Diffstat (limited to 'ansible')
26 files changed, 196 insertions, 140 deletions
diff --git a/ansible/.gitignore b/ansible/.gitignore index e5505c9e..c1c4d568 100644 --- a/ansible/.gitignore +++ b/ansible/.gitignore @@ -1,3 +1,6 @@ ansible_chroot application/* certs/ + +# Molecule testing +__pycache__/ diff --git a/ansible/application.yml b/ansible/application.yml index bbac7e5c..02c654f2 100644 --- a/ansible/application.yml +++ b/ansible/application.yml @@ -2,22 +2,16 @@ - name: Setup nfs server hosts: nfs-server roles: - - {role: nfs, when: groups.kubernetes | length > 1 } + - role: nfs + when: groups.kubernetes | length > 1 - name: Setup nfs mounts hosts: kubernetes:!nfs-server roles: - - {role: nfs, when: groups.kubernetes | length > 1 } + - role: nfs + when: groups.kubernetes | length > 1 - name: Install Helm application {{ app_name }} into offline Kubernetes cluster hosts: infrastructure roles: - - role: application-install - vars: - phase: pre-install - - role: application-install - vars: - phase: install - - role: application-install - vars: - phase: post-install + - application diff --git a/ansible/group_vars/all.yml b/ansible/group_vars/all.yml index 0d22ac5d..1dc938fd 100755 --- a/ansible/group_vars/all.yml +++ b/ansible/group_vars/all.yml @@ -90,9 +90,10 @@ runtime_images: {} # Application specific params # ############################### -# App Helm charts directory location in installation package. -# The path is absolute path (even locates relative inside of this sw package -# installation folder) because it must be visible for ansible docker/chroot +# App Helm charts directory location in installation package +# (local path for the ansible process). +# The path locates relative inside of this sw package +# installation folder and must be visible for ansible docker/chroot # process to find directory and to transfer it into machine (infra node) running # Helm repository. # Content of the folder must be Helm chart directories of the app with Makefile. 
@@ -100,7 +101,7 @@ runtime_images: {} # NOTE: This default value should not be changed if not really needed and it # must match with the variable "HELM_CHARTS_DIR_IN_PACKAGE" value in package.sh # script! -app_helm_charts_install_directory: "/ansible/application/helm_charts" +app_helm_charts_install_directory: application/helm_charts # Specify target dir where helm charts are copied into on infra node. # (same as content of "app_helm_charts_install_directory" copied by installer to this dir.) diff --git a/ansible/group_vars/infrastructure.yml b/ansible/group_vars/infrastructure.yml index f0c4113e..a248a514 100755 --- a/ansible/group_vars/infrastructure.yml +++ b/ansible/group_vars/infrastructure.yml @@ -27,5 +27,3 @@ all_simulated_hosts: rancher_server_version: v1.6.22 populate_nexus: false helm_bin_dir: /usr/local/bin -helm_repository_name: local -helm_repository_url: http://127.0.0.1:8879 diff --git a/ansible/infrastructure.yml b/ansible/infrastructure.yml index 83e185fe..18290ae4 100644 --- a/ansible/infrastructure.yml +++ b/ansible/infrastructure.yml @@ -20,6 +20,8 @@ roles: - docker tasks: - - import_tasks: roles/certificates/tasks/upload_root_ca.yml + - include_role: + name: certificates + tasks_from: upload_root_ca.yml vars: certificates_local_dir: certs diff --git a/ansible/roles/application-install/defaults/main.yml b/ansible/roles/application-install/defaults/main.yml deleted file mode 100644 index 473fbb80..00000000 --- a/ansible/roles/application-install/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ -phase: install diff --git a/ansible/roles/application-install/tasks/install.yml b/ansible/roles/application-install/tasks/install.yml deleted file mode 100644 index d2134d30..00000000 --- a/ansible/roles/application-install/tasks/install.yml +++ /dev/null 
@@ -1,68 +0,0 @@ ---- -- name: Helm init and upgrade - command: | - {{ helm_bin_dir }}/helm init - --upgrade - --skip-refresh - -#A correct way to implement this would be using --wait option in helm init invocation. -#However, it does not work due to https://github.com/helm/helm/issues/4031 (fixed in newer helm release) -- name: "Wait for helm upgrade to finish" - command: "{{ helm_bin_dir }}/helm version --tiller-connection-timeout 10" - register: result - until: result.rc == 0 - delay: 10 - retries: 12 - -- name: Get all helm repos - command: "{{ helm_bin_dir }}/helm repo list" - register: repos - -- name: Remove stable repo - command: "{{ helm_bin_dir }}/helm repo remove stable" - when: "'stable' in repos.stdout" - -- name: Helm Serve - shell: "{{ helm_bin_dir }}/helm serve &" - async: 45 - poll: 0 - -- name: Helm Add Repo - command: "{{ helm_bin_dir }}/helm repo add {{ helm_repository_name }} {{ helm_repository_url }}" - -- name: Build local helm repository - make: - chdir: "{{ app_helm_charts_infra_directory }}" - target: "{{ item }}" - with_items: "{{ app_helm_build_targets }}" - environment: - PATH: "{{ helm_bin_dir }}:{{ ansible_env.PATH }}" - -- name: Register root certificate - slurp: - src: "{{ playbook_dir }}/certs/rootCA.crt" - register: root_cert - delegate_to: localhost - -# WA: this is required because deploy plugin dont process params properly -- name: Create override file with global.cacert - copy: - dest: "{{ app_data_path}}/override.yaml" - content: | - global: - cacert: | - {{ root_cert['content'] | b64decode | indent( width=4, indentfirst=False) }} - -- name: Check for deploy plugin presence - stat: - path: '{{ helm_home_dir.stdout }}/plugins/deploy/deploy.sh' - register: deploy_plugin_presence - -- name: "Helm Install application {{ app_name }}" - command: > - {{ helm_bin_dir }}/helm - {{ 'deploy' if deploy_plugin_presence.stat.exists else 'install --name' }} - {{ app_helm_release_name }} - {{ helm_repository_name }}/{{ app_helm_chart_name }} 
- --namespace {{ app_kubernetes_namespace }} - -f {{ app_data_path }}/override.yaml diff --git a/ansible/roles/application-install/tasks/main.yml b/ansible/roles/application-install/tasks/main.yml deleted file mode 100644 index ba522792..00000000 --- a/ansible/roles/application-install/tasks/main.yml +++ /dev/null @@ -1,22 +0,0 @@ ---- -- debug: - msg: "phase is {{ phase }}" - -- name: Check if install needed - block: - - name: "Does {{ app_helm_charts_install_directory }} exist and contain Helm Charts" - find: - paths: "{{ app_helm_charts_install_directory }}" - recurse: yes - delegate_to: localhost - register: charts_files - - name: Set install active fact - set_fact: - install_needed: "{{ true if charts_files.matched | int > 0 else false }}" - when: phase == "pre-install" - -- include_tasks: "{{ phase }}.yml" - when: install_needed - -- debug: - msg: "Install needed {{ install_needed }}" diff --git a/ansible/roles/application-override/tasks/main.yml b/ansible/roles/application-override/tasks/main.yml new file mode 100644 index 00000000..1ecf7c79 --- /dev/null +++ b/ansible/roles/application-override/tasks/main.yml @@ -0,0 +1,16 @@ +--- +# Role for generating Helm override.yml file +- name: Register root certificate + slurp: + src: "{{ playbook_dir }}/certs/rootCA.crt" + register: root_cert + delegate_to: localhost + +- name: "Set root ca certificate" + set_fact: + merged_overrides: "{{ overrides | default({}) | combine({'global': {'cacert': root_cert.content | b64decode}}, recursive=True) }}" + +- name: "Create {{ app_helm_override_file }}" + copy: + dest: "{{ app_helm_override_file }}" + content: "{{ merged_overrides | to_nice_yaml }}" diff --git a/ansible/roles/application/defaults/main.yml b/ansible/roles/application/defaults/main.yml new file mode 100644 index 00000000..dec17601 --- /dev/null +++ b/ansible/roles/application/defaults/main.yml 
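Review bot: The `copy` task that writes `{{ app_helm_override_file }}` in `application-override/tasks/main.yml` sets no `mode`, so the file's permissions depend on the remote umask. Its content is `merged_overrides`, which merges the caller's `overrides` with the CA certificate; if those overrides carry credentials or other Helm values that should stay private (not visible in this diff), the file should not be readable by other users. I would add `mode: "0600"` to the task. A comment above `set_fact` noting that `global.cacert` always replaces a caller-supplied value, because it is the right-hand side of `combine`, would also help the next reader.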
@@ -0,0 +1,11 @@ +--- +helm_repository_name: local +helm_repository_url: http://127.0.0.1:8879 +# Override file generation for Helm application can be customized by any role +# given by user and found by ansible from roles_path. +# By default override file is generated by 'application-override' role that is +# specific for offline installer (for onap) as it's generating server +# certificate needed to simulate internet by offline installer. +app_skip_helm_override: false +app_helm_override_role: application-override +app_helm_override_file: "{{ app_data_path }}/override.yaml" diff --git a/ansible/roles/application-install/tasks/custom_role.yml b/ansible/roles/application/tasks/custom_role.yml index 3c6237e3..f0b9a84f 100644 --- a/ansible/roles/application-install/tasks/custom_role.yml +++ b/ansible/roles/application/tasks/custom_role.yml @@ -1,9 +1,8 @@ --- # Caller fills application_custom_role variable with actual role name. -- name: "Execute custom role {{ application_custom_role }} {{ phase }} Helm install." +- name: "Execute custom role {{ application_custom_role }} for Helm install." include_role: name: "{{ application_custom_role }}" when: - application_custom_role is defined - application_custom_role is not none - - application_custom_role | trim != '' diff --git a/ansible/roles/application/tasks/install.yml b/ansible/roles/application/tasks/install.yml new file mode 100644 index 00000000..103ecc8b --- /dev/null +++ b/ansible/roles/application/tasks/install.yml 
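Review bot: Removing the `application_custom_role | trim != ''` condition from `custom_role.yml` leaves nothing to stop `include_role` from being called with an empty role name. The pre-install and post-install task files in this same commit pass `application_pre_install_role | default('')` and `application_post_install_role | default('')`, and an empty string is both defined and not none, so when no custom role is configured the include appears to run with `name: ""`. I would keep the third condition, `- application_custom_role | trim != ''`, alongside the new defaults.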
@@ -0,0 +1,77 @@ +--- +- name: Helm init and upgrade + command: | + {{ helm_bin_dir }}/helm init + --upgrade + --skip-refresh + changed_when: true # init is always changed type of action + +# A correct way to implement this would be using --wait option in helm init invocation. +# However, it does not work due to https://github.com/helm/helm/issues/4031 (fixed in newer helm release) +- name: "Wait for helm upgrade to finish" + command: "{{ helm_bin_dir }}/helm version --tiller-connection-timeout 10" + register: result + until: result.rc == 0 + delay: 10 + retries: 12 + changed_when: false # for idempotency + +- name: Get all helm repos + command: "{{ helm_bin_dir }}/helm repo list" + register: repos + changed_when: false # for idempotency + +- name: Remove stable repo + command: "{{ helm_bin_dir }}/helm repo remove stable" + changed_when: true # when executed its a changed type of action + when: "'stable' in repos.stdout" + +- name: Helm Serve + shell: "{{ helm_bin_dir }}/helm serve &" + async: 45 + poll: 3 # wait 3sec to get a chance for some stderr + register: helm_serve + changed_when: "'address already in use' not in helm_serve.stderr" + +- name: List helm repos + command: "{{ helm_bin_dir }}/helm repo list" + register: helm_repo_list + changed_when: false # for idempotency + failed_when: + - helm_repo_list.rc > 0 + - "'Error: no repositories to show' not in helm_repo_list.stderr" + +- name: Helm Add Repo + command: "{{ helm_bin_dir }}/helm repo add {{ helm_repository_name | mandatory }} {{ helm_repository_url | mandatory }}" + when: "'local' not in helm_repo_list.stdout" + changed_when: true # when executed its a changed type of action + +- name: Build local helm repository + make: + chdir: "{{ app_helm_charts_infra_directory }}" + target: "{{ item }}" + loop: "{{ app_helm_build_targets }}" + environment: + PATH: "{{ helm_bin_dir }}:{{ ansible_env.PATH }}" + +- name: Generate Helm application override file with custom role + include_role: + name: "{{ 
app_helm_override_role }}" + when: not app_skip_helm_override + +- name: Check for deploy plugin presence + stat: + path: '{{ helm_home_dir.stdout }}/plugins/deploy/deploy.sh' + register: deploy_plugin_presence + +- name: "Helm Install application {{ app_name }}" + command: > + {{ helm_bin_dir }}/helm + {{ 'deploy' if deploy_plugin_presence.stat.exists else 'install --name' }} + {{ app_helm_release_name }} + {{ helm_repository_name }}/{{ app_helm_chart_name }} + --namespace {{ app_kubernetes_namespace }} + {{ '' if app_skip_helm_override else '-f ' + app_helm_override_file }} + changed_when: true # when executed its a changed type of action + register: helm_install + failed_when: helm_install.stderr diff --git a/ansible/roles/application/tasks/main.yml b/ansible/roles/application/tasks/main.yml new file mode 100644 index 00000000..3018e95f --- /dev/null +++ b/ansible/roles/application/tasks/main.yml @@ -0,0 +1,24 @@ +--- +- name: Check if application Helm charts exist and install is even needed + block: + - name: "Does {{ app_helm_charts_install_directory }} directory exist and contain Helm Charts" + find: + paths: "{{ app_helm_charts_install_directory }}" + recurse: true + delegate_to: localhost + register: charts_files + - name: Set install active fact + set_fact: + install_needed: "{{ true if charts_files.matched | int > 0 else false }}" + +- name: Install app with Helm charts + block: + - include_tasks: transfer-helm-charts.yml + - include_tasks: pre-install.yml + - include_tasks: install.yml + - include_tasks: post-install.yml + when: install_needed + +- debug: + msg: "NOTE, nothing done as application Helm charts does not exist!" + when: not install_needed diff --git a/ansible/roles/application-install/tasks/post-install.yml b/ansible/roles/application/tasks/post-install.yml index 10594233..5464cb46 100644 --- a/ansible/roles/application-install/tasks/post-install.yml +++ b/ansible/roles/application/tasks/post-install.yml 
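Review bot: `failed_when: helm_install.stderr` on the final install task in `application/tasks/install.yml` replaces the default return-code check, so a non-zero exit with empty stderr passes and any warning written to stderr fails the run. `failed_when: helm_install.rc != 0`, or no `failed_when` at all, matches what the task means. Separately, `Helm Add Repo` is guarded by `'local' not in helm_repo_list.stdout`, which hard-codes the default of `helm_repository_name` and is a substring test over the whole listing; testing for `helm_repository_name` instead keeps the guard correct when the default is overridden.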
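Review bot: The `find` task in `application/tasks/main.yml` runs on localhost with `paths: "{{ app_helm_charts_install_directory }}"`, and this commit changes that variable's default to the relative `application/helm_charts`. The find module documents its paths as fully qualified, and a path it cannot resolve appears to be skipped rather than failed, so `matched` would be 0 and the play would end with the "nothing done" debug message instead of an error. If the value is meant to stay relative, `paths: "{{ playbook_dir }}/{{ app_helm_charts_install_directory }}"` removes the dependence on the working directory. How the other consumers of the variable resolve it is not visible in this diff.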
@@ -2,4 +2,4 @@ - name: "Execute custome role {{ application_post_install_role }} if defined." include_tasks: custom_role.yml vars: - application_custom_role: "{{ application_post_install_role }}" + application_custom_role: "{{ application_post_install_role | default('') }}" diff --git a/ansible/roles/application/tasks/pre-install.yml b/ansible/roles/application/tasks/pre-install.yml new file mode 100644 index 00000000..74f1548f --- /dev/null +++ b/ansible/roles/application/tasks/pre-install.yml @@ -0,0 +1,5 @@ +--- +- name: "Execute custom role {{ application_pre_install_role }} if defined." + include_tasks: custom_role.yml + vars: + application_custom_role: "{{ application_pre_install_role | default('') }}" diff --git a/ansible/roles/application-install/tasks/pre-install.yml b/ansible/roles/application/tasks/transfer-helm-charts.yml index bf6619b0..0cd7c02f 100644 --- a/ansible/roles/application-install/tasks/pre-install.yml +++ b/ansible/roles/application/tasks/transfer-helm-charts.yml @@ -38,14 +38,7 @@ copy: src: "{{ item.path }}" dest: "{{ helm_home_dir.stdout }}/plugins" - directory_mode: yes + directory_mode: true mode: 0755 with_items: "{{ list_of_plugins.files }}" - become: true when: app_helm_plugins_directory is defined and app_helm_plugins_directory is not none - -- name: "Execute custom role {{ application_pre_install_role }} if defined." - include_tasks: custom_role.yml - vars: - application_custom_role: "{{ application_pre_install_role }}" - diff --git a/ansible/roles/certificates/handlers/main.yml b/ansible/roles/certificates/handlers/main.yml new file mode 100644 index 00000000..b2b81223 --- /dev/null +++ b/ansible/roles/certificates/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Extract root certificate + command: /usr/bin/update-ca-trust extract + changed_when: true # this handler is executed just when there is a new cert + notify: Restart Docker 
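Review bot: `directory_mode: true` in `transfer-helm-charts.yml` passes a boolean where the copy module expects a permission mode for the directories it creates, so the plugin directories under `{{ helm_home_dir.stdout }}/plugins` get no defined mode from this task. I would write `directory_mode: "0755"` and quote the neighbouring value as `mode: "0755"`, the form the module documentation recommends. The same hunk removes `become: true`. Whether the task can still write into the helm home without it is not visible here, because the task starts above the hunk.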
diff --git a/ansible/roles/certificates/tasks/upload_root_ca.yml b/ansible/roles/certificates/tasks/upload_root_ca.yml index b2f1f945..b918187d 100644 --- a/ansible/roles/certificates/tasks/upload_root_ca.yml +++ b/ansible/roles/certificates/tasks/upload_root_ca.yml @@ -3,10 +3,5 @@ copy: src: "{{ certificates_local_dir }}/rootCA.crt" dest: /etc/pki/ca-trust/source/anchors/ - register: copycert - notify: Restart Docker - -- name: Extract root certificate - command: /usr/bin/update-ca-trust extract - when: copycert.changed - notify: Restart Docker + notify: # handler is triggered just when file is changed + - Extract root certificate diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml index 16b7002f..de740df2 100644 --- a/ansible/roles/docker/tasks/main.yml +++ b/ansible/roles/docker/tasks/main.yml @@ -11,6 +11,11 @@ name: 'python2-docker' state: present +- name: Install python jsonpointer module + package: + name: 'python-jsonpointer' + state: present + - name: Ensure /etc/docker exists file: path: /etc/docker diff --git a/ansible/roles/firewall/tasks/firewall-disable.yml b/ansible/roles/firewall/tasks/firewall-disable.yml index f406d943..5f1ab537 100644 --- a/ansible/roles/firewall/tasks/firewall-disable.yml +++ b/ansible/roles/firewall/tasks/firewall-disable.yml @@ -13,3 +13,4 @@ - name: Flush iptables iptables: flush: true + changed_when: false # for idempotence diff --git a/ansible/roles/nexus/tasks/insert-images.yml b/ansible/roles/nexus/tasks/insert-images.yml index f71d6990..6c283330 100644 --- a/ansible/roles/nexus/tasks/insert-images.yml +++ b/ansible/roles/nexus/tasks/insert-images.yml @@ -1,7 +1,8 @@ --- - name: Load docker images and push into registry block: - - set_fact: + - name: Register component name for docker login/load + set_fact: component: "{{ (item.path | basename | splitext)[0] }}" - name: Docker login 
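Review bot: Moving `update-ca-trust extract` into a handler in `upload_root_ca.yml` defers it until handlers are flushed, so anything later in the same play that needs the new root CA trusted would run before the trust store is rebuilt. Whether such a task exists is not visible in this diff; if it does, a `- meta: flush_handlers` directly after the copy task restores the previous immediate behaviour. The copy task also sets no `owner` or `mode` on the file it places in `/etc/pki/ca-trust/source/anchors/`, and stating `owner: root` and `mode: "0644"` would make the trust anchor's permissions explicit. The task begins above the hunk.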
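Review bot: `changed_when: false` on `Flush iptables` in `firewall-disable.yml` does not make the task idempotent; it only stops the run from reporting that the host's firewall rules were flushed. For a task that removes packet filtering I would keep the change visible in the play recap. If it must stay hidden, the comment should say so, for example `# always reports ok; the flush itself still runs on every play`. The task starts above the hunk.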
diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2 index ff9d2a9c..9860a168 100644 --- a/ansible/roles/nginx/templates/nginx.conf.j2 +++ b/ansible/roles/nginx/templates/nginx.conf.j2 @@ -5,6 +5,7 @@ events { } http { + server_names_hash_bucket_size 64; error_log /var/log/nginx/error.log debug; access_log /var/log/nginx/access.log; diff --git a/ansible/roles/resource-data/tasks/main.yml b/ansible/roles/resource-data/tasks/main.yml index 41046d81..023a160e 100644 --- a/ansible/roles/resource-data/tasks/main.yml +++ b/ansible/roles/resource-data/tasks/main.yml 
@@ -3,23 +3,34 @@ block: - name: Check if source dir and files are present stat: - path: "{{ item.source }}" + path: "{{ item.source_dir }}/{{ item.source_filename }}" get_checksum: false loop: - - { source: "{{ resources_dir }}/{{ resources_filename | default('thisdoesnotexists', true) }}", - target: "{{ app_data_path }}/{{ resources_filename | default('thisdoesnotexists', true) }}" } - - { source: "{{ resources_dir }}/{{ aux_resources_filename | default('thisdoesnotexists', true) }}", - target: "{{ aux_data_path }}/{{ aux_resources_filename | default('thisdoesnotexists', true) }}" } + - { source_dir: "{{ resources_dir | default('', true) }}", + source_filename: "{{ resources_filename | default('', true) }}", + target_dir: "{{ app_data_path | default('', true) }}", + target_filename: "{{ resources_filename | default('', true) }}" } + + - { source_dir: "{{ resources_dir | default('', true) }}", + source_filename: "{{ aux_resources_filename | default('', true) }}", + target_dir: "{{ aux_data_path | default('', true) }}", + target_filename: "{{ aux_resources_filename | default('', true) }}" } register: source_path + when: + - item.source_dir | length > 0 + - item.source_filename | length > 0 + - item.target_dir | length > 0 + - item.target_filename | length > 0 - name: Create initial resources list of dicts set_fact: to_be_uploaded_resources_list: "{{ to_be_uploaded_resources_list | default([]) + [ - {'file': item.item.target | basename, - 'destination_dir': item.item.target | dirname } ] }}" + {'file': item.item.target_filename, + 'destination_dir': item.item.target_dir } ] }}" loop: "{{ source_path.results }}" - when: item.stat.exists + when: item.stat is defined + failed_when: not item.stat.exists when: inventory_hostname in groups.resources - name: "Upload resource files {{ hostvars[groups.resources.0].to_be_uploaded_resources_list }} to infrastructure" 
diff --git a/ansible/roles/resource-data/tasks/unarchive-nfs-resource.yml b/ansible/roles/resource-data/tasks/unarchive-nfs-resource.yml index 9f9d92d0..bbf99321 100644 --- a/ansible/roles/resource-data/tasks/unarchive-nfs-resource.yml +++ b/ansible/roles/resource-data/tasks/unarchive-nfs-resource.yml @@ -16,7 +16,8 @@ fstype: nfs state: mounted - - name: "Unarchive resource {{ resources_dir }}/{{ resource_source_filename }} to {{ resource_destination_directory }} dir on infrastructure servers over nfs" + - name: "Unarchive resource {{ resources_dir }}/{{ resource_source_filename }} \ + to {{ resource_destination_directory }} dir on infrastructure servers over nfs" unarchive: src: "/tmp/resource_data/{{ resource_source_filename }}" dest: "{{ resource_destination_directory }}" diff --git a/ansible/roles/resource-data/tasks/unarchive-resource.yml b/ansible/roles/resource-data/tasks/unarchive-resource.yml index 79fdbfce..9097ddc8 100644 --- a/ansible/roles/resource-data/tasks/unarchive-resource.yml +++ b/ansible/roles/resource-data/tasks/unarchive-resource.yml @@ -34,7 +34,9 @@ - name: "Unarchive resource {{ resource_source_filename }} from host {{ resources_source_host }}, transport is {{ transport }}" include_tasks: "unarchive-{{ transport }}-resource.yml" - - file: + + - name: "Generate flag file after resources are deployed on infra" + file: path: "{{ resource_destination_directory }}/{{ resource_source_filename }}-uploaded" state: touch rescue: @@ -51,5 +53,6 @@ with_items: "{{ files_after_fail.files | difference(original_files.files) }}" when: files_after_fail is defined - - fail: + - name: "Report failure of upload operation" + fail: msg: "Upload of {{ resource_source_filename }} failed" diff --git a/ansible/roles/resource-data/tasks/unarchive-ssh-resource.yml b/ansible/roles/resource-data/tasks/unarchive-ssh-resource.yml index 1385ba55..bd578ae3 100644 --- a/ansible/roles/resource-data/tasks/unarchive-ssh-resource.yml 
+++ b/ansible/roles/resource-data/tasks/unarchive-ssh-resource.yml @@ -29,7 +29,8 @@ set_fact: tar_extract_options: "{{ '-xzf' if compressed.rc == 0 else '-xf' }}" - - name: "Unarchive resource {{ resources_dir }}/{{ resource_source_filename }} to {{ resource_destination_directory }} dir on infrastructure servers over ssh" + - name: "Unarchive resource {{ resources_dir }}/{{ resource_source_filename }} \ + to {{ resource_destination_directory }} dir on infrastructure servers over ssh" shell: > ssh -o StrictHostKeyChecking=no -o BatchMode=yes -i /root/.ssh/infra_to_resource.privkey |