
Update origin-gce to support Ansible 2.4

Also clean up base images in preparation for bootstrapping
smarterclayton committed Oct 29, 2017
1 parent 67eb85e commit f7bc4835b0ffd8d85de2ffe34c895912185e2879
@@ -34,21 +34,17 @@ ENV WORK=/usr/share/ansible/openshift-ansible-gce \
GOOGLE_CLOUD_SDK_VERSION=147.0.0 \
ANSIBLE_JUNIT_DIR=/tmp/openshift/ansible_junit

# meta refresh_inventory has a bug in 2.2.0 where it uses relative path
# remove when fixed
ENV ANSIBLE_INVENTORY=$WORK/inventory/hosts

# package atomic-openshift-utils missing
RUN mkdir -p /usr/share/ansible $HOME/.ssh $WORK/playbooks/files && \
ln -s $WORK/playbooks/files/ssh-privatekey $HOME/.ssh/google_compute_engine && \
ln -s $WORK/playbooks/files/ssh-publickey $HOME/.ssh/google_compute_engine.pub && \
INSTALL_PKGS="openssl gettext sudo epel-release" && \
yum install -y $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
INSTALL_PKGS="python-dns python2-libcloud python2-pip pyOpenSSL openssl gettext sudo" && \
INSTALL_PKGS="gcc python-devel python-dns python2-pip pyOpenSSL openssl gettext sudo" && \
yum install -y $INSTALL_PKGS && \
rpm -V $INSTALL_PKGS && \
pip install junit_xml && \
pip install junit_xml pycrypto apache-libcloud && \
yum install -y ansible && \
yum clean all && \
cd /usr/share/ansible && \
@@ -66,11 +62,7 @@ RUN mkdir -p /usr/share/ansible $HOME/.ssh $WORK/playbooks/files && \
sed -r -i 's/^#?stdout_callback.*/stdout_callback = default_with_output_lists/' /etc/ansible/ansible.cfg && \
curl -sS https://raw.githubusercontent.com/openshift/origin-ci-tool/master/oct/ansible/oct/callback_plugins/generate_junit.py > /usr/share/ansible/plugins/callback/generate_junit.py && \
sed -r -i 's/^#?callback_whitelist.*/callback_whitelist = generate_junit/' /etc/ansible/ansible.cfg && \
chmod -R g+w /usr/share/ansible $HOME /etc/passwd && \
cd /usr/lib/python2.7/site-packages/libcloud && \
curl -sS https://patch-diff.githubusercontent.com/raw/apache/libcloud/pull/1010.patch > /tmp/patch && \
sudo patch -p2 < /tmp/patch && \
rm /tmp/patch
chmod -R g+w /usr/share/ansible $HOME /etc/passwd

WORKDIR $WORK
ENTRYPOINT ["/usr/share/ansible/openshift-ansible-gce/entrypoint.sh"]
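Review bot: The RUN that installs the toolchain still has no version pins after the 2.4 update: `yum install -y ansible` takes whatever the enabled repos currently ship, and the new `pip install junit_xml pycrypto apache-libcloud` line is equally unpinned (pycrypto is also unmaintained upstream), so the image this commit builds is not reproducible and can drift off Ansible 2.4 on the next rebuild. The second hunk has the same problem in a sharper form: `curl -sS https://raw.githubusercontent.com/openshift/origin-ci-tool/master/oct/ansible/oct/callback_plugins/generate_junit.py` pulls a callback plugin from a moving branch with no integrity check, and without `-f` an HTTP error body would be written to the plugin path with exit status 0, so the `&&` chain continues with a broken plugin installed. Pin the yum and pip packages to the versions the playbooks were tested with, fetch the plugin from a fixed commit with `curl -sSf`, and compare it against a recorded checksum before copying it into place. The RUN instruction in the first hunk continues past the end of that hunk.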
@@ -5,7 +5,7 @@ forks = 50
# work around privilege escalation timeouts in ansible
timeout = 30
host_key_checking = False
hostfile = inventory/hosts
inventory = inventory/hosts.sh
remote_user = cloud-user
private_key_file = /home/cloud-user/.ssh/google_compute_engine
gathering = smart
@@ -21,10 +21,12 @@ roles_path = /usr/share/ansible/openshift-ansible/roles
[privilege_escalation]
become = True

[connection]
# If your image has requiretty set, you must disable pipelining
pipelining = True

[ssh_connection]
ssh_args = -o ControlMaster=auto -o ControlPersist=900s -o GSSAPIAuthentication=no
control_path = /var/tmp/%%h-%%r
# If your image has requiretty set, you must disable pipelining
pipelining = True
# Initial setup of GCE can fail to make an SSH connection
retries = 20
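Review bot: `host_key_checking = False` in the first hunk stays in force while the inventory becomes the dynamic script `inventory/hosts.sh` and `retries = 20` is added under `[ssh_connection]`, so every host the script returns is reconnected up to twenty times without host identity verification. The neighbouring settings each carry a why-comment (`timeout`, `pipelining`, `retries`) but this one does not; if it is a deliberate trade-off for freshly created GCE instances, a comment such as `# new GCE instances have no recorded host key yet; see retries under [ssh_connection]` above it would record that, and if not, the known_hosts file can be seeded from the instance metadata before the configure playbooks run.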
@@ -25,6 +25,15 @@ if ! whoami &>/dev/null; then
fi
fi

# Provide a "files_dir" variable that points to playbooks/files
mkdir -p "${WORK}/inventory/group_vars/all"
echo "files_dir: ${WORK}/playbooks/files" > "${WORK}/inventory/group_vars/all/00_default_files_dir.yaml"

# Set inventory_dir for legacy support for old configs - Ansible 2.4 no longer has inventory_dir set on
# localhost
# DEPRECATED: will be removed when all config switches over
mkdir -p "${WORK}/inventory/host_vars/localhost"
echo "inventory_dir: ${WORK}/inventory" > "${WORK}/inventory/host_vars/localhost/01_default_inventory_dir.yaml"
find "${WORK}/playbooks/files" | xargs -L1 -I {} ln -fs {} "${WORK}/inventory/"
find "${WORK}/playbooks/files" -name *.yaml -or -name vars | xargs -L1 -I {} ln -fs {} "${WORK}/inventory/group_vars/all"

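Review bot: The new symlink line `find "${WORK}/playbooks/files" -name *.yaml -or -name vars | xargs ...` leaves the glob unquoted, so if the current directory (`WORKDIR $WORK` per the Dockerfile) holds any `*.yaml` files the shell expands it before find sees it and find either errors out on the extra path arguments or matches only that one name; write it as `-name '*.yaml'`. The line before it, `find "${WORK}/playbooks/files" | xargs -L1 -I {} ln -fs {} "${WORK}/inventory/"`, also emits the search root itself, producing a stray `inventory/files` link back to `playbooks/files`, and both pipelines split on whitespace in file names; `-mindepth 1` on the first find and `-print0` with `xargs -0` on both address that. The new `echo "inventory_dir: ${WORK}/inventory"` writes an unquoted YAML value, so a WORK containing `: ` or ` #` would corrupt the generated host_vars file; the existing `files_dir` line has the same weakness.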
File renamed without changes.
@@ -24,8 +24,8 @@

- name: Launch the image build instance
gce:
service_account_email: "{{ (lookup('file', gce_service_account_keyfile ) | from_json ).client_email }}"
credentials_file: "{{ gce_service_account_keyfile }}"
service_account_email: "{{ (lookup('file', openshift_gcp_iam_service_account_keyfile ) | from_json ).client_email }}"
credentials_file: "{{ openshift_gcp_iam_service_account_keyfile }}"
project_id: "{{ openshift_gcp_project }}"
zone: "{{ openshift_gcp_zone }}"
machine_type: n1-standard-1
@@ -1,5 +1,6 @@
---
- hosts: localhost
- name: Verify prerequisites for image build
hosts: localhost
connection: local
gather_facts: no
tasks:
@@ -16,6 +17,7 @@
- name: Set facts
set_fact:
openshift_node_bootstrap: True
openshift_master_unsupported_embedded_etcd: True

- name: Create the image instance disk
gce_pd:
@@ -31,8 +33,8 @@

- name: Launch the image build instance
gce:
service_account_email: "{{ (lookup('file', gce_service_account_keyfile ) | from_json ).client_email }}"
credentials_file: "{{ gce_service_account_keyfile }}"
service_account_email: "{{ (lookup('file', openshift_gcp_iam_service_account_keyfile ) | from_json ).client_email }}"
credentials_file: "{{ openshift_gcp_iam_service_account_keyfile }}"
project_id: "{{ openshift_gcp_project }}"
zone: "{{ openshift_gcp_zone }}"
machine_type: n1-standard-1
@@ -60,26 +62,19 @@
timeout: 120
with_items: "{{ gce.instance_data }}"

- name: normalize groups
include: /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/initialize_groups.yml

- name: run the std_include
include: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/evaluate_groups.yml

- name: run the std_include
include: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/initialize_facts.yml

- name: run the std_include
include: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/initialize_openshift_repos.yml

- name: run node config setup
include: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-node/setup.yml
- hosts: nodes
tasks:
- name: Set facts
set_fact:
openshift_node_bootstrap: True

- name: run node config
include: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-node/configure_nodes.yml
- import_playbook: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-node/image_prep.yml

- name: Re-enable excluders
include: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-node/enable_excluders.yml
- hosts: nodes
roles:
- gce-docker-storage-setup
- gce-cloudconfig
- frequent-log-rotation

- name: Commit image
hosts: localhost
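Review bot: `openshift_node_bootstrap: True` is now set in two places in this playbook, by the localhost `set_fact` in the second hunk and again by the new `- hosts: nodes` play that precedes the `image_prep.yml` import. If the imported playbook reads it as a fact of the node host, the localhost copy looks redundant and the two can drift apart; if the localhost copy is still needed (for example by a `when: not (openshift_node_bootstrap | default(False))` guard elsewhere), a one-line comment on each saying which consumer depends on it would make that clear. Style-wise the set_fact values use `True` while the rest of the file writes YAML booleans as `no`/`yes`; `true`/`false` throughout is what yamllint expects and what Ansible reads consistently. The play beginning `- name: Commit image` continues past the end of the last hunk.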
@@ -5,9 +5,8 @@
roles:
- gce-instance-groups

- hosts: cluster_hosts
- hosts: nodes
roles:
#- gce-cluster-variables
- gce-docker-storage-setup
- gce-cloudconfig
- frequent-log-rotation
@@ -19,9 +18,8 @@
- stat: path=/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/std_include.yml
register: std_include
become: no
- include: /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/initialize_groups.yml
- include: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/std_include.yml
when: hostvars['localhost']['std_include'].stat.exists
- import_playbook: /usr/share/ansible/openshift-ansible/playbooks/byo/openshift-cluster/initialize_groups.yml
- import_playbook: /usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/std_include.yml

- hosts: masters
gather_facts: no
@@ -32,7 +30,7 @@
- service: master http proxy
port: 8080/tcp

- include: /usr/share/ansible/openshift-ansible/playbooks/byo/config.yml
- import_playbook: /usr/share/ansible/openshift-ansible/playbooks/byo/config.yml

- hosts: primary_master
gather_facts: no
@@ -43,6 +41,12 @@
dest: "/tmp/"
flat: yes

- hosts: masters
gather_facts: no
roles:
- role: gce-master-bootstrap
when: openshift_master_bootstrap_enabled | default(False)

- hosts: primary_master
gather_facts: no
roles:
@@ -61,14 +65,6 @@
retries: 6
delay: 5

- hosts: infra_nodes
gather_facts: no
roles:
- role: /usr/share/ansible/openshift-ansible/roles/os_firewall
os_firewall_allow:
- service: router liveness probe
port: 1936/tcp

- hosts: app_nodes
gather_facts: no
roles:
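Review bot: The `- stat: path=/usr/share/ansible/openshift-ansible/playbooks/common/openshift-cluster/std_include.yml` task with `register: std_include` in the second hunk is now dead: its only consumer was the removed `when: hostvars['localhost']['std_include'].stat.exists`, and the replacement `- import_playbook: .../std_include.yml` is static, so a missing file fails at parse time regardless of what stat found. Either drop the stat task (and the `become: no` that belongs to it) or, if openshift-ansible trees without std_include.yml must still work, keep a dynamic include guarded by the stat result. Separately, the last hunk deletes the `infra_nodes` play that opened `1936/tcp` for the router liveness probe with no replacement visible in this diff; if that rule now comes from openshift-ansible's node roles, a sentence in the commit message would save the next reader a search. The `- hosts: app_nodes` play at the end of the last hunk continues past the hunk.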
@@ -30,7 +30,7 @@ openshift_node_port_range: 30000-32000
# Authentication and authorization

# By default reads the identity-providers.json file from the data directory (since identity providers often include secrets).
openshift_master_identity_providers: "{{ (lookup('file', inventory_dir + 'identity-providers.json' ) | default('{\"items\":[]}') | from_json).get('items') }}"
openshift_master_identity_providers: "{{ (lookup('file', files_dir + 'identity-providers.json' ) | default('{\"items\":[]}') | from_json).get('items') }}"
# A set of initial roles to bootstrap the cluster with to bypass the need to copy the cluster-admin configuration file.
# Set to empty array for no defaults.
provision_role_mappings: [{'user': 'my-user', 'role': 'cluster-admin'}]
@@ -51,64 +51,41 @@ openshift_schedulable: True
# GCE provisioning info

# Project ID and zone settings for Google Cloud
gce_project_id: openshift-gce-devel
gce_region_name: us-central1
gce_zone_name: us-central1-a
openshift_gcp_project: openshift-gce-devel
openshift_gcp_region: us-central1
openshift_gcp_zone: us-central1-a
# A GCE service account JSON file that has sufficient permission to provision all instances
# on the cluster and to also act as the cloud provider (create service load balancers, set
# routes, provision PVs). You may restrict the permission of the account after creation.
gce_service_account_keyfile: "{{ inventory_dir }}/gce.json"
openshift_gcp_iam_service_account_keyfile: "{{ files_dir }}/gce.json"
# The path to the private key on the host. If using the Docker image, this is set up by
# default to match "ssh-privatekey" and "ssh-publickey" from the data directory. If those
# files are not present, a unique key pair is generated and added to the project.
gce_ssh_private_key: /home/cloud-user/.ssh/google_compute_engine
openshift_gcp_ssh_private_key: /home/cloud-user/.ssh/google_compute_engine
# GCE service account JSON file that must have permission to read and write from the bucket
# named by provision_gce_registry_gcs_bucket. May be the same as gce_service_account_keyfile, but
# named by provision_gce_registry_gcs_bucket. May be the same as openshift_gcp_iam_service_account_keyfile, but
# not recommended.
gcs_registry_keyfile: "gcs-registry.json"
openshift_gcp_registry_bucket_keyfile: "gcs-registry.json"
# Required to be external unless a custom inventory is used
inventory_ip_type: external

# Extra tags to add to each instance template, must start with a comma
gce_extra_tags_master: ",preserve"
gce_extra_tags_node: ",preserve"
gce_extra_tags_node_infra: ",preserve"

# The sizes of instances to create
provision_gce_machine_type_master: n1-standard-2
provision_gce_machine_type_node: n1-standard-2
provision_gce_machine_type_node_infra: n1-standard-2

# The instance sizes of each group. If node-infra is 0, you must set
# provision_gce_router_network_instance_group to ig-m
provision_gce_instance_group_size_master: 1
provision_gce_instance_group_size_node_infra: 0
provision_gce_instance_group_size_node: 2

# The size of disks attached to each node. The Docker disk is for images and containers, the OpenShift
# disk is for empty dir volumes and local storage.
provision_gce_disk_size_node_docker: 25
provision_gce_disk_size_node_openshift: 50

# Provision prefix is a common identifier placed at the beginning of ALL GCE resource names
# to allow multiple clusters to be deployed in one GCE project.
provision_prefix: my-cluster-
openshift_gcp_prefix: my-cluster-
# Network name is a configuration parameter that is used by the cloud provider to provision
# service load balancers.
gce_network_name: "my-cluster-ocp-network"
openshift_gcp_network_name: "my-cluster-ocp-network"

# An image that is registered with the appropriate subscriptions (for RHEL) or
# Red Hat.
provision_gce_registered_image: rhel-guest-image-7-2-20160302-0-x86-64-registered
openshift_gcp_image: rhel-guest-image-7-2-20160302-0-x86-64-registered

# The name of a GCS bucket to create for the registry in the current project
provision_gce_registry_gcs_bucket: my-cluster-registry-storage
openshift_hosted_registry_storage_gcs_bucket: my-cluster-registry-storage

# Control which node group router traffic is targeted at. You may set this to ig-m to point
# to the master.
provision_gce_router_network_instance_group: ig-m # or: ig-i
openshift_gcp_infra_network_instance_group: ig-m # or: ig-i

# Provide a startup script file to the GCE instances
provision_gce_startup_script_file:
# Provide userdata to the gce instances
provision_gce_user_data_file:
openshift_gcp_startup_script_file:
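Review bot: The rewritten `openshift_master_identity_providers` lookup in the first hunk concatenates `files_dir + 'identity-providers.json'` with no path separator; the entrypoint writes `files_dir` as `${WORK}/playbooks/files` with no trailing slash, so the lookup resolves to `.../filesidentity-providers.json`, and a `file` lookup on a missing path raises rather than yielding the undefined value that `default(...)` would catch. The sibling `openshift_gcp_iam_service_account_keyfile: "{{ files_dir }}/gce.json"` in the second hunk shows the intended form; the fix is `lookup('file', files_dir + '/identity-providers.json')`. In the second hunk the comment above `openshift_gcp_registry_bucket_keyfile` still says `named by provision_gce_registry_gcs_bucket`, but that variable is renamed to `openshift_hosted_registry_storage_gcs_bucket` a few lines below, so the comment should follow the rename. `openshift_gcp_startup_script_file:` with no value parses as null; if "no script" is the intent, writing `null` explicitly says so.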
@@ -1,9 +1,9 @@
# This playbook launches a new cluster or converges it if already launched

- include: provision.yaml
- import_playbook: provision.yaml

- hosts: localhost
tasks:
- meta: refresh_inventory

- include: configure.yaml
- import_playbook: configure.yaml
@@ -1,7 +1,7 @@
#!/bin/sh

export GCE_PROJECT="{{ gce_project_id }}"
export GCE_ZONE="{{ gce_zone_name }}"
export GCE_PROJECT="{{ openshift_gcp_project }}"
export GCE_ZONE="{{ openshift_gcp_zone }}"
export GCE_EMAIL="{{ (lookup('file', openshift_gcp_iam_service_account_keyfile ) | from_json ).client_email }}"
export GCE_PEM_FILE_PATH="/tmp/gce.pem"
export INVENTORY_IP_TYPE="{{ inventory_ip_type }}"
@@ -2,41 +2,42 @@
- name: Add masters to requisite groups
add_host:
name: "{{ hostvars[item].gce_name }}"
groups: masters, etcd, nodes, cluster_hosts, infra_nodes
openshift_node_labels:
role: infra
subrole: master
groups: masters, etcd
with_items: "{{ groups['tag_ocp-master'] }}"

- name: Add a master to the primary masters group
add_host:
name: "{{ hostvars[item].gce_name }}"
groups: primary_master
openshift_node_labels:
role: infra
subrole: master
with_items: "{{ groups['tag_ocp-master'].0 }}"

- name: Add infra instances to host group
- name: Add non-bootstrapping master node instances to node group
add_host:
name: "{{ hostvars[item].gce_name }}"
groups: nodes
openshift_node_labels:
role: master
with_items: "{{ groups['tag_ocp-master'] | default([]) | difference(groups['tag_ocp-bootstrap'] | default([])) }}"

- name: Add infra node instances to node group
add_host:
name: "{{ hostvars[item].gce_name }}"
groups: nodes, cluster_hosts, schedulable_nodes, infra_nodes
groups: nodes
openshift_node_labels:
role: infra
subrole: worker
with_items: "{{ groups['tag_ocp-infra-node'] | default([]) }}"
with_items: "{{ groups['tag_ocp-infra-node'] | default([]) | difference(groups['tag_ocp-bootstrap'] | default([])) }}"

- name: Add app instances to host group
- name: Add node instances to node group
add_host:
name: "{{ hostvars[item].gce_name }}"
groups: nodes, cluster_hosts, schedulable_nodes, app_nodes
groups: nodes
openshift_node_labels:
role: app
with_items: "{{ groups['tag_ocp-node'] | default([]) }}"
with_items: "{{ groups['tag_ocp-node'] | default([]) | difference(groups['tag_ocp-bootstrap'] | default([])) }}"

- name: Mark all bootstrap nodes with the right Ansible flag
set_fact:
- name: Add bootstrap node instances
add_host:
name: "{{ hostvars[item].gce_name }}"
openshift_node_bootstrap: True
delegate_to: "{{ hostvars[item].gce_name }}"
delegate_facts: True
with_items: "{{ groups['tag_ocp-bootstrap'] | default([]) }}"
with_items: "{{ groups['tag_ocp-node'] | default([]) | intersect(groups['tag_ocp-bootstrap'] | default([])) }}"
when: not (openshift_node_bootstrap | default(False))
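Review bot: Instances tagged both as master or infra node and as bootstrap are now kept out of `nodes` by the `difference(groups['tag_ocp-bootstrap'] | default([]))` filters, but only `tag_ocp-node` instances that are also bootstrap-tagged receive the new `Add bootstrap node instances` entry, so a bootstrap-tagged master or infra instance is never registered as a node at all (masters keep only their `masters, etcd` entry). If that is deliberate, a comment on the bootstrap task stating that only `tag_ocp-node` hosts bootstrap would stop the next reader from treating it as an omission; otherwise the `intersect` should also cover the master and infra-node groups. The masters task still uses `with_items: "{{ groups['tag_ocp-master'] }}"` without the `| default([])` the other tasks now carry, so a project with no master-tagged instance fails on an undefined group instead of an empty loop. The `when: not (openshift_node_bootstrap | default(False))` on the last task is evaluated against the host running the play rather than the instance being added, which looks intended for the image-build run; a comment saying so would help.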
@@ -0,0 +1,10 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: bootstrap-autoapprover
roleRef:
kind: ClusterRole
name: system:node-bootstrap-autoapprover
subjects:
- kind: User
name: system:serviceaccount:openshift-infra:bootstrap-autoapprover
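Review bot: The subject binds the auto-approver by user name, `kind: User` with `name: system:serviceaccount:openshift-infra:bootstrap-autoapprover`; the conventional equivalent is `kind: ServiceAccount`, `name: bootstrap-autoapprover`, `namespace: openshift-infra`, which documents the intent and cannot be confused with a human account, whereas a typo in the free-form User string silently binds nobody. `roleRef` also omits `apiGroup: rbac.authorization.k8s.io`; API defaulting normally fills it in, but writing it out keeps the manifest valid under stricter tooling. Since this binding presumably lets that account approve node bootstrap CSRs cluster-wide, a header comment naming the controller that runs as the account and why automatic approval is acceptable in this environment belongs at the top of the file, together with a `---` document start.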
