From f2f58c7cda094d933991cebacab3dfdbee86fe6d Mon Sep 17 00:00:00 2001
From: Matthew Wong <mawong@redhat.com>
Date: Thu, 30 Mar 2017 13:21:00 -0400
Subject: Add external provisioners playbook starting with aws efs

---
 .../tasks/generate_clusterrolebindings.yaml        | 19 ++++++
 .../tasks/generate_secrets.yaml                    | 14 +++++
 .../tasks/generate_serviceaccounts.yaml            | 12 ++++
 .../openshift_provisioners/tasks/install_efs.yaml  | 70 ++++++++++++++++++++++
 .../tasks/install_provisioners.yaml                | 55 +++++++++++++++++
 .../tasks/install_support.yaml                     | 24 ++++++++
 roles/openshift_provisioners/tasks/main.yaml       | 27 +++++++++
 roles/openshift_provisioners/tasks/oc_apply.yaml   | 51 ++++++++++++++++
 .../tasks/start_cluster.yaml                       | 20 +++++++
 .../openshift_provisioners/tasks/stop_cluster.yaml | 20 +++++++
 .../tasks/uninstall_provisioners.yaml              | 43 +++++++++++++
 11 files changed, 355 insertions(+)
 create mode 100644 roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml
 create mode 100644 roles/openshift_provisioners/tasks/generate_secrets.yaml
 create mode 100644 roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml
 create mode 100644 roles/openshift_provisioners/tasks/install_efs.yaml
 create mode 100644 roles/openshift_provisioners/tasks/install_provisioners.yaml
 create mode 100644 roles/openshift_provisioners/tasks/install_support.yaml
 create mode 100644 roles/openshift_provisioners/tasks/main.yaml
 create mode 100644 roles/openshift_provisioners/tasks/oc_apply.yaml
 create mode 100644 roles/openshift_provisioners/tasks/start_cluster.yaml
 create mode 100644 roles/openshift_provisioners/tasks/stop_cluster.yaml
 create mode 100644 roles/openshift_provisioners/tasks/uninstall_provisioners.yaml

(limited to 'roles/openshift_provisioners/tasks')

diff --git a/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml b/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml
new file mode 100644
index 000000000..ac21a5e37
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/generate_clusterrolebindings.yaml
@@ -0,0 +1,19 @@
+---
+- name: Generate ClusterRoleBindings
+  template: src=clusterrolebinding.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-clusterrolebinding.yaml
+  vars:
+    acct_name: provisioners-{{item}}
+    obj_name: run-provisioners-{{item}}
+    labels:
+      provisioners-infra: support
+    crb_usernames: ["system:serviceaccount:{{openshift_provisioners_project}}:{{acct_name}}"]
+    subjects:
+      - kind: ServiceAccount
+        name: "{{acct_name}}"
+        namespace: "{{openshift_provisioners_project}}"
+    cr_name: "system:persistent-volume-provisioner"
+  with_items:
+    # TODO
+    - efs
+  check_mode: no
+  changed_when: no
diff --git a/roles/openshift_provisioners/tasks/generate_secrets.yaml b/roles/openshift_provisioners/tasks/generate_secrets.yaml
new file mode 100644
index 000000000..e6cbb1bbf
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/generate_secrets.yaml
@@ -0,0 +1,14 @@
+---
+- name: Generate secret for efs
+  template: src=secret.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-secret.yaml
+  vars:
+    name: efs
+    obj_name: "provisioners-efs"
+    labels:
+      provisioners-infra: support
+    secrets:
+      - {key: aws-access-key-id, value: "{{openshift_provisioners_efs_aws_access_key_id}}"}
+      - {key: aws-secret-access-key, value: "{{openshift_provisioners_efs_aws_secret_access_key}}"}
+  check_mode: no
+  changed_when: no
+  when: openshift_provisioners_efs | bool
diff --git a/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml b/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml
new file mode 100644
index 000000000..4fe0583ee
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/generate_serviceaccounts.yaml
@@ -0,0 +1,12 @@
+---
+- name: Generating serviceaccounts
+  template: src=serviceaccount.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-sa.yaml
+  vars:
+    obj_name: provisioners-{{item}}
+    labels:
+      provisioners-infra: support
+  with_items:
+  # TODO
+  - efs
+  check_mode: no
+  changed_when: no
