: directory
+# # mode: 0775
+# # owner: nfsnobody
+# # group: nfsnobody
+# # with_items: "{{ openshift_cfme_pv_exports }}"
+
+# # - name: Ensure the NFS exports for CFME PVs exist
+# # copy:
+# # src: openshift_cfme.exports
+# # dest: /etc/exports.d/openshift_cfme.exports
+# # register: nfs_exports_updated
+
+
+# # Create the required CFME PVs. Check out these online docs if you
+# # need a refresher on includes looping with items:
+# # * http://docs.ansible.com/ansible/playbooks_loops.html#loops-and-includes-in-2-0
+# # * http://stackoverflow.com/a/35128533
+
+# # TODO: Handle the case where a PV template is updated in
+# # openshift-ansible and the change needs to be landed on the managed
+# # cluster.
+
+# # - include: create_pvs.yml
+# # with_items: "{{ openshift_cfme_pv_data }}"
diff --git a/roles/openshift_cfme/tasks/storage/storage.yml b/roles/openshift_cfme/tasks/storage/storage.yml
new file mode 100644
index 000000000..d8bf7aa3e
--- /dev/null
+++ b/roles/openshift_cfme/tasks/storage/storage.yml
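Review bot: In storage/nfs.yml the `set_fact` default `openshift_cfme_nfs_server: m01.example.com` replaces the earlier `"{{ oo_nfs_to_config.0 }}"` lookup with a fixed placeholder host, so any cluster that leaves the variable unset ends up pointing its CFME storage at a name it does not control; the TODO debug task acknowledges this but does not stop the run. Restore `openshift_cfme_nfs_server: "{{ oo_nfs_to_config.0 }}"`, or fail when the variable is undefined. The new `/etc/exports.d/` task sets no `owner`, `group` or `mode`, unlike the `/exports/` task above it; adding `mode: "0755"`, `owner: root` and `group: root` pins the permissions of the export configuration directory instead of leaving them to the umask. The `restart nfs-server` task restarts a service that was only just started and relies on a handler named "OpenShift-CFME - Reload NFS Exports" that is outside this diff.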
@@ -0,0 +1,3 @@
+---
+- include: nfs.yml
+ when: not (openshift_cloudprovider_kind is defined and (openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'))
diff --git a/roles/openshift_cfme/tasks/template.yml b/roles/openshift_cfme/tasks/template.yml
new file mode 100644
index 000000000..11ccae3e6
--- /dev/null
+++ b/roles/openshift_cfme/tasks/template.yml
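Review bot: storage/storage.yml gates NFS setup on `openshift_cloudprovider_kind` not being 'aws' or 'gce', while main.yml in the same commit includes `storage/nfs.yml` directly under `when: openshift_cfme_storage_class == 'nfs'`, so the two conditions can disagree about when local NFS exports get created. No hunk shown here includes storage.yml; if it is a leftover of the old layout it is worth dropping, otherwise switch it to the same `openshift_cfme_storage_class == 'nfs'` test and add a header comment naming the file that includes it.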
@@ -0,0 +1,72 @@
+---
+# Tasks for ensuring the correct CFME templates are landed on the remote system
+
+######################################################################
+# CFME App Template
+#
+# Note, this is different from the create_pvs.yml tasks in that the
+# application template does not require any jinja2 evaluation.
+#
+# TODO: Handle the case where the server template is updated in
+# openshift-ansible and the change needs to be landed on the managed
+# cluster.
+
+######################################################################
+# STANDARD PODIFIED DATABASE TEMPLATE
+- when: openshift_cfme_app_template == 'miq-template'
+ block:
+ - name: Check if the CFME Server template has been created already
+ oc_obj:
+ namespace: "{{ openshift_cfme_project }}"
+ state: list
+ kind: template
+ name: manageiq
+ register: miq_server_check
+
+ - name: Copy over CFME Server template
+ copy:
+ src: miq-template.yaml
+ dest: "{{ template_dir }}/"
+ when:
+ - miq_server_check.results.results == [{}]
+
+ - name: Ensure CFME Server Template is created
+ oc_obj:
+ namespace: "{{ openshift_cfme_project }}"
+ name: manageiq
+ state: present
+ kind: template
+ files:
+ - "{{ template_dir }}/miq-template.yaml"
+ when:
+ - miq_server_check.results.results == [{}]
+
+######################################################################
+# EXTERNAL DATABASE TEMPLATE
+- when: openshift_cfme_app_template == 'miq-template-ext-db'
+ block:
+ - name: Check if the CFME Ext-DB Server template has been created already
+ oc_obj:
+ namespace: "{{ openshift_cfme_project }}"
+ state: list
+ kind: template
+ name: manageiq-ext-db
+ register: miq_ext_db_server_check
+
+ - name: Copy over CFME Ext-DB Server template
+ copy:
+ src: miq-template-ext-db.yaml
+ dest: "{{ template_dir }}/"
+ when:
+ - miq_ext_db_server_check.results.results == [{}]
+
+ - name: Ensure CFME Ext-DB Server Template is created
+ oc_obj:
+ namespace: "{{ openshift_cfme_project }}"
+ name: manageiq-ext-db
+ state: present
+ kind: template
+ files:
+ - "{{ template_dir }}/miq-template-ext-db.yaml"
+ when:
+ - miq_ext_db_server_check.results.results == [{}]
diff --git a/roles/openshift_cfme/tasks/tune_masters.yml b/roles/openshift_cfme/tasks/tune_masters.yml
deleted file mode 100644
index 02b0f10bf..000000000
--- a/roles/openshift_cfme/tasks/tune_masters.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: Ensure bulk image import limit is tuned
- yedit:
- src: /etc/origin/master/master-config.yaml
- key: 'imagePolicyConfig.maxImagesBulkImportedPerRepository'
- value: "{{ openshift_cfme_maxImagesBulkImportedPerRepository | int() }}"
- state: present
- backup: True
- notify:
- - restart master
-
-- meta: flush_handlers
diff --git a/roles/openshift_cfme/tasks/validate.yml b/roles/openshift_cfme/tasks/validate.yml
new file mode 100644
index 000000000..61448aa3b
--- /dev/null
+++ b/roles/openshift_cfme/tasks/validate.yml
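Review bot: In template.yml both `oc_obj` tasks that load a template from `{{ template_dir }}` omit `delete_after: True`, which the SCC task in accounts.yml and the PV task in create_pvs.yml set, so `miq-template.yaml` and `miq-template-ext-db.yaml` are left on the host now that the cleanup in main.yml is commented out; add `delete_after: True` to both. The existence test is written `== [{}]` here but as `| length == 1` plus `[0] == {}` in accounts.yml, and using one form throughout would make the role easier to audit. Because creation is skipped whenever the object exists, a template already on the cluster is never refreshed; the header TODO mentions this, and a short comment on the `when:` lines would make the consequence explicit.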
@@ -0,0 +1,34 @@
+---
+# Validate configuration parameters passed to the openshift_cfme role
+
+- name: Ensure openshift_cfme_app_template is valid
+ assert:
+ that:
+ - openshift_cfme_app_template in openshift_cfme_app_templates
+ msg: "openshift_cfme_app_template must be one of {{ openshift_cfme_app_templates | join(', ') }}"
+
+- name: Ensure openshift_cfme_storage_class is a valid type
+ assert:
+ that:
+ - openshift_cfme_storage_class in openshift_cfme_storage_classes
+ msg: "openshift_cfme_storage_class must be one of {{ openshift_cfme_storage_classes | join(', ') }}"
+
+- name: Ensure external NFS storage has a valid NFS server hostname defined
+ assert:
+ that:
+ - openshift_cfme_storage_external_nfs_hostname is not False
+ msg: The selected storage class 'external' requires a valid hostname for the openshift_cfme_storage_external_nfs_hostname parameter
+ when:
+ - openshift_cfme_storage_class == 'external'
+
+- name: Validate Cloud Provider storage class
+ assert:
+ that:
+ - openshift_cloudprovider_kind == 'aws' or openshift_cloudprovider_kind == 'gce'
+ msg: |
+ openshift_cfme_storage_class is 'cloudprovider' but you have an
+ invalid kind defined. See 'openshift_cloudprovider_kind' in the
+ example inventories for the required parameters for your
+ selected cloud provider. Working providers: 'aws' and 'gce'.
+ when:
+ - openshift_cloudprovider_kind is defined
-- cgit v1.2.3
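Review bot: The "Validate Cloud Provider storage class" assert in validate.yml is guarded by `when: openshift_cloudprovider_kind is defined` rather than by the storage class, so choosing 'cloudprovider' with no provider configured skips the check entirely, while a provider other than aws/gce fails validation even when the storage class is 'nfs'. Guard it with `- openshift_cfme_storage_class == 'cloudprovider'` and make `- openshift_cloudprovider_kind is defined` the first entry under `that:`. The external-NFS assert only compares the hostname against `False`, so an empty string passes; `- openshift_cfme_storage_external_nfs_hostname | default('', true) | length > 0` rejects empty and unset values as well.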