Add deploy-crc-cloud Ansible role

The Ansible tool might handle in better way how to deploy the
CRC cloud.
NOTE: The Ansible role can be optimized and it would be done
in next pull requests. This commit just adds same functionality
as it is done in clustersetup.sh script.

Signed-off-by: Daniel Pawlik <[email protected]>

Author: danpawlik

ansible/README.md

@@ -0,0 +1,73 @@
+# Deploy CRC cloud directly on CRC host
+
+## Introduction
+
+The CRC cloud tool deploys the CRC host using its own binary, but it
+requires access to the cloud provider credentials. That functionality
+is useless when the CRC cloud needs to be used in external CI, where
+the crc-cloud tool can not be used - especially when the CI is responsible
+to check how many VMs are spawned or checking job results.
+
+## CRC QCOW2 image
+
+There is a simple way to bootstrap the CRC without using the crc-cloud
+tool and upload it to your cloud provider:
+
+- download libvirt bundle (you can see url when crc is in debug mode)
+- extract libvirt bundle using tar command with zst:
+
+```shell
+tar xaf crc_libvirt_$VERSION_amd64.crcbundle
+```
+
+- upload crc.qcow2 image to your cloud provider
+- take the id_ecdsa_crc file located in the root directory of
+  the extracted crcbundle archive after unpacking the crcbundle file
+
+## Bootstrap crc-cloud directly on host
+
+Now after spawning VM using the `crc.qcow2` image:
+
+- prepare `inventory.yaml` file:
+
+```shell
+CRC_VM_IP=<ip address>
+
+cat << EOF > inventory.yaml
+---
+all:
+  hosts:
+    crc:
+      ansible_port: 22
+      ansible_host: $CRC_VM_IP
+      ansible_user: core
+      ansible_ssh_private_key_file: upacked_crcbundle_dir/id_ecdsa
+  vars:
+    alternative_domain: true
+    pass_developer: 12345678
+    pass_kubeadmin: 12345678
+    pass_redhat: 12345678
+    openshift_pull_secret: |
+      < PULL SECRET >
+EOF
+```
+
+- clone crc-cloud project
+
+```shell
+git clone https://github.com/crc-org/crc-cloud
+```
+
+- run playbook to bootstrap the container that later would start deploy-crc-cloud role
+
+```shell
+ansible-playbook -i inventory.yaml crc-cloud/ansible/playbooks/bootstrap.yaml
+```
+
+Then just wait until the bootstrap container finish :)
+You can follow Ansible execution steps by checking the container logs
+on the remote CRC host:
+
+```shell
+sudo podman logs -f crc-cloud-bootstrap
+```

ansible/playbooks/bootstrap.yaml

@@ -0,0 +1,6 @@
+---
+- name: Prepare crc-cloud bootstrap container
+  gather_facts: true
+  hosts: crc
+  roles:
+    - crc-bootstrap

ansible/playbooks/roles

@@ -0,0 +1 @@
+../roles

ansible/playbooks/start.yaml

@@ -0,0 +1,6 @@
+---
+- name: Start crc-cloud
+  gather_facts: true
+  hosts: crc
+  roles:
+    - deploy-crc-cloud

ansible/roles/crc-bootstrap/defaults/main.yaml

@@ -0,0 +1,2 @@
+---
+bootstrap_dir: /var/tmp/crc-bootstrap

ansible/roles/crc-bootstrap/files/Dockerfile

@@ -0,0 +1,17 @@
+FROM quay.io/centos/centos:stream9
+
+RUN dnf install -y ansible-core sudo && \
+    ansible-galaxy collection install community.general \
+    community.crypto ansible.posix \
+    kubernetes.core
+
+
+RUN groupadd --gid 1000 user && \
+    useradd --uid 1000 --gid 1000 -d /home/user user
+COPY entrypoint.sh /home/user/entrypoint.sh
+RUN chown -R user:user /home/user && chmod +x /home/user/entrypoint.sh
+
+USER user
+
+WORKDIR /home/user
+ENTRYPOINT ["/home/user/entrypoint.sh"]

ansible/roles/crc-bootstrap/files/entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+echo "Check if inventory.yaml exists..."
+if [ -f "inventory.yaml" ]; then
+    echo "Starting Ansible..."
+    export ANSIBLE_HOST_KEY_CHECKING=False
+    export ANSIBLE_LOG_PATH=/home/user/ansible-logs/ansible.log
+    ansible-playbook -i inventory.yaml crc-cloud/ansible/playbooks/start.yaml
+else
+    echo "Could not find inventory file. Exit"
+    exit 1
+fi

