Merge pull request #340 from jacobdotcosta/k8s-1.24-fix

fix: when deploying k8s 1.24.3 on RHOS
snowdrop · Sep 7, 2023 · 8936b6e · 8936b6e
2 parents 6b677c4 + 0936f04
commit 8936b6e
Show file tree

Hide file tree

Showing 37 changed files with 1,093 additions and 456 deletions.
diff --git a/ansible/README.adoc b/ansible/README.adoc
@@ -155,6 +155,7 @@ Finally install the collection.
 ansible-galaxy collection install $(find . -name snowdrop-cloud_infra-*.tar.gz) --upgrade
 ----
 
+[#user-guide]
 == User Guide
 
 Provisioning and accessing a server requires several steps, each of which will be covered in this section.

diff --git a/ansible/playbook/kubernetes/README.adoc b/ansible/playbook/kubernetes/README.adoc
@@ -1,5 +1,132 @@
 = Kubernetes Ansible Playbooks
+Snowdrop Team (Antonio Costa)
+:icons: font
+:revdate: {docdate}
 :toc: left
-:description: This document describes Kubernetes specific playbooks.
+:description: This document describes OpenStack specific playbooks.
+ifdef::env-github[]
+:tip-caption: :bulb:
+:note-caption: :information_source:
+:important-caption: :heavy_exclamation_mark:
+:caution-caption: :fire:
+:warning-caption: :warning:
+endif::[]
 
+== Requirements
 
+=== Environment variables
+
+.Environment variables
+[cols="2,5"]
+|===
+| Environment Variable | Description
+
+| `VM_NAME`
+
+[.fuchsia]#string#
+
+[.red]#required# 
+
+a| Name of the VM where the tools will be installed throughout the document
+
+|===
+
+=== Ansible Inventory
+
+[WARNING]
+====
+Be sure that a host group entry exists for the version you
+want to install within the `inventory/hosts` file
+
+[source,yaml]
+----
+        k8s_121:
+          vars:
+            k8s_version: 1.21.4
+            k8s_dashboard_version: v2.3.1
+----
+====
+
+== Playbooks
+
+=== Install a Kubernetes cluster using Passwordstore
+
+Installs a new kubernetes cluster on an existing host using the team 
+passwordstore as Ansible Inventory source.
+
+To select which components are to be installed use the following ansible tags.
+
+[width="100%",cols="25%m,10%c,65%",options="header",]
+|===
+| Tag | Always | Description
+
+| containerd | icon:times[] | Installs link:https://containerd.io/[containerd] as CRI
+
+| docker | icon:times[] | Installs Docker as CRI
+
+| ingress | icon:times[] | Installs link:https://kubernetes.io/docs/concepts/services-networking/ingress/[Ingress]
+
+| k8s_cluster | icon:check[] | Installs the Kubernetes cluster
+
+| k8s_dashboard | icon:times[] | Installs the link:https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/[Kubernetes Dashboard]
+|===
+
+.Deploy kubernetes on a host installing docker and the Dashboard
+[source,bash]
+----
+ansible-playbook ansible/playbook/kubernetes/k8s_install_passstore.yml -e vm_name=${VM_NAME} --tags docker,k8s_dashboard
+----
+
+=== Uninstall a Kubernetes cluster
+
+To uninstall a kubernetes cluster (kubeadmin, kubelet, ..), execute this
+playbook.
+
+.Delete kubernetes cluster
+[source,bash]
+----
+ansible-playbook ansible/playbook/kubernetes/k8s_remove.yml -e vm_name=${VM_NAME} 
+----
+
+== Other k8s tools
+
+Several tools can be installed using the generic install tooks playbook. To deploy other k8s tools.
+
+=== k8s_issuer_certificate
+
+[source,bash]
+----
+ansible-playbook ansible/playbook/kubernetes/k8s_install_tools.yml -e vm_name=${VM_NAME} -e letsencrypt_env=prod --tags k8s_issuer_certificate
+----
+
+.k8s_issuer_certificate parameters
+[cols="2,5"]
+|===
+| Parameter | Description
+
+| `api_key`
+
+[.fuchsia]#string#
+
+[.red]#required# 
+
+a| GoDaddy API key.
+
+| `api_secret`
+
+[.fuchsia]#string#
+
+[.red]#required# 
+
+a| GoDaddy API secretkey.
+
+| `letsencrypt_env`
+
+[.fuchsia]#string#
+
+a| Let's Encrypt environment to use.
+
+* *`staging` <= Default:* Staging environment
+* `prod`: Production environment
+
+|===
diff --git a/ansible/playbook/kubernetes/k8s_install_passstore.yml b/ansible/playbook/kubernetes/k8s_install_passstore.yml
@@ -1,9 +1,9 @@
 ---
-- name: "Install Kubernetes"
-  import_playbook: "k8s_install.yml"
+- name: "Install Kubernetes using Passwordstore"
+  ansible.builtin.import_playbook: "k8s_install.yml"
 