diff --git a/roles/openshift_provisioners/tasks/install_efs.yaml b/roles/openshift_provisioners/tasks/install_efs.yaml
new file mode 100644
index 000000000..57279c665
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/install_efs.yaml
@@ -0,0 +1,70 @@
+---
+- name: Check efs current replica count
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get dc provisioners-efs
+    -o jsonpath='{.spec.replicas}' -n {{openshift_provisioners_project}}
+  register: efs_replica_count
+  when: not ansible_check_mode
+  ignore_errors: yes
+  changed_when: no
+
+- name: Generate efs PersistentVolumeClaim
+  template: src=pvc.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-pvc.yaml
+  vars:
+    obj_name: "provisioners-efs"
+    size: "1Mi"
+    access_modes:
+      - "ReadWriteMany"
+    pv_selector:
+      provisioners-efs: efs
+  check_mode: no
+  changed_when: no
+
+- name: Generate efs PersistentVolume
+  template: src=pv.j2 dest={{mktemp.stdout}}/templates/{{obj_name}}-pv.yaml
+  vars:
+    obj_name: "provisioners-efs"
+    size: "1Mi"
+    access_modes:
+      - "ReadWriteMany"
+    labels:
+      provisioners-efs: efs
+    volume_plugin: "nfs"
+    volume_source:
+      - {key: "server", value: "{{openshift_provisioners_efs_fsid}}.efs.{{openshift_provisioners_efs_region}}.amazonaws.com"}
+      - {key: "path", value: "{{openshift_provisioners_efs_path}}"}
+    claim_name: "provisioners-efs"
+  check_mode: no
+  changed_when: no
+
+- name: Generate efs DeploymentConfig
+  template:
+    src: efs.j2
+    dest: "{{ mktemp.stdout }}/templates/{{deploy_name}}-dc.yaml"
+  vars:
+    name: efs
+    deploy_name: "provisioners-efs"
+    deploy_serviceAccount: "provisioners-efs"
+    replica_count: "{{efs_replica_count.stdout | default(0)}}"
+    node_selector: "{{openshift_provisioners_efs_nodeselector | default('') }}"
+    claim_name: "provisioners-efs"
+  check_mode: no
+  changed_when: false
+
+# anyuid in order to run as root & chgrp shares with allocated gids
+- name: "Check efs anyuid permissions"
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+    get scc/anyuid -o jsonpath='{.users}'
+  register: efs_anyuid
+  check_mode: no
+  changed_when: no
+
+- name: "Set anyuid permissions for efs"
+  command: >
+    {{ openshift.common.admin_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig policy
+    add-scc-to-user anyuid system:serviceaccount:{{openshift_provisioners_project}}:provisioners-efs
+  register: efs_output
+  failed_when: "efs_output.rc == 1 and 'exists' not in efs_output.stderr"
+  check_mode: no
+  when: efs_anyuid.stdout.find("system:serviceaccount:{{openshift_provisioners_project}}:provisioners-efs") == -1
diff --git a/roles/openshift_provisioners/tasks/install_provisioners.yaml b/roles/openshift_provisioners/tasks/install_provisioners.yaml
new file mode 100644
index 000000000..324fdcc82
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/install_provisioners.yaml
@@ -0,0 +1,55 @@
+---
+- name: Check that EFS File System ID is set
+  fail: msg='the openshift_provisioners_efs_fsid variable is required'
+  when: (openshift_provisioners_efs | bool) and openshift_provisioners_efs_fsid is not defined
+
+- name: Check that EFS region is set
+  fail: msg='the openshift_provisioners_efs_region variable is required'
+  when: (openshift_provisioners_efs | bool) and openshift_provisioners_efs_region is not defined
+
+- name: Check that EFS AWS access key id is set
+  fail: msg='the openshift_provisioners_efs_aws_access_key_id variable is required'
+  when: (openshift_provisioners_efs | bool) and openshift_provisioners_efs_aws_access_key_id is not defined
+
+- name: Check that EFS AWS secret access key is set
+  fail: msg='the openshift_provisioners_efs_aws_secret_access_key variable is required'
+  when: (openshift_provisioners_efs | bool) and openshift_provisioners_efs_aws_secret_access_key is not defined
+
+- name: Install support
+  include: install_support.yaml
+
+- name: Install EFS
+  include: install_efs.yaml
+  when: openshift_provisioners_efs | bool
+
+- find: paths={{ mktemp.stdout }}/templates patterns=*.yaml
+  register: object_def_files
+  changed_when: no
+
+- slurp: src={{item}}
+  register: object_defs
+  with_items: "{{object_def_files.files | map(attribute='path') | list | sort}}"