ansible/roles/crc-bootstrap/tasks/main.yaml

@@ -0,0 +1,105 @@
+---
+- name: Create bootstrap dir
+  ansible.builtin.file:
+    path: "{{ bootstrap_dir }}"
+    state: directory
+    owner: 1000
+    group: 1000
+    mode: '0755'
+
+- name: Clone crc-cloud repository
+  ansible.builtin.git:
+    repo: https://github.com/crc-org/crc-cloud
+    dest: "{{ bootstrap_dir }}/crc-cloud"
+    version: main
+
+- name: Check if bootstrap ssh key exists
+  ansible.builtin.stat:
+    path: "{{ bootstrap_dir }}/crc-cloud-bootstrap.pub"
+  register: _bootstrap_ssh_key
+
+- name: Generate ssh keypair
+  when: not _bootstrap_ssh_key.stat.exists
+  community.crypto.openssh_keypair:
+    path: "{{ bootstrap_dir }}/crc-cloud-bootstrap"
+    type: ed25519
+    state: present
+    owner: 1000
+    group: 1000
+    mode: '0600'
+
+- name: Set SELinux context for SSH key
+  ansible.builtin.command: chcon -t ssh_home_t "{{ bootstrap_dir }}/crc-cloud-bootstrap"
+  when: not _bootstrap_ssh_key.stat.exists
+
+- name: Get public key content
+  ansible.builtin.command: cat "{{ bootstrap_dir }}/crc-cloud-bootstrap.pub"
+  register: _pub_key
+
+- name: Add generated key to authorized keys
+  ansible.posix.authorized_key:
+    user: "{{ ansible_user }}"
+    key: "{{ _pub_key.stdout }}"
+    path: .ssh/authorized_keys.d/ignition
+    state: present
+
+- name: Create entrypoint file
+  ansible.builtin.copy:
+    src: entrypoint.sh
+    dest: "{{ bootstrap_dir }}/entrypoint.sh"
+    owner: 1000
+    group: 1000
+    mode: '0755'
+
+- name: Prepare Dockerfile
+  ansible.builtin.copy:
+    src: Dockerfile
+    dest: "{{ bootstrap_dir }}/Dockerfile"
+
+- name: Create inventory file
+  ansible.builtin.template:
+    src: inventory.yaml.j2
+    dest: "{{ bootstrap_dir }}/inventory.yaml"
+    owner: 1000
+    group: 1000
+    mode: '0644'
+
+- name: Create Ansible log directory
+  ansible.builtin.file:
+    path: "{{ bootstrap_dir }}/{{ item }}"
+    state: directory
+    owner: 1000
+    group: 1000
+    mode: '0755'
+  loop:
+    - ansible-logs
+    - .kube
+
+- name: Set SELinux context for directories
+  ansible.builtin.command: >
+    chcon -R -t container_file_t "{{ bootstrap_dir }}/{{ item }}"
+  loop:
+    - ansible-logs
+    - .kube
+
+- name: Build bootstrap container
+  become: true
+  ansible.builtin.shell: |
+    podman build -t crc-cloud-bootstrap -f {{ bootstrap_dir }}/Dockerfile
+
+- name: Create container to bootstrap
+  become: true
+  ansible.builtin.shell: >
+    podman create --name crc-cloud-bootstrap
+    --network host
+    -v "{{ bootstrap_dir }}/crc-cloud-bootstrap:/home/user/.ssh/id_ed25519:Z"
+    -v "{{ bootstrap_dir }}/inventory.yaml:/home/user/inventory.yaml:Z"
+    -v "{{ bootstrap_dir }}/crc-cloud:/home/user/crc-cloud:Z"
+    -v "{{ bootstrap_dir }}/ansible-logs:/home/user/ansible-logs:Z"
+    -v "{{ bootstrap_dir }}/.kube:/home/user/.kube:Z"
+    crc-cloud-bootstrap /home/user/entrypoint.sh
+
+- name: Start the container
+  become: true
+  ansible.builtin.shell: |
+    podman start crc-cloud-bootstrap

ansible/roles/crc-bootstrap/templates/inventory.yaml.j2

@@ -0,0 +1,11 @@
+---
+all:
+  hosts:
+    crc:
+      ansible_port: 22
+      ansible_host: {{ ansible_default_ipv4.address }}
+      ansible_user: core
+      ansible_ssh_private_key_file: /home/user/.ssh/id_ed25519
+  vars:
+    openshift_pull_secret: |
+      {{ openshift_pull_secret }}

ansible/roles/deploy-crc-cloud/defaults/main.yaml

@@ -0,0 +1,33 @@
+---
+dnsmasq_conf_path: /etc/dnsmasq.d/crc-dnsmasq.conf
+openshift_pull_secret: ""
+eip: crc.dev
+alternative_domain: nip.io
+
+# wait for resource
+max_retry: 20
+wait_interval: 5
+
+# wait cluster become healthy
+max_retries: 20
+retry_delay: 5
+
+pass_developer: _PASS_DEVELOPER_
+pass_kubeadmin: _PASS_KUBEADMIN_
+pass_redhat: _PASS_REDHAT_
+
+users:
+  - name: developer
+    password: "{{ pass_developer }}"
+  - name: kubeadmin
+    password: "{{ pass_kubeadmin }}"
+  - name: redhat
+    password: "{{ pass_redhat }}"
+
+# replace default ca
+ca_user: "system:admin"
+ca_group: "system:masters"
+ca_user_subj: "/O=${GROUP}/CN=${USER}"
+ca_name: "custom"
+ca_subj: "/OU=openshift/CN=admin-kubeconfig-signer-custom"
+ca_validity: 3650