 - name: "Get k8s configuration"
-  import_playbook: "k8s_get_config.yml"
+  ansible.builtin.import_playbook: "k8s_get_config.yml"
 
 # Requires:
 # . k8s_config
@@ -34,4 +34,8 @@
         pass_l3: "{{ vm_name }}"
         var_name: "k8s_dashboard_token"
         var_value: "{{ k8s_dashboard_token }}"
+
+- name: "Install Kubernetes using Passwordstore"
+  ansible.builtin.import_playbook: "k8s_install_tools.yml"
+
 ...
diff --git a/ansible/playbook/kubernetes/k8s_install_tools.yml b/ansible/playbook/kubernetes/k8s_install_tools.yml
@@ -0,0 +1,81 @@
+---
+# Doesn't work, doesn't return api_key and api_secret variables. 
+# Don't kow why :(
+# - name: "Build GoDaddy authentication, if not provided"
+#   import_playbook: "../godaddy/godaddy_auth_passwordstore.yml"
+#   when: api_key is undefined and api_secret is undefined
+#   tags: [always]
+
+- name: "Install Kubernetes tools"
+  hosts: "{{ vm_name | default('masters') }}"
+  gather_facts: true
+
+  pre_tasks:
+    - name: "Set godaddy auth facts"
+      ansible.builtin.set_fact:
+        api_key: "{{ query('passwordstore', 'godaddy/' ~ api_environment | default('ote') ~ '/api-key')[0] }}"
+        api_secret: "{{ query('passwordstore', 'godaddy/' ~ api_environment | default('ote') ~ '/secret-key')[0] }}"
+      when: api_key is undefined and api_secret is undefined
+      tags: [always]
+
+    - name: "Validate required variables"
+      assert:
+        that:
+          - "vm_name is defined and vm_name | length > 0"
+          - "state is defined and (state == 'present' or state == 'absent')"
+          - "api_key is defined and api_secret is defined"
+        fail_msg: 
+          - "Required parameters:"
+          - "  vm_name: VM to where the tools will be deployed"
+          - "  state: 'present' to install the tools and 'absent' to remove them"
+      tags: [always]
+
+  tasks:
+    # Requires GoDaddy API Key and Secret Key
+    - name: "Install k8s_issuer_certificate"
+      ansible.builtin.import_role:
+        name: k8s_issuer_certificate
+      # vars:
+      #   api_key: "{{ api_key  }}"
+      #   api_secret: "{{ api_secret  }}"
+      tags: [k8s_issuer_certificate]
+
+#     - role: 'cert_manager'
+#       tags: [always,cert_manager]
+#     - role: 'k8s_dashboard'
+#       tags: [always,k8s_dashboard]
+#     - { role: 'persistence',            tags: 'persistence'}          # When Minishift or oc cluster up is NOT used
+#     - { role: 'identity_provider',      tags: 'identity_provider'}    # Use HTPasswdPasswordIdentityProvider as Identity Provider -> more secure
+#     - { role: 'enable_cluster_role',    tags: 'enable_cluster_role'}
+#     - { role: 'add_extra_users',        tags: 'add_extra_users'}
+#     - { role: 'delete_extra_users',     tags: 'delete_extra_users'}
+#     - { role: 'install_oc',             tags: 'install_oc'}           # Install oc client when cluster role is not used
+#     - { role: 'docker',                 tags: 'docker'}               # Enable to access docker on port 2376
+#     - { role: 'create_projects',        tags: 'create_projects'}
+#     - { role: 'install_nexus',          tags: 'nexus'}
+#     - { role: 'install_jenkins',        tags: 'jenkins'}
+#     - { role: 'install_jaeger',         tags: 'jaeger'}
+#     - { role: 'install_istio',          tags: 'istio'}
+#     - { role: 'install_launcher',       tags: 'install-launcher'}
+#     - { role: 'uninstall_launcher',     tags: 'uninstall-launcher'}
+#     - { role: 'component_crd_operator', tags: 'component_crd_operator'}
+#     - { role: 'snowdrop_site',          tags: 'snowdrop-site'}
+#     - { role: 'tekton_pipelines',       tags: 'tekton_pipelines'}
+#     - { role: 'halkyon',                tags: 'halkyon'}
+# #    - { role: 'k8s_cluster',            tags: 'k8s_cluster'}
+#     - { role: 'k8s_config',             tags: 'k8s_config'}
+# #    - { role: 'k8s_dashboard',          tags: 'k8s_dashboard'}
+#     - { role: 'k8s_service_broker',     tags: 'k8s_service_broker'}
+#     - { role: 'k8s_halkyon_site',       tags: 'k8s_halkyon_site'}
+#     - { role: 'k8s_issuer_certificate', tags: 'k8s_issuer_certificate'}
+#     - { role: 'kind',                   tags: 'kind'}
+# #    - { role: 'ingress',                tags: 'ingress'}
+#     - { role: 'helm',                   tags: 'helm'}
+#     - { role: 'kubedb',                 tags: 'kubedb'}
+#     - { role: 'docker_registry',        tags: 'docker_registry'}
+#     - { role: 'tekton_pipelines',       tags: 'tekton_pipelines'}
+#     - { role: 'component_crd_operator', tags: 'component_crd_operator'}
+#     - { role: 'ocp4_console',           tags: 'ocp4_console'}
+# #    - { role: 'cert_manager',           tags: 'cert_manager'}
+
+...
diff --git a/ansible/playbook/ocp/ocp_openstack_install.yml b/ansible/playbook/ocp/ocp_openstack_install.yml
@@ -1,18 +1,21 @@
 ---
+- name: "Build OpenStack authentication for v3password"
+  import_playbook: "../openstack/openstack_auth_passstore_v3password.yml"
+
 - name: "Install OCP"
   hosts: localhost
   gather_facts: true
 
