Diffstat (limited to 'ansible/roles/ansible-vvp-bootstrap/tasks')
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml103
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/main.yml183
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml137
-rwxr-xr-xansible/roles/ansible-vvp-bootstrap/tasks/tls.yml150
4 files changed, 573 insertions, 0 deletions
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
new file mode 100755
index 0000000..48dad1c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
@@ -0,0 +1,103 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: Install nf_conntrack_tftp
+ modprobe:
+ name: nf_conntrack_tftp
+ state: present
+
+- name: Copy our pxe client
+ copy: src=iceundionly.kpxe dest="{{files_dir}}/iceundionly.kpxe"
+ when: pxe_chainload
+
+- name: Create DNSMASQ leases file
+ file: path="{{files_dir}}/leases" mode=0644 state=touch
+
+- name: DROP DNS, tftp requests from public
+ shell: iptables -I INPUT 1 -p udp --dport {{item}} -i {{ops_public_interface}} -j DROP
+ with_items:
+ - 53
+ - 69
+
+- name: DROP DNS, tftp requests to public
+ shell: iptables -I OUTPUT 1 -p udp --sport {{item}} -o {{ops_public_interface}} -j DROP
+ with_items:
+ - 53
+ - 69
+
+- name: Allow Inbound UDP DHCP Requests
+ shell: iptables -A INPUT -p udp --dport {{item}} -j ACCEPT
+ with_items:
+ - 53
+ - 67:69
+
+- name: Allow Outbound UDP DNS, DHCP
+ shell: iptables -A OUTPUT -p udp --sport {{item}} -j ACCEPT
+ with_items:
+ - 53
+ - 67:69
+
+- name: Allow TFTP file transfers on arbitrary ports.
+ shell: 'iptables -A OUTPUT -p udp -o {{ ops_management_interface }} --sport 1023: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Allow TFTP file transfers on arbitrary ports.
+ shell: 'iptables -A INPUT -p udp -i {{ops_management_interface}} --dport 1023: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Render DNSMASQ configuration
+ template:
+ src: dnsmasq.conf.j2
+ dest: "{{files_dir}}/dnsmasq.conf"
+
+- name: Is dnsmasq already running?
+ shell: docker ps | grep dnsmasq | awk '{ print $1 }'
+ register: dnsmasq_id
+
+- name: Kill dnsmasq!
+ shell: docker kill "{{dnsmasq_id.stdout}}"
+ when: dnsmasq_id.stdout != ""
+
+- name: Start DNSMASQ
+ command: "docker run -d
+ --net=host
+ --cap-add=NET_ADMIN
+ -v {{files_dir}}/leases:/var/lib/misc/dnsmasq.leases:Z
+ -v {{files_dir}}/dnsmasq.conf:/etc/dnsmasq.conf:Z
+{% if pxe_chainload %}
+ -v {{files_dir}}/iceundionly.kpxe:/var/lib/tftpboot/iceundionly.kpxe:Z
+{% endif %}
+ quay.io/coreos/dnsmasq -d -q"
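Review bot: The "Allow Inbound UDP DHCP Requests" task accepts udp 67:69 on every interface, while the two DROP tasks above it only cover ports 53 and 69 on `{{ops_public_interface}}`, so DHCP (67/68) remains reachable from the public side. Binding the accept to the management interface closes that gap: `shell: iptables -A INPUT -p udp -i {{ops_management_interface}} --dport {{item}} -j ACCEPT`, with the matching `-o {{ops_management_interface}}` on the OUTPUT rule. Once the accepts are interface-bound the public-interface DROP rules become defence in depth rather than the only thing keeping these services off the public interface. Nothing in this hunk persists the rules; if re-applying them on each run is the intent, a comment on the first iptables task saying so would save the next reader from guessing.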
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
new file mode 100755
index 0000000..48b545e
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
@@ -0,0 +1,183 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+- name: install packages
+ yum:
+ name: "{{ item }}"
+ state: present
+ with_items:
+ - docker
+ tags:
+ - bootstrap
+
+- name: Is our management IP set?
+ shell: "ip addr show {{ops_management_interface}} | grep {{ops_management_ip}}"
+ register: mgmt_ip
+ tags:
+ - bootstrap
+ ignore_errors: True
+
+- name: Set interface address
+ command: ip addr add {{ops_management_ip}}/24 dev {{ops_management_interface}}
+ when: mgmt_ip.stdout == ""
+ tags:
+ - bootstrap
+
+- name: Temporarily allow all INPUT
+ shell: iptables -P INPUT ACCEPT
+ tags:
+ - always
+
+- name: Temporarily allow all OUTPUT
+ shell: iptables -P OUTPUT ACCEPT
+ tags:
+ - always
+
+- name: Flush all IPTables Rules (non nat)
+ shell: iptables -F
+ tags:
+ - always
+
+- name: Allow SSH for development environments
+ shell: iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
+ when: ice_environment == "development"
+ tags:
+ - always
+
+- name: Allow SSH out for development environments
+ shell: iptables -A OUTPUT -p tcp -o eth0 --sport 22 -j ACCEPT
+ when: ice_environment == "development"
+ tags:
+ - always
+
+- name: Allow SSH out for development environments
+ shell: iptables -A OUTPUT -p tcp -o {{ops_management_interface}} --sport 22 -j ACCEPT
+ when: ice_environment != "development"
+ tags:
+ - always
+
+- name: Allow SSH for non-development environments
+ shell: iptables -A INPUT -p tcp -i {{ops_management_interface}} --dport 22 -j ACCEPT
+ when: ice_environment != "development"
+ tags:
+ - always
+
+- name: Allow Outbound UDP DNS
+ shell: iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+- name: Allow Inbound UDP DNS replies
+ shell: iptables -A INPUT -p udp --sport 53 -j ACCEPT
+
+- name: Allow Outbound Web Requests
+ shell: iptables -A OUTPUT -p tcp --dport {{item}} -j ACCEPT
+ with_items:
+ - 443
+ - 80
+
+- name: Allow Inbound Web Replies
+ shell: iptables -A INPUT -p tcp --sport {{item}} -m state --state ESTABLISHED,RELATED -j ACCEPT
+ with_items:
+ - 443
+ - 80
+- name: Drop INPUT
+ shell: iptables -P INPUT DROP
+ tags:
+ - always
+
+- name: Drop OUTPUT
+ shell: iptables -P OUTPUT DROP
+ tags:
+ - always
+
+- name: Drop FORWARD
+ shell: iptables -P FORWARD DROP
+ tags:
+ - always
+
+- name: set additional interfaces ip
+ command: ip addr add {{item.value}} dev {{item.key}}
+ when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+ with_dict: "{{ additional_interfaces }}"
+
+- name: Bring additional interfaces up
+ command: ifup {{item.key}}
+ when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+ with_dict: "{{ additional_interfaces }}"
+
+- name: Add self to resolv.conf
+ lineinfile:
+ dest: /etc/resolv.conf
+ line: "nameserver {{ops_management_ip}}"
+ insertbefore: BOF
+
+- name: start docker
+ command: systemctl restart docker
+ tags:
+ - always
+
+- name: Disable Forwarding
+ command: "echo 0 > /proc/sys/net/ipv4/ip_forward"
+ tags:
+ - bootstrap
+
+#########################
+# FILESYSTEM
+#
+- name: Create files DIR
+ file: state=directory path="{{files_dir}}" mode=0755
+ tags:
+ - bootstrap
+ - tls
+
+- include: matchbox.yml
+ tags:
+ - bootstrap
+ - matchbox
+
+
+- include: tls.yml
+ tags:
+ - bootstrap
+ - tls
+
+- include: dnsmasq.yml
+ tags:
+ - bootstrap
+ - dnsmasq
+
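Review bot: "Disable Forwarding" runs `echo 0 > /proc/sys/net/ipv4/ip_forward` through the `command` module, which does not invoke a shell, so the `>` and the path are passed to echo as arguments and ip_forward is never written; use the sysctl module instead, `sysctl: name=net.ipv4.ip_forward value=0 sysctl_set=yes`, which is also idempotent across reboots. The task is ordered after "start docker", which is worth a comment if that ordering is deliberate, since I cannot tell from the hunk whether the daemon re-enables forwarding. Separately, "Allow Inbound UDP DNS replies" accepts any UDP datagram with source port 53 to any local port with no state match, unlike the web-replies rule a few tasks later that carries `-m state --state ESTABLISHED,RELATED`; the DNS rule should use the same match, `shell: iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT`. The "Allow SSH out for development environments" name is reused for the non-development OUTPUT task at the same position, which makes the play output misleading.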
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml
new file mode 100755
index 0000000..7e4ea87
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml
@@ -0,0 +1,137 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: Create assets directory
+ file: path="{{coreos_assets_dir}}" state=directory mode="0755"
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Download PXE image
+ get_url: url="http://{{coreos_channel}}.release.core-os.net/amd64-usr/{{coreos_version}}/{{item}}" dest="{{coreos_assets_dir}}/{{item}}"
+ with_items:
+ - "coreos_production_pxe.vmlinuz"
+ - "coreos_production_pxe.vmlinuz.sig"
+ - "coreos_production_pxe_image.cpio.gz"
+ - "coreos_production_pxe_image.cpio.gz.sig"
+ - "coreos_production_image.bin.bz2"
+ - "coreos_production_image.bin.bz2.sig"
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Retrieve the signing key
+ get_url: url="https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc" dest="{{coreos_assets_dir}}/CoreOS_Image_Signing_Key.asc"
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Import signing key
+ command: "gpg --import {{coreos_assets_dir}}/CoreOS_Image_Signing_Key.asc"
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Adding trust for CoreOS Signing key
+ command: 'echo "04126D0BFABEC8871FFB2CCE50E0885593D2DCB4:6:" | gpg --import-ownertrust'
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Verifying vmlinuz
+ command: "gpg --verify {{coreos_assets_dir}}/{{item}}"
+ with_items:
+ - "coreos_production_pxe.vmlinuz.sig"
+ - "coreos_production_pxe_image.cpio.gz.sig"
+ tags:
+ - bootstrap
+ - matchbox
+
+
+- name: Create matchbox directory
+ file: path="{{matchbox_dir}}" state=directory mode=0754
+ tags:
+ - bootstrap
+ - matchbox
+
+- name: Create groups, profiles and ignition directories
+ file: path="{{matchbox_dir}}/{{item}}" state=directory mode=0754
+ with_items:
+ - groups
+ - profiles
+ - ignition
+
+- name: matchbox k7 groups templates
+ template:
+ src: "groups/group.json.j2"
+ dest: "{{matchbox_dir}}/groups/{{item.name}}.json"
+ with_items: "{{hosts}}"
+ when: item.os == "coreos"
+
+- name: Allow Inbound 8080 web requests
+ shell: iptables -A INPUT -p udp --dport 8080 -i {{ops_management_interface}} -j ACCEPT
+
+- name: Allow Outbound 8080 web replies
+ shell: iptables -A OUTPUT -p udp --sport 8080 -o {{ops_management_interface}} -j ACCEPT
+
+- name: Create TLS assets directory
+ file: path="{{assets_dir}}/tls" state=directory mode=643
+
+- name: matchbox k8 other templates
+ template:
+ src: "{{item}}.j2"
+ dest: "{{matchbox_dir}}/{{item}}"
+ with_items:
+ - groups/install.json
+ - profiles/controller.json
+ - profiles/worker.json
+ - profiles/install-reboot.json
+ - ignition/controller.yaml
+ - ignition/coreos-install.yaml
+ - ignition/worker.yaml
+
+- name: Is matchbox already running?
+ shell: docker ps | grep matchbox | awk '{ print $1 }'
+ register: matchbox_id
+
+- name: Kill matchbox!
+ shell: docker kill {{matchbox_id.stdout}}
+ when: matchbox_id.stdout != ""
+
+- name: matchbox docker
+ command: docker run -d -p {{ops_management_ip}}:8080:8080 -v {{assets_dir}}:/assets:Z -v {{matchbox_dir}}:/var/lib/matchbox:Z quay.io/coreos/matchbox:v0.5.0 -address=0.0.0.0:8080 -log-level=debug -assets-path=/assets
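Review bot: "Adding trust for CoreOS Signing key" pipes echo into `gpg --import-ownertrust` under the `command` module, which runs no shell, so the `|` and everything after it become arguments to echo and the ownertrust line is never imported; change that task to `shell:`. "Verifying vmlinuz" checks only the two PXE signatures although `coreos_production_image.bin.bz2.sig` is downloaded as well, so the install image handed to nodes is never verified — add `- "coreos_production_image.bin.bz2.sig"` to that with_items. The downloads are over plain http, which is acceptable only because of the signature step, which is why that gap matters. The two 8080 accept rules use `-p udp` while the matchbox container serves HTTP on tcp 8080 (`-p {{ops_management_ip}}:8080:8080`, `-address=0.0.0.0:8080`), so they should read `-p tcp`. "Create TLS assets directory" sets `mode=643` on a directory (no owner execute bit) and duplicates the `0755` creation of the same path in tls.yml; one of the two should go.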
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml
new file mode 100755
index 0000000..e0346cf
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml
@@ -0,0 +1,150 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: create TLS dir
+ file:
+ state: directory
+ path: "{{files_dir}}/tls"
+ mode: 0755
+ tags:
+ - bootstrap
+ - tls
+
+- name: create TLS dir
+ file:
+ state: directory
+ path: "{{assets_dir}}/tls"
+ mode: 0755
+ tags:
+ - bootstrap
+ - tls
+
+- stat: path="{{files_dir}}/tls/ca-key.pem"
+ register: ca_key
+
+- name: create root CA
+ shell: openssl genrsa -out {{files_dir}}/tls/ca-key.pem 2048
+ when: not ca_key.stat.exists
+
+- stat: path="{{files_dir}}/tls/ca.pem"
+ register: ca
+
+- name: create self signed cert
+ shell: openssl req -x509 -new -nodes -key {{files_dir}}/tls/ca-key.pem -days 10000 -out {{files_dir}}/tls/ca.pem -subj "/CN=kube-ca"
+ when: not ca.stat.exists
+
+- name: Generate Config File
+ template:
+ src: openssl.config.j2
+ dest: "{{files_dir}}/tls/{{item}}-openssl.config"
+ with_items:
+ - admin
+ - apiserver
+ - worker
+
+- stat: path={{files_dir}}/tls/{{item}}-key.pem
+ register: keyfiles
+ with_items:
+ - admin
+ - apiserver
+ - worker
+
+- name: create keyfile
+ shell: openssl genrsa -out {{files_dir}}/tls/{{item.item}}-key.pem 2048
+ with_items: "{{keyfiles.results}}"
+ when: not item.stat.exists
+
+- stat: path={{files_dir}}/tls/{{item}}.csr
+ register: csr_files
+ with_items:
+ - admin
+ - apiserver
+ - worker
+
+- name: Create csr
+ shell: openssl req -new -key {{files_dir}}/tls/{{item.item}}-key.pem -out {{files_dir}}/tls/{{item.item}}.csr -subj "/CN=kube-{{item.item}}" -config {{files_dir}}/tls/{{item.item}}-openssl.config
+ with_items: "{{csr_files.results}}"
+ when: not item.stat.exists
+
+- stat: path={{files_dir}}/tls/{{item}}.pem
+ register: pem_files
+ with_items:
+ - admin
+ - apiserver
+ - worker
+
+- name: Create pemfile
+ shell: openssl x509 -req -in {{files_dir}}/tls/{{item.item}}.csr -CA {{files_dir}}/tls/ca.pem -CAkey {{files_dir}}/tls/ca-key.pem -CAcreateserial -out {{files_dir}}/tls/{{item.item}}.pem -days 365 -extensions v3_req -extfile {{files_dir}}/tls/{{item.item}}-openssl.config
+ with_items: "{{pem_files.results}}"
+ when: not item.stat.exists
+
+- name: Copy tls related files to assets
+ copy:
+ src: "{{files_dir}}/{{item}}"
+ dest: "{{assets_dir}}/{{item}}"
+ remote_src: yes
+ backup: yes
+ with_items:
+ - tls/apiserver-key.pem
+ - tls/apiserver.pem
+ - tls/ca.pem
+ - tls/worker-key.pem
+ - tls/worker.pem
+
+- name: Encode Admin Cert
+ shell: base64 -w 0 {{files_dir}}/tls/admin.pem
+ register: ADMIN_CERT_BASE64
+
+- name: Encode Admin Key
+ shell: base64 -w 0 {{files_dir}}/tls/admin-key.pem
+ register: ADMIN_KEY_BASE64
+
+- name: Encode CA Cert
+ shell: base64 -w 0 {{files_dir}}/tls/ca.pem
+ register: CA_CERT_BASE64
+
+- name: Render kubeconfig
+ template:
+ src: kubeconfig.j2
+ dest: "{{files_dir}}/kubeconfig"
+
+- name: Fetch the new kubeconfig
+ fetch:
+ src: "{{files_dir}}/kubeconfig"
+ dest: "{{inventory_dir}}/../k8/"
+ flat: yes
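Review bot: The private keys written by `openssl genrsa` in "create root CA" and "create keyfile" keep whatever mode the umask gives, and nothing in the hunk tightens them before they are copied; add a `file: path="{{files_dir}}/tls/{{item.item}}-key.pem" mode=0600` step after each genrsa task (and the same for `ca-key.pem`). The three "Encode …" tasks register the base64-encoded admin key and certs without `no_log: true`, so the key material lands in verbose playbook output and any log collector; add `no_log: true` to each. "Copy tls related files to assets" places `apiserver-key.pem` and `worker-key.pem` under `{{assets_dir}}`, which matchbox.yml mounts as the container's `/assets` and passes as `-assets-path`; if matchbox serves that directory over its 8080 HTTP endpoint, as the flag name suggests, those keys are readable by anything on the management network, so a comment stating that this is the intended trust boundary (or a move of the keys out of the served tree) is warranted. `backup: yes` on that copy task also leaves dated copies of superseded keys in the assets tree.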