+  changed_when: no
+
+- name: Create objects
+  include: oc_apply.yaml
+  vars:
+    - kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig"
+    - namespace: "{{ openshift_provisioners_project }}"
+    - file_name: "{{ file.source }}"
+    - file_content: "{{ file.content | b64decode | from_yaml }}"
+  with_items: "{{ object_defs.results }}"
+  loop_control:
+    loop_var: file
+  when: not ansible_check_mode
+
+- name: Printing out objects to create
+  debug: msg={{file.content | b64decode }}
+  with_items: "{{ object_defs.results }}"
+  loop_control:
+    loop_var: file
+  when: ansible_check_mode
+
+- name: Scaling up cluster
+  include: start_cluster.yaml
+  when: start_cluster | default(true) | bool
diff --git a/roles/openshift_provisioners/tasks/install_support.yaml b/roles/openshift_provisioners/tasks/install_support.yaml
new file mode 100644
index 000000000..ba472f1c9
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/install_support.yaml
@@ -0,0 +1,24 @@
+---
+- name: Check for provisioners project already exists
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig get project {{openshift_provisioners_project}} --no-headers
+  register: provisioners_project_result
+  ignore_errors: yes
+  when: not ansible_check_mode
+  changed_when: no
+
+- name: Create provisioners project
+  command: >
+    {{ openshift.common.admin_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig new-project {{openshift_provisioners_project}}
+  when: not ansible_check_mode and "not found" in provisioners_project_result.stderr
+
+- name: Create temp directory for all our templates
+  file: path={{mktemp.stdout}}/templates state=directory mode=0755
+  changed_when: False
+  check_mode: no
+
+- include: generate_secrets.yaml
+
+- include: generate_clusterrolebindings.yaml
+
+- include: generate_serviceaccounts.yaml
diff --git a/roles/openshift_provisioners/tasks/main.yaml b/roles/openshift_provisioners/tasks/main.yaml
new file mode 100644
index 000000000..a50c78c97
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/main.yaml
@@ -0,0 +1,27 @@
+---
+- name: Create temp directory for doing work in
+  command: mktemp -td openshift-provisioners-ansible-XXXXXX
+  register: mktemp
+  changed_when: False
+  check_mode: no
+
+- name: Copy the admin client config(s)
+  command: >
+    cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig
+  changed_when: False
+  check_mode: no
+  tags: provisioners_init
+
+- include: "{{ role_path }}/tasks/install_provisioners.yaml"
+  when: openshift_provisioners_install_provisioners | default(false) | bool
+
+- include: "{{ role_path }}/tasks/uninstall_provisioners.yaml"
+  when: not openshift_provisioners_install_provisioners | default(false) | bool
+
+- name: Delete temp directory
+  file:
+    name: "{{ mktemp.stdout }}"
+    state: absent
+  tags: provisioners_cleanup
+  changed_when: False
+  check_mode: no
diff --git a/roles/openshift_provisioners/tasks/oc_apply.yaml b/roles/openshift_provisioners/tasks/oc_apply.yaml
new file mode 100644
index 000000000..49d03f203
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/oc_apply.yaml
@@ -0,0 +1,51 @@
+---
+- name: Checking generation of {{file_content.kind}} {{file_content.metadata.name}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+    get {{file_content.kind}} {{file_content.metadata.name}}
+    -o jsonpath='{.metadata.resourceVersion}'
+    -n {{namespace}}
+  register: generation_init
+  failed_when: "'not found' not in generation_init.stderr and generation_init.stdout == ''"
+  changed_when: no
+
+- name: Applying {{file_name}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+    apply -f {{ file_name }}
+    -n {{ namespace }}
+  register: generation_apply
+  failed_when: "'error' in generation_apply.stderr"
+  changed_when: no
+
+- name: Determine change status of {{file_content.kind}} {{file_content.metadata.name}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+    get {{file_content.kind}} {{file_content.metadata.name}}
+    -o jsonpath='{.metadata.resourceVersion}'
+    -n {{namespace}}
+  register: generation_changed
+  failed_when: "'not found' not in generation_changed.stderr and generation_changed.stdout == ''"
