From f52ddcb67f75aeb6bd72fecfd4a133ae1eb56666 Mon Sep 17 00:00:00 2001
From: Paul McGoldrick <paul.mcgoldrick@att.com>
Date: Thu, 28 Sep 2017 10:03:38 -0700
Subject: initial seed code commit VVP-3

Change-Id: I6c9fede9b75ebaf1bcba2ad14f09f021fea63d21
Signed-off-by: Paul McGoldrick <paul.mcgoldrick@att.com>
---
 .../roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml  | 103 ++++++++++++
 ansible/roles/ansible-vvp-bootstrap/tasks/main.yml | 183 +++++++++++++++++++++
 .../roles/ansible-vvp-bootstrap/tasks/matchbox.yml | 137 +++++++++++++++
 ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml  | 150 +++++++++++++++++
 4 files changed, 573 insertions(+)
 create mode 100755 ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
 create mode 100755 ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
 create mode 100755 ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml
 create mode 100755 ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml

(limited to 'ansible/roles/ansible-vvp-bootstrap/tasks')

diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
new file mode 100755
index 0000000..48dad1c
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/dnsmasq.yml
@@ -0,0 +1,103 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: Install nf_conntrack_tftp
+  modprobe:
+    name: nf_conntrack_tftp
+    state: present
+
+- name: Copy our pxe client
+  copy: src=iceundionly.kpxe dest="{{files_dir}}/iceundionly.kpxe"
+  when: pxe_chainload
+
+- name: Create DNSMASQ leases file
+  file: path="{{files_dir}}/leases" mode=0644 state=touch
+
+- name: DROP DNS, tftp requests from public
+  shell: iptables -I INPUT 1 -p udp --dport {{item}} -i {{ops_public_interface}} -j DROP
+  with_items:
+  - 53
+  - 69
+
+- name: DROP DNS, tftp requests to public
+  shell: iptables -I OUTPUT 1 -p udp --sport {{item}} -o {{ops_public_interface}} -j DROP
+  with_items:
+  - 53
+  - 69
+
+- name: Allow Inbound UDP DHCP Requests
+  shell: iptables -A INPUT -p udp --dport {{item}} -j ACCEPT
+  with_items:
+  - 53
+  - 67:69
+
+- name: Allow Outbound UDP DNS, DHCP
+  shell: iptables -A OUTPUT -p udp --sport {{item}} -j ACCEPT
+  with_items:
+  - 53
+  - 67:69
+
+- name: Allow TFTP file transfers on arbitrary ports.
+  shell: 'iptables -A OUTPUT -p udp -o {{ ops_management_interface }} --sport 1023: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Allow TFTP file transfers on arbitrary ports.
+  shell: 'iptables -A INPUT -p udp -i {{ops_management_interface}} --dport 1023: -m state --state ESTABLISHED,RELATED -j ACCEPT'
+
+- name: Render DNSMASQ configuration
+  template:
+    src: dnsmasq.conf.j2
+    dest: "{{files_dir}}/dnsmasq.conf"
+
+- name: Is dnsmasq already running?
+  shell: docker ps | grep dnsmasq | awk '{ print $1 }'
+  register: dnsmasq_id
+
+- name: Kill dnsmasq!
+  shell: docker kill "{{dnsmasq_id.stdout}}"
+  when: dnsmasq_id.stdout != ""
+
+- name: Start DNSMASQ
+  command: "docker run -d
+    --net=host
+    --cap-add=NET_ADMIN
+    -v {{files_dir}}/leases:/var/lib/misc/dnsmasq.leases:Z
+    -v {{files_dir}}/dnsmasq.conf:/etc/dnsmasq.conf:Z
+{% if pxe_chainload %}
+    -v {{files_dir}}/iceundionly.kpxe:/var/lib/tftpboot/iceundionly.kpxe:Z
+{% endif %}
+    quay.io/coreos/dnsmasq -d -q"
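Review bot: The `Is dnsmasq already running?` lookup (`docker ps | grep dnsmasq | awk '{ print $1 }'`) matches any running container whose `docker ps` line contains "dnsmasq" and can return several IDs, which `Kill dnsmasq!` then hands to `docker kill` as one quoted argument, so the kill fails as soon as more than one container matches, and a killed container is never removed. Starting the container with a fixed name and addressing it by that name is more robust: add `--name dnsmasq` to the `docker run` in `Start DNSMASQ` and replace the lookup/kill pair with `shell: docker rm -f dnsmasq` plus `ignore_errors: true` (or register `docker ps -aq --filter name=dnsmasq` and check it); the same pattern appears in matchbox.yml in `Is matchbox already running?` / `Kill matchbox!`. Separately, the `Allow Inbound UDP DHCP Requests` and `Allow Outbound UDP DNS, DHCP` rules accept UDP 53 and 67:69 on every interface, while only `ops_public_interface` is explicitly dropped; binding them with `-i {{ops_management_interface}}` / `-o {{ops_management_interface}}` would match the intent the two TFTP rules already express. The multi-line double-quoted `command` in `Start DNSMASQ`, with its `{% if %}` lines at column 0, relies on the loader folding those lines into the scalar; a `>-` folded block scalar with the Jinja lines indented under the key is the conventional way to write it.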
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
new file mode 100755
index 0000000..48b545e
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/main.yml
@@ -0,0 +1,183 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+---
+- name: install packages
+  yum:
+    name: "{{ item }}"
+    state: present
+  with_items:
+  - docker
+  tags:
+  - bootstrap
+
+- name: Is our management IP set?
+  shell: "ip addr show {{ops_management_interface}} | grep {{ops_management_ip}}"
+  register: mgmt_ip
+  tags:
+  - bootstrap
+  ignore_errors: True
+
+- name: Set interface address
+  command: ip addr add {{ops_management_ip}}/24 dev {{ops_management_interface}}
+  when: mgmt_ip.stdout == ""
+  tags:
+  - bootstrap
+
+- name: Temporarily allow all INPUT
+  shell: iptables -P INPUT ACCEPT
+  tags:
+  - always
+
+- name: Temporarily allow all OUTPUT
+  shell: iptables -P OUTPUT ACCEPT
+  tags:
+  - always
+
+- name: Flush all IPTables Rules (non nat)
+  shell: iptables -F
+  tags:
+  - always
+
+- name: Allow SSH for development environments
+  shell: iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
+  when: ice_environment == "development"
+  tags:
+  - always
+
+- name: Allow SSH out for development environments
+  shell: iptables -A OUTPUT -p tcp -o eth0 --sport 22 -j ACCEPT
+  when: ice_environment == "development"
+  tags:
+  - always
+
+- name: Allow SSH out for development environments
+  shell: iptables -A OUTPUT -p tcp -o {{ops_management_interface}} --sport 22 -j ACCEPT
+  when: ice_environment != "development"
+  tags:
+  - always
+
+- name: Allow SSH for non-development environments
+  shell: iptables -A INPUT -p tcp -i {{ops_management_interface}} --dport 22 -j ACCEPT
+  when: ice_environment != "development"
+  tags:
+  - always
+
+- name: Allow Outbound UDP DNS
+  shell: iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
+
+- name: Allow Inbound UDP DNS replies
+  shell: iptables -A INPUT -p udp --sport 53 -j ACCEPT
+
+- name: Allow Outbound Web Requests
+  shell: iptables -A OUTPUT -p tcp --dport {{item}} -j ACCEPT
+  with_items:
+  - 443
+  - 80
+
+- name: Allow Inbound Web Replies
+  shell: iptables -A INPUT -p tcp --sport {{item}} -m state  --state ESTABLISHED,RELATED -j ACCEPT
+  with_items:
+  - 443
+  - 80
+- name: Drop INPUT
+  shell: iptables -P INPUT DROP
+  tags:
+  - always
+
+- name: Drop OUTPUT
+  shell: iptables -P OUTPUT DROP
+  tags:
+  - always
+
+- name: Drop FORWARD
+  shell: iptables -P FORWARD DROP
+  tags:
+  - always
+
+- name: set additional interfaces ip
+  command: ip addr add {{item.value}} dev {{item.key}}
+  when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+  with_dict: "{{ additional_interfaces }}"
+
+- name: Bring additional interfaces up
+  command: ifup {{item.key}}
+  when: hostvars[inventory_hostname]["ansible_%s" % item.key] and (hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4'] is not defined or not item.value.split('/')[0] in hostvars[inventory_hostname]["ansible_%s" % item.key]['ipv4']['address'])
+  with_dict: "{{ additional_interfaces }}"
+
+- name: Add self to resolv.conf
+  lineinfile:
+    dest: /etc/resolv.conf
+    line: "nameserver {{ops_management_ip}}"
+    insertbefore: BOF
+
+- name: start docker
+  command: systemctl restart docker
+  tags:
+  - always
+
+- name: Disable Forwarding
+  command: "echo 0 > /proc/sys/net/ipv4/ip_forward"
+  tags:
+  - bootstrap
+
+#########################
+# FILESYSTEM
+#
+- name: Create files DIR
+  file: state=directory  path="{{files_dir}}" mode=0755
+  tags:
+  - bootstrap
+  - tls
+
+- include: matchbox.yml
+  tags:
+  - bootstrap
+  - matchbox
+
+
+- include: tls.yml
+  tags:
+  - bootstrap
+  - tls
+
+- include: dnsmasq.yml
+  tags:
+  - bootstrap
+  - dnsmasq
+
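Review bot: The `Disable Forwarding` task uses the `command` module with a shell redirection (`echo 0 > /proc/sys/net/ipv4/ip_forward`), but `command` does not go through a shell, so `>` and the path become literal arguments to echo and ip_forward is never changed; use the sysctl module instead, `sysctl: name=net.ipv4.ip_forward value=0 state=present sysctl_set=yes`. The tagging is also inconsistent in a way that can lock the host out: the flush and the three `Drop INPUT/OUTPUT/FORWARD` policy tasks are tagged `always`, while `Allow Outbound UDP DNS`, `Allow Inbound UDP DNS replies`, `Allow Outbound Web Requests` and `Allow Inbound Web Replies` carry no tag, so a run limited to e.g. `--tags tls` ends with DROP policies and no DNS/HTTP rules; giving those four tasks `tags: [always]` keeps the rule set coherent under any tag selection. The second task named `Allow SSH out for development environments` (the one with `when: ice_environment != "development"`) is a copy-paste name and should read `Allow SSH out for non-development environments`. The `Is our management IP set?` check greps the bare address, where `.` matches any character and `10.0.0.1` also matches `10.0.0.10`; `grep -F "inet {{ops_management_ip}}/"` would make the test exact.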
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml
new file mode 100755
index 0000000..7e4ea87
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/matchbox.yml
@@ -0,0 +1,137 @@
+# -*- encoding: utf-8 -*- 
+# ============LICENSE_START======================================================= 
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: Create assets directory
+  file: path="{{coreos_assets_dir}}" state=directory mode="0755"
+  tags:
+    - bootstrap
+    - matchbox
+
+- name: Download PXE image
+  get_url: url="http://{{coreos_channel}}.release.core-os.net/amd64-usr/{{coreos_version}}/{{item}}" dest="{{coreos_assets_dir}}/{{item}}"
+  with_items:
+    - "coreos_production_pxe.vmlinuz"
+    - "coreos_production_pxe.vmlinuz.sig"
+    - "coreos_production_pxe_image.cpio.gz"
+    - "coreos_production_pxe_image.cpio.gz.sig"
+    - "coreos_production_image.bin.bz2"
+    - "coreos_production_image.bin.bz2.sig"
+  tags:
+    - bootstrap
+    - matchbox
+
+- name: Retrieve the signing key
+  get_url: url="https://coreos.com/security/image-signing-key/CoreOS_Image_Signing_Key.asc" dest="{{coreos_assets_dir}}/CoreOS_Image_Signing_Key.asc"
+  tags:
+    - bootstrap
+    - matchbox
+
+- name: Import signing key
+  command: "gpg --import {{coreos_assets_dir}}/CoreOS_Image_Signing_Key.asc"
+  tags:
+    - bootstrap
+    - matchbox
+
+- name: Adding trust for CoreOS Signing key
+  command: 'echo "04126D0BFABEC8871FFB2CCE50E0885593D2DCB4:6:" | gpg --import-ownertrust'
+  tags:
+    - bootstrap
+    - matchbox
+
+- name: Verifying vmlinuz
+  command: "gpg --verify {{coreos_assets_dir}}/{{item}}"
+  with_items:
+    - "coreos_production_pxe.vmlinuz.sig"
+    - "coreos_production_pxe_image.cpio.gz.sig"
+  tags:
+    - bootstrap
+    - matchbox
+
+
+- name: Create matchbox directory
+  file: path="{{matchbox_dir}}" state=directory mode=0754
+  tags:
+    - bootstrap
+    - matchbox
+
+- name: Create groups, profiles and ignition directories
+  file: path="{{matchbox_dir}}/{{item}}" state=directory mode=0754
+  with_items:
+    - groups
+    - profiles
+    - ignition
+
+- name: matchbox k7 groups templates
+  template:
+    src: "groups/group.json.j2"
+    dest: "{{matchbox_dir}}/groups/{{item.name}}.json"
+  with_items: "{{hosts}}"
+  when: item.os == "coreos"
+
+- name: Allow Inbound 8080 web requests
+  shell: iptables -A INPUT -p udp --dport 8080 -i {{ops_management_interface}} -j ACCEPT
+
+- name: Allow Outbound 8080 web replies
+  shell: iptables -A OUTPUT -p udp --sport 8080 -o {{ops_management_interface}} -j ACCEPT
+
+- name: Create TLS assets directory
+  file: path="{{assets_dir}}/tls" state=directory mode=643
+
+- name: matchbox k8 other templates
+  template:
+    src: "{{item}}.j2"
+    dest: "{{matchbox_dir}}/{{item}}"
+  with_items:
+    - groups/install.json
+    - profiles/controller.json
+    - profiles/worker.json
+    - profiles/install-reboot.json
+    - ignition/controller.yaml
+    - ignition/coreos-install.yaml
+    - ignition/worker.yaml
+
+- name: Is matchbox already running?
+  shell: docker ps | grep matchbox | awk '{ print $1 }'
+  register: matchbox_id
+
+- name: Kill matchbox!
+  shell: docker kill {{matchbox_id.stdout}}
+  when: matchbox_id.stdout != ""
+
+- name: matchbox docker
+  command: docker run -d -p {{ops_management_ip}}:8080:8080 -v {{assets_dir}}:/assets:Z -v {{matchbox_dir}}:/var/lib/matchbox:Z quay.io/coreos/matchbox:v0.5.0 -address=0.0.0.0:8080 -log-level=debug -assets-path=/assets
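Review bot: The `Adding trust for CoreOS Signing key` task pipes into `gpg --import-ownertrust` through the `command` module, which runs no shell, so `|`, `gpg` and `--import-ownertrust` become literal arguments to echo and the ownertrust is never recorded; change the module to `shell` (and note that `gpg --verify` still exits 0 for a valid signature from an untrusted key, so the verify tasks pass either way). The `Verifying vmlinuz` task checks only the two PXE artifacts, while `coreos_production_image.bin.bz2` is downloaded over plain http together with its `.sig` but never verified; adding `coreos_production_image.bin.bz2.sig` to that `with_items` list closes the gap. The `Allow Inbound 8080 web requests` / `Allow Outbound 8080 web replies` rules use `-p udp`, but matchbox is published with `-p {{ops_management_ip}}:8080:8080`, which is a TCP mapping, so the rules should be `-p tcp` if they are meant to admit HTTP. `Create TLS assets directory` sets `mode=643`, which grants write and execute to others and no execute to the owner — almost certainly a typo, and tls.yml creates the same directory again with `0755`.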
diff --git a/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml b/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml
new file mode 100755
index 0000000..e0346cf
--- /dev/null
+++ b/ansible/roles/ansible-vvp-bootstrap/tasks/tls.yml
@@ -0,0 +1,150 @@
+# -*- encoding: utf-8 -*-
+# ============LICENSE_START=======================================================
+# org.onap.vvp/engagementmgr
+# ===================================================================
+# Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+# ===================================================================
+#
+# Unless otherwise specified, all software contained herein is licensed
+# under the Apache License, Version 2.0 (the “License”);
+# you may not use this software except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+#
+#
+# Unless otherwise specified, all documentation contained herein is licensed
+# under the Creative Commons License, Attribution 4.0 Intl. (the “License”);
+# you may not use this documentation except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#             https://creativecommons.org/licenses/by/4.0/
+#
+# Unless required by applicable law or agreed to in writing, documentation
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# ============LICENSE_END============================================
+#
+# ECOMP is a trademark and service mark of AT&T Intellectual Property.
+- name: create TLS dir
+  file:
+    state: directory
+    path: "{{files_dir}}/tls"
+    mode: 0755
+  tags:
+  - bootstrap
+  - tls
+
+- name: create TLS dir
+  file:
+    state: directory
+    path: "{{assets_dir}}/tls"
+    mode: 0755
+  tags:
+  - bootstrap
+  - tls
+
+- stat: path="{{files_dir}}/tls/ca-key.pem"
+  register: ca_key
+
+- name: create root CA
+  shell: openssl genrsa -out {{files_dir}}/tls/ca-key.pem 2048
+  when: not ca_key.stat.exists
+
+- stat: path="{{files_dir}}/tls/ca.pem"
+  register: ca
+
+- name: create self signed cert
+  shell: openssl req -x509 -new -nodes -key {{files_dir}}/tls/ca-key.pem -days 10000 -out {{files_dir}}/tls/ca.pem -subj "/CN=kube-ca"
+  when: not ca.stat.exists
+
+- name: Generate Config File
+  template:
+    src: openssl.config.j2
+    dest: "{{files_dir}}/tls/{{item}}-openssl.config"
+  with_items:
+  - admin
+  - apiserver
+  - worker
+
+- stat: path={{files_dir}}/tls/{{item}}-key.pem
+  register: keyfiles
+  with_items:
+  - admin
+  - apiserver
+  - worker
+
+- name: create keyfile
+  shell: openssl genrsa -out {{files_dir}}/tls/{{item.item}}-key.pem 2048
+  with_items: "{{keyfiles.results}}"
+  when: not item.stat.exists
+
+- stat: path={{files_dir}}/tls/{{item}}.csr
+  register: csr_files
+  with_items:
+  - admin
+  - apiserver
+  - worker
+
+- name: Create csr
+  shell: openssl req -new -key {{files_dir}}/tls/{{item.item}}-key.pem -out {{files_dir}}/tls/{{item.item}}.csr -subj "/CN=kube-{{item.item}}" -config {{files_dir}}/tls/{{item.item}}-openssl.config
+  with_items: "{{csr_files.results}}"
+  when: not item.stat.exists
+
+- stat: path={{files_dir}}/tls/{{item}}.pem
+  register: pem_files
+  with_items:
+  - admin
+  - apiserver
+  - worker
+
+- name: Create pemfile
+  shell: openssl x509 -req -in {{files_dir}}/tls/{{item.item}}.csr -CA {{files_dir}}/tls/ca.pem -CAkey {{files_dir}}/tls/ca-key.pem -CAcreateserial -out {{files_dir}}/tls/{{item.item}}.pem -days 365 -extensions v3_req -extfile {{files_dir}}/tls/{{item.item}}-openssl.config
+  with_items: "{{pem_files.results}}"
+  when: not item.stat.exists
+
+- name: Copy tls related files to assets
+  copy:
+    src: "{{files_dir}}/{{item}}"
+    dest: "{{assets_dir}}/{{item}}"
+    remote_src: yes
+    backup: yes
+  with_items:
+    - tls/apiserver-key.pem
+    - tls/apiserver.pem
+    - tls/ca.pem
+    - tls/worker-key.pem
+    - tls/worker.pem
+
+- name: Encode Admin Cert
+  shell: base64 -w 0 {{files_dir}}/tls/admin.pem
+  register: ADMIN_CERT_BASE64
+
+- name: Encode Admin Key
+  shell: base64 -w 0 {{files_dir}}/tls/admin-key.pem
+  register: ADMIN_KEY_BASE64
+
+- name: Encode CA Cert
+  shell: base64 -w 0 {{files_dir}}/tls/ca.pem
+  register: CA_CERT_BASE64
+
+- name: Render kubeconfig
+  template:
+    src: kubeconfig.j2
+    dest: "{{files_dir}}/kubeconfig"
+
+- name: Fetch the new kubeconfig
+  fetch:
+    src: "{{files_dir}}/kubeconfig"
+    dest: "{{inventory_dir}}/../k8/"
+    flat: yes
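Review bot: The `Copy tls related files to assets` task places `apiserver-key.pem` and `worker-key.pem` under `{{assets_dir}}`, which matchbox.yml mounts as the matchbox `-assets-path` and serves over unauthenticated HTTP on port 8080; anyone who can reach that port can fetch the private keys, so this should be documented as a deliberate trade-off of the PXE design and the listener kept strictly on the management network (it is already bound to `{{ops_management_ip}}`). The `create root CA` and `create keyfile` tasks run `openssl genrsa` under the default umask, so `ca-key.pem` and the other private keys get whatever mode that yields (often 0644 unless the umask is restrictive); prefix the commands with `umask 077 && ` or follow them with a `file` task setting `mode: "0600"`. The three `Encode …` tasks register the base64 of the admin certificate and key, which is shown in verbose output and passed to callbacks; add `no_log: true` to those tasks. The two tasks both named `create TLS dir` should get distinct names so failures are attributable.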
-- 
cgit