Diffstat (limited to 'ansible/roles')
-rw-r--r--ansible/roles/certificates/tasks/main.yml100
-rw-r--r--ansible/roles/certificates/tasks/upload_root_ca.yml10
-rw-r--r--ansible/roles/certificates/templates/v3.ext.j29
-rw-r--r--ansible/roles/kubectl/tasks/main.yml7
-rw-r--r--ansible/roles/nfs/defaults/main.yml5
-rw-r--r--ansible/roles/nfs/tasks/main.yml33
-rw-r--r--ansible/roles/nfs/templates/exports.j23
-rw-r--r--ansible/roles/rancher/tasks/main.yml2
-rw-r--r--ansible/roles/rancher/tasks/rancher_agent.yml13
-rw-r--r--ansible/roles/rancher/tasks/rancher_server.yml51
-rw-r--r--ansible/roles/rancher/templates/kube_config.j219
11 files changed, 252 insertions, 0 deletions
diff --git a/ansible/roles/certificates/tasks/main.yml b/ansible/roles/certificates/tasks/main.yml
new file mode 100644
index 00000000..2e7dd88a
--- /dev/null
+++ b/ansible/roles/certificates/tasks/main.yml
@@ -0,0 +1,100 @@
+---
+# Some of task are delegated to Ansible container because unavailable
+# version of python-pyOpenSSL
+- name: Generate root CA private key
+ openssl_privatekey:
+ path: /certs/rootCA.key
+ size: 4096
+ delegate_to: localhost
+
+- name: Generate an OpenSSL CSR.
+ openssl_csr:
+ path: /certs/rootCA.csr
+ privatekey_path: /certs/rootCA.key
+ organization_name: "{{ certificates.organization_name }}"
+ state_or_province_name: "{{ certificates.state_or_province_name }}"
+ country_name: "{{ certificates.country_name }}"
+ locality_name: "{{ certificates.locality_name }}"
+ basic_constraints:
+ - CA:true
+ basic_constraints_critical: yes
+ key_usage:
+ - critical
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ delegate_to: localhost
+
+- name: Generate root CA certificate
+ openssl_certificate:
+ provider: selfsigned
+ path: /certs/rootCA.crt
+ csr_path: /certs/rootCA.csr
+ privatekey_path: /certs/rootCA.key
+ key_usage:
+ - critical
+ - digitalSignature
+ - cRLSign
+ - keyCertSign
+ force: yes
+ delegate_to: localhost
+ notify: Restart Docker
+
+- name: Generate private Nexus key
+ openssl_privatekey:
+ path: /certs/nexus_server.key
+ size: 4096
+ force: False
+ delegate_to: localhost
+
+- name: Generate Nexus CSR (certificate signing request)
+ openssl_csr:
+ path: /certs/nexus_server.csr
+ privatekey_path: /certs/nexus_server.key
+ organization_name: "{{ certificates.organization_name }}"
+ state_or_province_name: "{{ certificates.state_or_province_name }}"
+ country_name: "{{ certificates.country_name }}"
+ locality_name: "{{ certificates.locality_name }}"
+ common_name: registry-1.docker.io
+ key_usage:
+ - keyAgreement
+ - nonRepudiation
+ - digitalSignature
+ - keyEncipherment
+ - dataEncipherment
+ extended_key_usage:
+ - serverAuth
+ subject_alt_name:
+ "{{ simulated_hosts | map('regex_replace', '(.*)', 'DNS:\\1') | list }}"
+ delegate_to: localhost
+
+- name: Generate v3 extension config file
+ template:
+ src: v3.ext.j2
+ dest: /certs/v3.ext
+ delegate_to: localhost
+
+# Signing certificate is added to Ansible in version 2.7 (release date 04.10.2018)
+# Currently using 2.6.3
+- name: Sign Nexus certificate
+ command: >
+ openssl
+ x509
+ -req
+ -in /certs/nexus_server.csr
+ -extfile /certs/v3.ext
+ -CA /certs/rootCA.crt
+ -CAkey /certs/rootCA.key
+ -CAcreateserial
+ -out /certs/nexus_server.crt
+ -days 3650
+ -sha256
+ delegate_to: localhost
+
+- name: Upload certificates to infrastructure server
+ copy:
+ src: /certs
+ directory_mode: yes
+ dest: "{{ app_data_path }}/"
+
+- import_tasks: upload_root_ca.yml
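Review bot: The "Upload certificates to infrastructure server" task copies the whole `/certs` directory, so `rootCA.key` and `nexus_server.key` are placed under `{{ app_data_path }}/` on the remote host with no `mode` or `owner`, while `rootCA.crt` is simultaneously being added to every host's trust anchors by upload_root_ca.yml. Anyone who can read that directory on the infrastructure server can then issue certificates those hosts trust, so the copy should be limited to public material, e.g. `with_fileglob: /certs/*.crt` with `dest: "{{ app_data_path }}/certs/"`, or at minimum carry `mode: "0600"` and the key files should stay on the controller. Separately, `force: yes` on "Generate root CA certificate" regenerates the CA certificate on every run and re-notifies Restart Docker each time; `force: false` (or `force: "{{ certificates_regenerate | default(false) }}"`) would make the role idempotent. The file also mixes `yes`, `False` and implicit booleans; use `true`/`false` throughout.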
diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml
new file mode 100644
index 00000000..5a59d27b
--- /dev/null
+++ b/ansible/roles/certificates/tasks/upload_root_ca.yml
@@ -0,0 +1,10 @@
+---
+- name: Copy root certificate
+ copy:
+ src: "/certs/rootCA.crt"
+ dest: /etc/pki/ca-trust/source/anchors/
+ notify: Restart Docker
+
+- name: Extract root certificate
+ command: /usr/bin/update-ca-trust extract
+ notify: Restart Docker
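Review bot: "Extract root certificate" runs `update-ca-trust extract` unconditionally and has no `changed_when`, so it reports changed and notifies Restart Docker on every run even when the certificate was unchanged. Registering the copy result and gating the command on it avoids needless Docker restarts: add `register: root_ca` to the copy task and `when: root_ca.changed` (plus `changed_when: true`) to the command task. The copy task should also set `mode: "0644"` so the anchor is readable by the trust tooling regardless of the controller's umask.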
diff --git a/ansible/roles/certificates/templates/v3.ext.j2 b/ansible/roles/certificates/templates/v3.ext.j2
new file mode 100644
index 00000000..7be946fd
--- /dev/null
+++ b/ansible/roles/certificates/templates/v3.ext.j2
@@ -0,0 +1,9 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+{% for name in all_simulated_hosts -%}
+ DNS.{{ loop.index }} = {{ name }}
+{% endfor %}
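Review bot: This extension file drives the signed certificate's extensions, so the `subject_alt_name` and `extended_key_usage` set on the CSR in tasks/main.yml are not what ends up in `nexus_server.crt`; `openssl x509 -req -extfile` uses this file and ignores CSR extensions. The two sources also disagree on the host list (`all_simulated_hosts` here, `simulated_hosts` in the CSR), which is likely to confuse the next maintainer. Add `extendedKeyUsage = serverAuth` here so the server cert is usable only for TLS server authentication, as the CSR intended, and add a comment such as `# Extensions here override the CSR's; keep in sync with tasks/main.yml` at the top of the template.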
diff --git a/ansible/roles/kubectl/tasks/main.yml b/ansible/roles/kubectl/tasks/main.yml
new file mode 100644
index 00000000..7c77c3c5
--- /dev/null
+++ b/ansible/roles/kubectl/tasks/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Install kubectl
+ copy:
+ src: "{{ app_data_path }}/downloads/kubectl"
+ dest: "{{ kubectl_bin_dir }}/kubectl"
+ remote_src: true
+ mode: 0755
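Review bot: The `kubectl` binary is installed from `{{ app_data_path }}/downloads/kubectl` with no integrity check, so whatever happens to be in that directory on the remote host becomes an executable on every target; if the download step elsewhere does not verify a checksum, consider validating it here, for example with a `stat` task (`checksum_algorithm: sha256`) compared against an expected value before the copy. The file mode should also be quoted, `mode: "0755"`, so a YAML parser cannot reinterpret the leading-zero octal literal.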
diff --git a/ansible/roles/nfs/defaults/main.yml b/ansible/roles/nfs/defaults/main.yml
new file mode 100644
index 00000000..a5e1d2a5
--- /dev/null
+++ b/ansible/roles/nfs/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+nfs_services:
+ RedHat:
+ - rpcbind
+ - nfs
diff --git a/ansible/roles/nfs/tasks/main.yml b/ansible/roles/nfs/tasks/main.yml
new file mode 100644
index 00000000..32194d13
--- /dev/null
+++ b/ansible/roles/nfs/tasks/main.yml
@@ -0,0 +1,33 @@
+---
+- name: Create nfs directory
+ file:
+ path: "{{ nfs_mount_path }}"
+ state: directory
+ mode: 0777
+
+- name: Setup nfs server
+ block:
+ - name: Start services
+ systemd:
+ name: "{{ item }}"
+ state: started
+ with_items: "{{ nfs_services[ansible_os_family] }}"
+
+ - name: Add hosts to exports
+ template:
+ src: exports.j2
+ dest: /etc/exports
+
+ - name: Export nfs
+ command: exportfs -ar
+ when:
+ - "'nfs-server' in group_names"
+
+- name: Mount dockerdata-nfs
+ mount:
+ path: "{{ nfs_mount_path }}"
+ src: "{{ hostvars[groups['nfs-server'].0].ansible_host }}:{{ nfs_mount_path }}"
+ fstype: nfs
+ state: mounted
+ when:
+ - "'nfs-server' not in group_names"
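Review bot: "Create nfs directory" makes the shared directory world-writable with `mode: 0777`, and the directory is then exported `rw` to every host via exports.j2, so any local user on any node can write into it. If that is intentional for the workload, document it with a comment such as `# world-writable on purpose: shared by all kubernetes nodes over NFS`; otherwise a narrower mode such as `mode: "0775"` with an explicit `owner`/`group` is safer. Either way quote the value (`"0777"`) so a YAML parser cannot reinterpret the octal literal, and give "Export nfs" a `changed_when` since `exportfs -ar` reports changed on every run.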
diff --git a/ansible/roles/nfs/templates/exports.j2 b/ansible/roles/nfs/templates/exports.j2
new file mode 100644
index 00000000..1f6956c2
--- /dev/null
+++ b/ansible/roles/nfs/templates/exports.j2
@@ -0,0 +1,3 @@
+{% for host in groups.kubernetes[1:] -%}
+ {{ nfs_mount_path }} {{ hostvars[host].ansible_host }}(rw,sync,no_root_squash,no_subtree_check)
+{% endfor %}
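Review bot: The loop over `groups.kubernetes[1:]` assumes the NFS server is always the first host in the `kubernetes` group, while tasks/main.yml identifies the server by membership in `groups['nfs-server']`; if the inventory order changes, the server will export to itself and skip a real client. Deriving the client list from the same source removes that coupling: `{% for host in groups.kubernetes | difference(groups['nfs-server']) -%}`. Note also that `no_root_squash` lets root on any client act as root on the export; if that is required by the workload, a comment stating why would help reviewers.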
diff --git a/ansible/roles/rancher/tasks/main.yml b/ansible/roles/rancher/tasks/main.yml
new file mode 100644
index 00000000..1370a39f
--- /dev/null
+++ b/ansible/roles/rancher/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include_tasks: "rancher_{{ rancher_role }}.yml"
diff --git a/ansible/roles/rancher/tasks/rancher_agent.yml b/ansible/roles/rancher/tasks/rancher_agent.yml
new file mode 100644
index 00000000..4c9cb8dd
--- /dev/null
+++ b/ansible/roles/rancher/tasks/rancher_agent.yml
@@ -0,0 +1,13 @@
+---
+- name: Add Rancher Agent
+ docker_container:
+ name: rancher_agent
+ image: "{{ server_hostvars.rancher_agent_image }}"
+ command: "{{ server_hostvars.rancher_agent_reg_url }}"
+ volumes:
+ - "/var/run/docker.sock:/var/run/docker.sock"
+ - "/var/lib/rancher:/var/lib/rancher"
+ auto_remove: yes
+ privileged: yes
+ vars:
+ server_hostvars: "{{ hostvars[groups.infrastructure.0] }}"
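Review bot: `server_hostvars.rancher_agent_image` and `rancher_agent_reg_url` are facts that only exist if rancher_server.yml's `set_fact` task already ran against `groups.infrastructure.0` in this run, so running the agent role on its own fails with an undefined-variable error rather than a clear message. An `assert` task before the container start, with `that: server_hostvars.rancher_agent_reg_url is defined` and a `fail_msg` pointing to the server role, would make the dependency explicit. The booleans should be written `auto_remove: true` and `privileged: true` for consistency with YAML 1.2 parsers.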
diff --git a/ansible/roles/rancher/tasks/rancher_server.yml b/ansible/roles/rancher/tasks/rancher_server.yml
new file mode 100644
index 00000000..9abf986b
--- /dev/null
+++ b/ansible/roles/rancher/tasks/rancher_server.yml
@@ -0,0 +1,51 @@
+---
+# DO NOT ADD SPACE AROUND ';'
+- name: Start rancher/server:v1.6.14
+ docker_container:
+ name: rancher_server
+ image: rancher/server:v1.6.14
+ command: ["sh", "-c", "/usr/sbin/update-ca-certificates;/usr/bin/entry /usr/bin/s6-svscan /service"]
+ ports: 8080:8080
+ state: started
+ restart_policy: unless-stopped
+ volumes:
+ - "{{ app_data_path }}/certs:/usr/local/share/ca-certificates/extra:ro"
+
+- name: Wait for rancher server to be ready
+ uri:
+ url: "{{ rancher_server_url }}/v2-beta"
+ register: response
+ retries: 10
+ delay: 30
+ until: not response.failed
+
+- name: Create kubernetes environment
+ rancher_k8s_environment:
+ name: "{{ app_name }}"
+ descr: "Kubernetes environment for {{ app_name }}"
+ server: "{{ rancher_server_url }}"
+ delete_other_k8s: "{{ rancher_remove_other_env }}"
+ force: "{{ rancher_redeploy_k8s_env }}"
+ host_os: "{{ ansible_os_family }}"
+ register: env
+ retries: 10
+ delay: 5
+ until: env.data is defined
+
+- name: Set apikey values
+ set_fact:
+ k8s_env_id: "{{ env.data.environment.id }}"
+ key_public: "{{ env.data.apikey.public }}"
+ key_private: "{{ env.data.apikey.private }}"
+ rancher_agent_image: "{{ env.data.registration_tokens.image }}"
+ rancher_agent_reg_url: "{{ env.data.registration_tokens.reg_url }}"
+
+- name: Ensure .kube directory exists
+ file:
+ path: "{{ kube_directory }}"
+ state: directory
+
+- name: Create kube config
+ template:
+ src: kube_config.j2
+ dest: "{{ kube_directory }}/config"
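Review bot: "Create kubernetes environment" and "Set apikey values" register and set `env.data.apikey.private` without `no_log: true`, so the private API key is printed in the play output and in any log shipped from the controller. Add `no_log: true` to both tasks, and since "Create kube config" writes that same credential to `{{ kube_directory }}/config`, give the template task `mode: "0600"`. The `ports: 8080:8080` value should be a quoted list item, `ports: - "8080:8080"`, which is the form docker_container documents.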
diff --git a/ansible/roles/rancher/templates/kube_config.j2 b/ansible/roles/rancher/templates/kube_config.j2
new file mode 100644
index 00000000..87f332e6
--- /dev/null
+++ b/ansible/roles/rancher/templates/kube_config.j2
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+ api-version: v1
+ insecure-skip-tls-verify: true
+ server: "https://{{ ansible_host }}:8080/r/projects/{{ k8s_env_id }}/kubernetes:6443"
+ name: "{{ app_name }}"
+contexts:
+- context:
+ cluster: "{{ app_name }}"
+ user: "{{ app_name }}"
+ name: "{{ app_name }}"
+current-context: "{{ app_name }}"
+users:
+- name: "{{ app_name }}"
+ user:
+ token: "{{ (['Basic', [key_public, key_private] | join(':') | b64encode] | join(' ')) | b64encode }}"
+
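Review bot: `insecure-skip-tls-verify: true` disables verification of the Rancher endpoint even though the certificates role installs `rootCA.crt` on these hosts and mounts it into the Rancher server container, so the kubeconfig does not benefit from that CA and is exposed to endpoint spoofing. If the Rancher endpoint presents a certificate chained to that CA, replace the flag with `certificate-authority: "{{ app_data_path }}/certs/rootCA.crt"`; if it does not (it is unclear from the diff whether port 8080 serves TLS at all), a comment explaining why verification is skipped would help. The `token` line encodes the API key pair twice (`Basic` + base64, then base64 again), which reads as a mistake; a comment such as `{# Rancher 1.6 expects a base64-wrapped "Basic <b64(key:secret)>" value as the bearer token #}` would save the next reader from "fixing" it.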