+  changed_when: generation_changed.stdout | default (0) | int  > generation_init.stdout | default(0) | int
+  when:
+    - "'field is immutable' not in generation_apply.stderr"
+
+- name: Removing previous {{file_name}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+    delete -f {{ file_name }}
+    -n {{ namespace }}
+  register: generation_delete
+  failed_when: "'error' in generation_delete.stderr"
+  changed_when: generation_delete.rc == 0
+  when: generation_apply.rc != 0
+
+- name: Recreating {{file_name}}
+  command: >
+    {{ openshift.common.client_binary }} --config={{ kubeconfig }}
+    apply -f {{ file_name }}
+    -n {{ namespace }}
+  register: generation_apply
+  failed_when: "'error' in generation_apply.stderr"
+  changed_when: generation_apply.rc == 0
+  when: generation_apply.rc != 0
diff --git a/roles/openshift_provisioners/tasks/start_cluster.yaml b/roles/openshift_provisioners/tasks/start_cluster.yaml
new file mode 100644
index 000000000..ee7f545a9
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/start_cluster.yaml
@@ -0,0 +1,20 @@
+---
+- name: Retrieve efs
+  oc_obj:
+    state: list
+    kind: dc
+    selector: "provisioners-infra=efs"
+    namespace: "{{openshift_provisioners_project}}"
+  register: efs_dc
+  when: openshift_provisioners_efs | bool
+
+- name: start efs
+  oc_scale:
+    kind: dc
+    name: "{{ object }}"
+    namespace: "{{openshift_provisioners_project}}"
+    replicas: 1
+  with_items: "{{ efs_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
+  loop_control:
+    loop_var: object
+  when: openshift_provisioners_efs | bool
diff --git a/roles/openshift_provisioners/tasks/stop_cluster.yaml b/roles/openshift_provisioners/tasks/stop_cluster.yaml
new file mode 100644
index 000000000..30b6b12c8
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/stop_cluster.yaml
@@ -0,0 +1,20 @@
+---
+- name: Retrieve efs
+  oc_obj:
+    state: list
+    kind: dc
+    selector: "provisioners-infra=efs"
+    namespace: "{{openshift_provisioners_project}}"
+  register: efs_dc
+  when: openshift_provisioners_efs | bool
+
+- name: stop efs
+  oc_scale:
+    kind: dc
+    name: "{{ object }}"
+    namespace: "{{openshift_provisioners_project}}"
+    replicas: 0
+  with_items: "{{ efs_dc.results.results[0]['items'] | map(attribute='metadata.name') | list }}"
+  loop_control:
+    loop_var: object
+  when: openshift_provisioners_efs | bool
diff --git a/roles/openshift_provisioners/tasks/uninstall_provisioners.yaml b/roles/openshift_provisioners/tasks/uninstall_provisioners.yaml
new file mode 100644
index 000000000..0be4bc7d2
--- /dev/null
+++ b/roles/openshift_provisioners/tasks/uninstall_provisioners.yaml
@@ -0,0 +1,43 @@
+---
+- name: stop provisioners
+  include: stop_cluster.yaml
+
+# delete the deployment objects that we had created
+- name: delete provisioner api objects
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+    delete {{ item }} --selector provisioners-infra -n {{ openshift_provisioners_project }} --ignore-not-found=true
+  with_items:
+    - dc
+  register: delete_result
+  changed_when: delete_result.stdout.find("deleted") != -1 and delete_result.rc == 0
+
+# delete our old secrets
+- name: delete provisioner secrets
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+    delete secret {{ item }} -n {{ openshift_provisioners_project }} --ignore-not-found=true
+  with_items:
+    - provisioners-efs
+  ignore_errors: yes
+  register: delete_result
+  changed_when: delete_result.stdout.find("deleted") != -1 and delete_result.rc == 0
+
+# delete cluster role bindings
+- name: delete cluster role bindings
+  command: >
+    {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig
+    delete clusterrolebindings {{ item }} -n {{ openshift_provisioners_project }} --ignore-not-found=true
+  with_items:
+    - run-provisioners-efs
+  register: delete_result
+  changed_when: delete_result.stdout.find("deleted") != -1 and delete_result.rc == 0
+
+# delete our service accounts
+- name: delete service accounts
+  oc_serviceaccount:
+    name: "{{ item }}"
+    namespace: "{{ openshift_provisioners_project }}"
+    state: absent
+  with_items:
+    - provisioners-efs
-- 
cgit v1.2.3