-  pre_tasks:
-    - name: "Set openstack_auth facts"
-      set_fact:
-        openstack_auth: 
-          openstack_project_name: "{{ query('passwordstore', 'openstack/host/project_name')[0] }}"
-          openstack_console_user:  "{{ query('passwordstore', 'openstack/host/console_user')[0] }}"
-          openstack_console_password: "{{ query('passwordstore', 'openstack/host/console_pw')[0] }}"
-          openstack_user_domain:  "{{ query('passwordstore', 'openstack/host/console_domain')[0] }}"
-          openstack_project_domain: "{{ query('passwordstore', 'openstack/host/os_domain')[0] }}"
-          openstack_os_auth_url: "{{ query('passwordstore', 'openstack/host/os_auth_url')[0] }}"
+  # pre_tasks:
+  #   - name: "Set openstack_auth facts"
+  #     set_fact:
+  #       openstack_auth: 
+  #         openstack_project_name: "{{ query('passwordstore', 'openstack/host/project_name')[0] }}"
+  #         openstack_console_user:  "{{ query('passwordstore', 'openstack/host/console_user')[0] }}"
+  #         openstack_console_password: "{{ query('passwordstore', 'openstack/host/console_pw')[0] }}"
+  #         openstack_user_domain:  "{{ query('passwordstore', 'openstack/host/console_domain')[0] }}"
+  #         openstack_project_domain: "{{ query('passwordstore', 'openstack/host/os_domain')[0] }}"
+  #         openstack_os_auth_url: "{{ query('passwordstore', 'openstack/host/os_auth_url')[0] }}"
 
   tasks:
     - name: "Deploy OCP"

diff --git a/ansible/playbook/openstack/README.adoc b/ansible/playbook/openstack/README.adoc
@@ -1,7 +1,9 @@
 = OpenStack Ansible Playbooks
 Snowdrop Team (Antonio Costa)
+Snowdrop Team (Antonio Costa)
 :icons: font
 :revdate: {docdate}
+:revdate: {docdate}
 :toc: left
 :description: This document describes OpenStack specific playbooks.
 ifdef::env-github[]
@@ -26,64 +28,16 @@ NOTE: The list of flavors is identified on the link:../../../openstack/README.ad
 