ansible/roles/deploy-crc-cloud/tasks/console_route.yaml

@@ -0,0 +1,16 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L282
+- name: Get route to console custom
+  ansible.builtin.shell: |
+    oc get route console-custom -n openshift-console
+  register: _route_console_custom
+  until: _route_console_custom.rc != 1
+  retries: 60
+  delay: 10
+  changed_when: false
+
+- name: Get console route
+  ansible.builtin.shell: >
+    oc get route console-custom
+    -n openshift-console
+    -o json | jq -r '.spec.host'

ansible/roles/deploy-crc-cloud/tasks/create_certificate_and_patch_secret.yaml

@@ -0,0 +1,20 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185
+- name: Create alternative cert
+  ansible.builtin.shell: >
+    openssl req
+    -newkey rsa:2048
+    -new -nodes
+    -x509
+    -days 3650
+    -keyout nip.key
+    -out nip.crt
+    -subj "/CN={{ eip }}.{{ alternative_domain }}"
+    -addext "subjectAltName=DNS:apps.{{ eip }}.{{ alternative_domain }},DNS:*.apps.{{ eip }}.{{ alternative_domain }},DNS:api.{{ eip }}.{{ alternative_domain }}"
+
+- name: "Create secret for {{ alternative_domain }}"
+  ansible.builtin.command: >
+    oc create secret tls nip-secret
+    --cert=nip.crt
+    --key=nip.key
+    -n openshift-config

ansible/roles/deploy-crc-cloud/tasks/dnsmasq.yaml

@@ -0,0 +1,51 @@
+---
+# From https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L101
+- name: Create crc-dnsmasq.conf
+  become: true
+  ansible.builtin.copy:
+    content: |
+      listen-address={{ ansible_default_ipv4.address }}
+      expand-hosts
+      log-queries
+      local=/crc.testing/
+      domain=crc.testing
+      address=/apps-crc.testing/{{ ansible_default_ipv4.address }}
+      address=/api.crc.testing/{{ ansible_default_ipv4.address }}
+      address=/api-int.crc.testing/{{ ansible_default_ipv4.address }}
+      address=/{{ ansible_fqdn }}.crc.testing/192.168.126.11
+    dest: "{{ dnsmasq_conf_path }}"
+  register: _dnsmasq_conf
+
+- name: Set this host as first nameserver in /etc/resolv.conf
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/resolv.conf
+    regexp: '^# Generated by NetworkManager'
+    line: "nameserver {{ item }}"
+    create: true
+  loop: "{{ [ansible_default_ipv4.address] + ansible_facts['dns']['nameservers'] | flatten }}"
+  register: _etc_resolv
+
+- name: Disable overwriting /etc/resolv.conf by the NetworkManager
+  become: true
+  ansible.builtin.copy:
+    content: |
+      [main]
+      dns=none
+    dest: /etc/NetworkManager/conf.d/00-custom-crc.conf
+  register: _disable_dns_overwrite
+
+- name: Restart NetworkManager when its needed
+  when: _disable_dns_overwrite.changed
+  become: true
+  ansible.builtin.systemd:
+    name: NetworkManager
+    state: restarted
+
+- name: Restart dnsmasq
+  when: _etc_resolv.changed
+  become: true
+  ansible.builtin.systemd:
+    name: dnsmasq
+    state: restarted
+    enabled: true

ansible/roles/deploy-crc-cloud/tasks/get_htpasswd.yaml

@@ -0,0 +1,26 @@
+---
+- name: Create temporary directory
+  ansible.builtin.tempfile:
+    state: directory
+  register: _temp_dir
+
+- name: Create Dockerfile
+  ansible.builtin.copy:
+    content: |
+      FROM quay.io/centos/centos:stream9-minimal
+      RUN microdnf --setopt=tsflags=nodocs --setopt=install_weak_deps=0 install -y httpd-tools
+      ENTRYPOINT ["htpasswd", "-Bbn"]
+    dest: "{{ _temp_dir.path }}/Dockerfile"
+
+- name: Build container image for htpasswd
+  ansible.builtin.command: |
+    podman build -t localhost/htpasswd:latest -f {{ _temp_dir.path }}/Dockerfile
+
+- name: "Get htpasswd for {{ user.name }}"
+  ansible.builtin.shell: |
+     podman run --rm -ti localhost/htpasswd:latest {{ user.name }} {{ user.password }} >> htpasswd.txt
+
+- name: Remove temporary directory
+  ansible.builtin.file:
+    path: "{{ _temp_dir.path }}"
+    state: absent