From 12e3133e49ed8083e120bf3338a7ff47fe3bb1ac Mon Sep 17 00:00:00 2001 From: Christopher Chase Date: Fri, 7 Jul 2017 10:09:16 -0400 Subject: [PATCH] Enable service-catalog using oc cluster up option (#83) * Use oc cluster up --service-catalog=true instead of separate service catalog setup. * Fix to use oc and not the older service catalog config * Update openshift config to use openshift_hostname also removed some unused pieces from the service catalog apiserver now being behind the api aggregator --- ansible/reset_environment.yml | 13 +- .../tasks/main.yml | 2 +- ansible/roles/demo_prep/tasks/main.yml | 4 +- ansible/roles/openshift_setup/tasks/main.yml | 172 ++++-------------- .../openshift_setup/templates/extension.j2 | 12 -- ansible/roles/ssl_setup/tasks/main.yml | 46 ----- ansible/setup_environment.yml | 13 +- ansible/setup_local_environment.yml | 5 +- 8 files changed, 46 insertions(+), 221 deletions(-) delete mode 100644 ansible/roles/openshift_setup/templates/extension.j2 diff --git a/ansible/reset_environment.yml b/ansible/reset_environment.yml index 1564a84..7583c50 100644 --- a/ansible/reset_environment.yml +++ b/ansible/reset_environment.yml @@ -34,7 +34,6 @@ - { role: ssl_setup, when: use_ssl == True } - { role: openshift_setup, reset_cluster: True } - env_hacks - - service_catalog_setup - ansible_service_broker_setup - demo_prep post_tasks: 
@@ -45,13 +44,11 @@ SSH Key Name: {{ ssh_key_name }} Region: {{ aws_region }} Next steps: - 1) Visit https://apiserver-service-catalog.{{ openshift_routing_suffix }} - 2) Accept the certificate - 3) Visit https://{{ openshift_hostname }}:8443 for the console - 4) Provision a RDS APB into awsdemo project - 5) Add to the aws-demo project a Python 3.5 project based off of https://github.com/thesteve0/awsdemo.git - 6) Click on the python project and select creating binding to the RDS APB - 7) Redeploy the python project + 1) Visit https://{{ openshift_hostname }}:8443 for the console + 2) Provision a RDS APB into awsdemo project + 3) Add to the aws-demo project a Python 3.5 project based off of https://github.com/thesteve0/awsdemo.git + 4) Click on the python project and select creating binding to the RDS APB + 5) Redeploy the python project OR For CLI access: oc login --insecure-skip-tls-verify {{ openshift_hostname }}:8443 -u {{ cluster_user }} -p {{ cluster_user_password }} diff --git a/ansible/roles/ansible_service_broker_setup/tasks/main.yml b/ansible/roles/ansible_service_broker_setup/tasks/main.yml index f4bbe57..272d763 100644 --- a/ansible/roles/ansible_service_broker_setup/tasks/main.yml +++ b/ansible/roles/ansible_service_broker_setup/tasks/main.yml @@ -92,4 +92,4 @@ register: ansible_service_broker_template - name: Create Broker resource in Service Catalog - shell: "{{ kubectl_cmd }} --kubeconfig={{ ansible_env.HOME }}/.kube/service-catalog.config create -f /tmp/ansible_service_broker.yaml" + shell: "{{ oc_cmd }} create -f /tmp/ansible_service_broker.yaml" diff --git a/ansible/roles/demo_prep/tasks/main.yml b/ansible/roles/demo_prep/tasks/main.yml index 52209e5..aaaa948 100644 --- a/ansible/roles/demo_prep/tasks/main.yml +++ b/ansible/roles/demo_prep/tasks/main.yml 
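Review bot: `{{ oc_cmd }} create -f /tmp/ansible_service_broker.yaml` applies the Broker definition from a fixed, predictable path in world-writable `/tmp`, and `oc_cmd` runs with the credentials of `cluster_user`, who is granted cluster-admin elsewhere in this change; a local account that can replace that file between the template task (above this hunk) and this one could point the catalog at a broker it controls. How real that is depends on who else has shell access to the host, but rendering the manifest into a root-owned, mode-0700 directory (or a `tempfile` task result) closes it at no cost. `create` is also not idempotent, so a second run of the role fails once the Broker exists; `oc apply -f`, or a `failed_when` that tolerates `AlreadyExists`, would make the role re-runnable.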
@@ -52,7 +52,7 @@ shell: "{{ oc_cmd }} delete -n {{ demo_project_name }} is demoprep python-35-centos7" - name: check if the rds postgres demo instance exists - shell: "{{ kubectl_cmd }} --kubeconfig=/root/.kube/service-catalog.config get instance -n {{ demo_project_name }} --no-headers=true | awk '{ print $1}' | grep -E '^rds-postgres( |$)' | cat" + shell: "{{ oc_cmd }} get instance -n {{ demo_project_name }} --no-headers=true | awk '{ print $1}' | grep -E '^rds-postgres( |$)' | cat" register: rds_demo_deployment - name: create rds apb resource file @@ -64,5 +64,5 @@ mode: 0644 - name: create rds postgres demo instance - shell: "{{ kubectl_cmd }} --kubeconfig=/root/.kube/service-catalog.config create -f /tmp/rds-instance.yml" + shell: "{{ oc_cmd }} create -f /tmp/rds-instance.yml" when: deploy_rds_demo_instance and rds_demo_deployment.stdout.find( "rds-postgres" ) == -1 diff --git a/ansible/roles/openshift_setup/tasks/main.yml b/ansible/roles/openshift_setup/tasks/main.yml index 30d0745..d3e6782 100644 --- a/ansible/roles/openshift_setup/tasks/main.yml +++ b/ansible/roles/openshift_setup/tasks/main.yml @@ -12,7 +12,7 @@ when: ansible_os_family == "RedHat" - set_fact: - oc_tools_dir: /usr/local/bin + oc_tools_dir: /usr/bin when: ec2_install - set_fact: @@ -99,10 +99,17 @@ state: started when: ec2_install - - name: Resetting cluster, {{ reset_cluster }} + - name: Resetting cluster shell: "{{ oc_cmd }} cluster down" when: reset_cluster + - name: Remove {{ oc_host_config_dir }}/master/master-config.yaml when resetting cluster + file: + path: "{{ oc_host_config_dir }}/master/master-config.yaml" + state: absent + become: true + when: reset_cluster + - name: Install docker through pip as it's a requirement of ansible docker module pip: name: docker 
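Review bot: On `reset_cluster` only `master/master-config.yaml` is deleted, so whatever else `oc cluster up` wrote into `{{ oc_host_config_dir }}` (generated CA and serving key pairs, admin kubeconfigs, and the copied `console-privkey.pem`, to the extent they are present — the directory contents are not visible here) survives the "reset" and is reused by the next start. If a reset is meant to produce a cluster with fresh credentials, remove the directory rather than the single file, e.g. `path: "{{ oc_host_config_dir }}/master"`; if keeping the keys is intentional, a comment such as `# only the config is regenerated; generated certs/kubeconfigs are kept on purpose` would stop the next reader from guessing.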
@@ -128,15 +135,6 @@ - "{{ docker_images_group1 }}" - "{{ docker_images_group2 }}" - - name: Remove {{ oc_host_config_dir }}/master/master-config.yaml when resetting cluster - file: - path: "{{ oc_host_config_dir }}/master/master-config.yaml" - state: absent - become: true - when: reset_cluster - - # When reset_cluster is True we do not want to have to wait for the extra oc cluster up/down if it's not required - # so we are checking to see if the master-config.yaml exists, if it's there we will skip the extra oc cluster up/down - stat: path: "{{ oc_host_config_dir }}/master/master-config.yaml" register: master_config_stat @@ -145,23 +143,13 @@ path: "{{ oc_host_config_dir }}/console-fullchain.pem" register: console_ssl_stat - - name: Set a fact to tell if SSL was previously configured and now disabled - set_fact: - ssl_changed: True - when: console_ssl_stat.stat.exists and use_ssl == False - - - name: Running oc cluster status - shell: "{{ oc_cmd }} cluster status | cat" - register: oc_cluster_status - - - name: Set a fact to track the first run of oc cluster up + - name: Check to see if we need to use a custom config set_fact: - oc_cluster_up_first_run: False + use_custom_config: "{{use_ssl}}" - - name: This is the first run so set to True + - name: Check to see if we need to regenerate the custom config because something is missing set_fact: - oc_cluster_up_first_run: True - when: "not 'cluster was started' in oc_cluster_status.stdout" + generate_config: "{{use_custom_config and (not master_config_stat.stat.exists or not console_ssl_stat.stat.exists)}}" - name: Create command line for oc cluster up execution set_fact: 
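Review bot: Once `use_ssl` is false, `generate_config` is always false, so a host that previously ran with SSL keeps its old `master-config.yaml`, `console-fullchain.pem` and `console-privkey.pem` under `{{ oc_host_config_dir }}` indefinitely; the removed `ssl_changed` fact used to force a regeneration in exactly that case. Whether the next `oc cluster up` (now run without `--host-config-dir`) still picks that config up depends on whether `oc_host_config_dir` is its default location, which I cannot tell from here, but either way a private key that is no longer meant to be served stays on disk. I would add a cleanup task, gated on `not use_ssl and console_ssl_stat.stat.exists`, that removes the stale key, certificate and master-config.yaml before the cluster is started. Separately, `use_custom_config: "{{use_ssl}}"` is safer as `use_custom_config: "{{ use_ssl | bool }}"` so the later `when: use_custom_config` can never see a string value.
```yaml
  - name: Remove stale SSL material when SSL has been disabled
    file:
      path: "{{ oc_host_config_dir }}/{{ item }}"
      state: absent
    with_items:
      - console-privkey.pem
      - console-fullchain.pem
      - master/master-config.yaml
    become: true
    when: not use_ssl and console_ssl_stat.stat.exists
```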
@@ -172,18 +160,17 @@ --host-pv-dir={{ persistedvol_mount_point }} --image={{ origin_image_name }} --version={{ origin_image_tag }} - --host-config-dir={{ oc_host_config_dir }} + {% if use_custom_config %}--host-config-dir={{ oc_host_config_dir }}{% endif %} + --service-catalog=true - debug: - msg: "Looking at oc cluster up command: '{{ oc_cluster_up_cmd }}'" + var: use_custom_config - # Intent of this oc cluster up is generate the master-config.yaml so we can make edits to it - - name: Run oc cluster up - shell: "{{ oc_cluster_up_cmd }}" - when: (oc_cluster_up_first_run and not master_config_stat.stat.exists) or ssl_changed is defined + - debug: + var: generate_config - debug: - msg: "oc_cluster_up_first_run = {{ oc_cluster_up_first_run }}, oc_cluster_status.stdout = '{{ oc_cluster_status.stdout }}'" + msg: "Looking at oc cluster up command: '{{ oc_cluster_up_cmd }}'" - name: Ensure {{ persistedvol_mount_point }} directory exists if running in local mode file: @@ -212,9 +199,14 @@ become: true # Intent of this oc cluster up is generate the master-config.yaml so we can make edits to it + - name: Run oc cluster up to generate master-config.yaml + shell: "{{ oc_cluster_up_cmd }}" + when: generate_config + + # Shut down cluster and use the generated master-config.yaml so we can make edits to it - name: Run oc cluster down shell: "{{ oc_cmd }} cluster down" - when: (oc_cluster_up_first_run and not master_config_stat.stat.exists) or ssl_changed is defined + when: generate_config - name: Copy credentials into host dir copy: @@ -224,7 +216,7 @@ owner: root group: root mode: 0644 - when: use_ssl == True + when: generate_config and use_ssl == True - name: Copy credentials into host dir copy: 
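Review bot: Gating this certificate copy on `generate_config` means a renewed `/tmp/console-fullchain.pem` is never installed once `master-config.yaml` and a `console-fullchain.pem` already exist in `{{ oc_host_config_dir }}`, because `generate_config` only checks that those files exist, not that they are current; Let's Encrypt certificates are short-lived, so after the first successful run the served certificate silently goes stale. `copy` is idempotent, so keeping the previous condition `when: use_ssl == True` on the copy tasks is safe and leaves the `generate_config` gate where it matters, on the `oc cluster up`/`cluster down` pair. If the copy reports `changed`, the master has to be restarted to load the new file, so I would `register` it and act on that. The task name and `src` of this copy are outside the hunk; from the ssl_setup ordering it appears to be the console fullchain.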
@@ -234,122 +226,26 @@ owner: root group: root mode: 0644 - when: use_ssl == True - - - name: Copy credentials into host dir - copy: - remote_src: True - src: /tmp/apiserver-fullchain.pem - dest: "{{ oc_host_config_dir }}/apiserver-fullchain.pem" - owner: root - group: root - mode: 0644 - when: use_ssl == True - - - name: Copy credentials into host dir - copy: - remote_src: True - src: /tmp/apiserver-privkey.pem - dest: "{{ oc_host_config_dir }}/apiserver-privkey.pem" - owner: root - group: root - mode: 0644 - when: use_ssl == True + when: generate_config and use_ssl == True - - name: Add extension script to oc config to talk to svc catalog - template: - src: extension.j2 - dest: "{{ oc_host_config_dir }}/extension.js" - mode: 0644 - register: extension_script_result - become: 'true' - - - name: Edit master-config to allow extension scripts - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - regexp: "extensionDevelopment:" - line: " extensionDevelopment: true" - become: 'true' - - - name: Add extension script to assetConfig - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - insertafter: "extensionScripts: null" - line: " - /var/lib/origin/openshift.local.config/extension.js" - become: 'true' - - - name: Edit master-config to add extension script - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - regexp: "extensionScripts: null" - line: " extensionScripts:" - become: 'true' - - - name: Add SSL cert to namedCertificates - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - insertafter: "namedCertificates: null" - line: " - certFile: {{ oc_host_config_dir }}/console-fullchain.pem" - when: use_ssl == True - become: 'true' - - - name: Add SSL cert to namedCertificates - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - insertafter: "certFile: {{ oc_host_config_dir }}/console-fullchain.pem" - line: " keyFile: {{ oc_host_config_dir 
}}/console-privkey.pem" - when: use_ssl == True - become: 'true' - - - name: Add SSL cert to namedCertificates - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - insertafter: "keyFile: {{ oc_host_config_dir }}/console-privkey.pem" - line: " names:" - when: use_ssl == True - become: 'true' - - - name: Add SSL cert to namedCertificates - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - insertafter: "names:" - line: " - \"apiserver-service-catalog.{{ openshift_routing_suffix }}\"" - when: use_ssl == True - become: 'true' - - - name: Add SSL cert to namedCertificates - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - insertafter: "names:" - line: " - \"{{ openshift_hostname }}\"" - when: use_ssl == True - become: 'true' - - - name: Edit master-config to allow SSL cert + - name: Edit master-config servingInfo.namedCertificates to use SSL lineinfile: dest: "{{ oc_host_config_dir }}/master/master-config.yaml" regexp: "namedCertificates: null" - line: " namedCertificates:" - when: use_ssl == True - become: 'true' - - - name: Edit master-config to turn on PodPreset - lineinfile: - dest: "{{ oc_host_config_dir }}/master/master-config.yaml" - insertbefore: "openshift.io/ImagePolicy:" - line: " PodPreset:\n configuration:\n kind: DefaultAdmissionConfig\n apiVersion: v1\n disable: false" + line: " namedCertificates:\n - certFile: /var/lib/origin/openshift.local.config/console-fullchain.pem\n keyFile: /var/lib/origin/openshift.local.config/console-privkey.pem\n names:\n - \"{{ openshift_hostname }}\"\n" + when: generate_config and use_ssl == True become: 'true' - name: Update oc cluster up command to use --use-existing-config set_fact: oc_cluster_up_cmd: "{{ oc_cluster_up_cmd }} --use-existing-config" + when: use_custom_config - debug: msg: "Looking at oc cluster up command: '{{ oc_cluster_up_cmd }}'" - - name: Run oc cluster up + - name: Run oc cluster up to start the cluster shell: "{{ 
oc_cluster_up_cmd }}" - when: oc_cluster_up_first_run register: oc_cluster_up # # Add permissions to desired openshift user @@ -368,10 +264,6 @@ shell: "{{ oc_cmd }} adm policy add-cluster-role-to-user cluster-admin {{ cluster_user }}" when: oc_cluster_up.changed - - name: Add cluster-admin role to {{ service_catalog_user }} - shell: "{{ oc_cmd }} adm policy add-cluster-role-to-user cluster-admin {{ service_catalog_user }}" - when: oc_cluster_up.changed - - name: Add privileged scc to {{ cluster_user }} shell: "{{ oc_cmd }} adm policy add-scc-to-user privileged {{ cluster_user }}" when: oc_cluster_up.changed diff --git a/ansible/roles/openshift_setup/templates/extension.j2 b/ansible/roles/openshift_setup/templates/extension.j2 deleted file mode 100644 index b9ec9e8..0000000 --- a/ansible/roles/openshift_setup/templates/extension.j2 +++ /dev/null @@ -1,12 +0,0 @@ -window.OPENSHIFT_CONSTANTS.ENABLE_TECH_PREVIEW_FEATURE = { - // Enable the new landing page and service catalog experience - service_catalog_landing_page: true, - // Set to `true` when the template service broker is enabled for the cluster in master-config.yaml - template_service_broker: false, - pod_presets: true -}; - -window.OPENSHIFT_CONFIG.additionalServers = [{ - hostPort: "apiserver-service-catalog.{{ openshift_routing_suffix }}", - prefix: "/apis" -}]; diff --git a/ansible/roles/ssl_setup/tasks/main.yml b/ansible/roles/ssl_setup/tasks/main.yml index 01ffa10..3f1a932 100644 --- a/ansible/roles/ssl_setup/tasks/main.yml +++ b/ansible/roles/ssl_setup/tasks/main.yml 
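Review bot: The copy whose `when:` is changed at the top of this hunk (its `src` is above the hunk; from the ssl_setup ordering it appears to be `console-privkey.pem`) still writes the TLS private key into `{{ oc_host_config_dir }}` with `mode: 0644`, readable by every local account on the host; `mode: 0600` with `owner: root` is sufficient, since the master that reads it runs as root inside the cluster-up container. The new `lineinfile` edit has a second problem: `lineinfile` appends `line` at end of file when `regexp` does not match, so a `master-config.yaml` that already carries a `namedCertificates` block would get a second, mis-indented block appended rather than updated — add `backrefs: yes` so a non-matching file is left untouched, and `register: namedcerts` with `failed_when: not namedcerts.changed` so the miss is visible. The hardcoded `/var/lib/origin/openshift.local.config/...` paths in `line` replace the previous `{{ oc_host_config_dir }}` templating; if that is deliberate because the host directory is mounted under that path inside the container, a comment saying so (`# path as seen from inside the origin container, not the host`) would keep the next reader from "fixing" it.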
@@ -40,22 +40,6 @@ auth when: certsLocal.stat.exists == False and certsRemote.stat.isdir is not defined - - name: Run letsencrypt script for apiserver - shell: > - {{ go_path }}/src/github.com/letsencrypt/letsencrypt/letsencrypt-auto - --renew-by-default - -a standalone - --webroot-path - /tmp/letsencrypt/ - --server https://acme-v01.api.letsencrypt.org/directory - --email {{ email_address }} - --text - {{ "--test-cert" if use_test_cert else "" }} - --agree-tos - -d apiserver-service-catalog.{{ openshift_hostname }} - auth - when: certsLocal.stat.exists == False and certsRemote.stat.isdir is not defined - - name: Store SSL certs locally for future instances fetch: src: /etc/letsencrypt/archive/{{ openshift_hostname }}/fullchain1.pem @@ -70,20 +54,6 @@ flat: yes when: certsLocal.stat.exists == False - - name: Store SSL certs locally for future instances - fetch: - src: /etc/letsencrypt/archive/apiserver-service-catalog.{{ openshift_hostname }}/fullchain1.pem - dest: certs/{{ openshift_hostname }}-apiserver-cert.pem - flat: yes - when: certsLocal.stat.exists == False - - - name: Store SSL certs locally for future instances - fetch: - src: /etc/letsencrypt/archive/apiserver-service-catalog.{{ openshift_hostname }}/privkey1.pem - dest: certs/{{ openshift_hostname }}-apiserver-key.pem - flat: yes - when: certsLocal.stat.exists == False - - name: Copy credentials into /tmp copy: src: certs/{{ openshift_hostname }}-console-cert.pem @@ -99,19 +69,3 @@ owner: root group: root mode: 0644 - - - name: Copy credentials into /tmp - copy: - src: certs/{{ openshift_hostname }}-apiserver-cert.pem - dest: /tmp/apiserver-fullchain.pem - owner: root - group: root - mode: 0644 - - - name: Copy credentials into /tmp - copy: - src: certs/{{ openshift_hostname }}-apiserver-key.pem - dest: /tmp/apiserver-privkey.pem - owner: root - group: root - mode: 0644 diff --git a/ansible/setup_environment.yml b/ansible/setup_environment.yml index eb59923..18ac534 100644 
--- a/ansible/setup_environment.yml
+++ b/ansible/setup_environment.yml
@@ -38,7 +38,6 @@
 - { role: ssl_setup, when: use_ssl == True }
 - openshift_setup
 - env_hacks
- - service_catalog_setup
 - ansible_service_broker_setup
 - demo_prep
 post_tasks:
@@ -49,13 +48,11 @@
 SSH Key Name: {{ ssh_key_name }}
 Region: {{ aws_region }}
 Next steps:
- 1) Visit https://apiserver-service-catalog.{{ openshift_routing_suffix }}
- 2) Accept the certificate
- 3) Visit https://{{ openshift_hostname }}:8443 for the console
- 4) Provision a RDS APB into awsdemo project
- 5) Add to the aws-demo project a Python 3.5 project based off of https://github.com/thesteve0/awsdemo.git
- 6) Click on the python project and select creating binding to the RDS APB
- 7) Redeploy the python project
+ 1) Visit https://{{ openshift_hostname }}:8443 for the console
+ 2) Provision a RDS APB into awsdemo project
+ 3) Add to the aws-demo project a Python 3.5 project based off of https://github.com/thesteve0/awsdemo.git
+ 4) Click on the python project and select creating binding to the RDS APB
+ 5) Redeploy the python project
 OR
 For CLI access:
 oc login --insecure-skip-tls-verify {{ openshift_hostname }}:8443 -u {{ cluster_user }} -p {{ cluster_user_password }}
diff --git a/ansible/setup_local_environment.yml b/ansible/setup_local_environment.yml
index ef259bc..8fe7352 100644
--- a/ansible/setup_local_environment.yml
+++ b/ansible/setup_local_environment.yml
@@ -15,7 +15,6 @@
 roles:
 - openshift_setup
 - env_hacks
- - service_catalog_setup
 - ansible_service_broker_setup
 - { role: local_demo_prep, when: demo }
 post_tasks:
@@ -23,9 +22,7 @@
 msg: |
 Hostname: {{ openshift_hostname }}
 Next steps:
- 1) Visit https://apiserver-service-catalog.{{ openshift_routing_suffix }}
- 2) Accept the certificate
- 3) Visit https://{{ openshift_hostname }}:8443 for the console
+ Visit https://{{ openshift_hostname }}:8443 for the web console
 OR
 For CLI access:
 oc login --insecure-skip-tls-verify {{ openshift_hostname }}:8443 -u {{ cluster_user }} -p {{ cluster_user_password }}