 == Playbooks
 
+=== Create a VM
 === Create a VM
 
 Create OpenStack instance based on passwordstore
 
 .openstack_vm_create_passwordstore parameters
 [cols="2,5"]
+[cols="2,5"]
 |===
-| Parameter | Description
-
-| `openstack.vm.flavor`
-
-[.fuchsia]#string#
-
-[.red]#required# 
-
-a| OpenStack VM flavor (size)
-
-_e.g._ `m1.medium`.
-
-| `openstack.vm.image`
-
-[.fuchsia]#string#
-
-[.red]#required# 
-
-a| OpenStack VM image
-
-_e.g._ `Fedora-Cloud-Base-35`.
-
-| `openstack.vm.network`
-
-[.fuchsia]#string#
-
-[.red]#required# 
-
-a| Value for the OpenStack provider network.
-
-_e.g._ `provider_net_shared`
-
-// | k8s_type
-
-// [.fuchsia]#string#
-
-// a| *for k8s hosts.*
-
-// Kubernetes host type [master,worker].
-
-// | k8s_version
-
-// [.fuchsia]#string#
-
-// a| *for k8s hosts.*
-
-// Kubernetes version to be associated with the host, e.g. for version `1.23` use `123`. This is actually an Ansible Inventory group having definitions associated with each of the Kubernetes version.
-
-// | key_name
-
-// [.fuchsia]#string#
+|Field name |Mandatory |Description
 
 // a| Use an existing SSH key (value) instead of creating one for the VM.
 
@@ -101,12 +55,12 @@ This name will be used both as hostname as well as Ansible Inventory name.
 
 [source,bash]
 ----
-$ VM_NAME=vm20230627-t01
+$ VM_NAME=vm20210221-t01
 ----
 
 [source,bash]
 ----
-$ ansible-playbook ansible/playbook/openstack/openstack_vm_create_passwordstore.yml -e '{"openstack": {"vm": {"network": "provider_net_shared","image": "Fedora-Cloud-Base-35", "flavor": "m1.medium"}}}' -e vm_name=${VM_NAME} 
+$ ansible-playbook playbook/openstack/openstack_vm_create_passwordstore.yml -e k8s_type=masters -e k8s_version=123 -e '{"openstack": {"vm": {"network": "provider_net_shared","image": "Fedora-Cloud-Base-35", "flavor": "m1.medium"}}}' -e key_name=test-adm-key -e vm_name=${VM_NAME} 
 ----
 
 Although some failures might occur some might be ignored which shouldn't affect thhe process. This playbook should finish with no failed tasks.

diff --git a/ansible/playbook/openstack/check.yml b/ansible/playbook/openstack/check.yml
@@ -0,0 +1,12 @@
+---
+- name: "Check OpenStack"
+  set_fact:
+    pass_provider: "openstack"
+  when: "pass_provider is not defined"
+
+- name: "Set OpenStack default variables"
+  set_fact:
+    use_generic_ssh_key: True
+    generic_ssh_key_name: generic-key
+  when: "use_generic_ssh_key is not defined or (use_generic_ssh_key | bool) "
+...
diff --git a/ansible/playbook/openstack/openstack_auth_passstore_v3applicationcredential.yml b/ansible/playbook/openstack/openstack_auth_passstore_v3applicationcredential.yml
@@ -0,0 +1,15 @@
+---
+- name: "OpenStack authentication with passwordstore and v3applicationcredential"
+  hosts: localhost
+
+  tasks:
+
+    - name: "Set facts"
+      ansible.builtin.set_fact:
+        rhos_authentication_type: v3applicationcredential
+        rhos_authentication:
+          auth_url: "{{ query('passwordstore', 'openstack/host/os_auth_url')[0] }}"
+          application_credential_id: "{{ query('passwordstore', 'openstack/host/app_cred_id')[0] }}"
+          application_credential_secret: "{{ query('passwordstore', 'openstack/host/app_cred_secret')[0] }}"
+
+...