diff --git a/ansible/roles/crc-cloud/defaults/main.yaml b/ansible/roles/crc-cloud/defaults/main.yaml new file mode 100644 index 00000000..d9157333 --- /dev/null +++ b/ansible/roles/crc-cloud/defaults/main.yaml @@ -0,0 +1,34 @@ +--- +dnsmasq_conf_path: /etc/dnsmasq.d/crc-dnsmasq.conf +pull_secret: "" +eip: crc.dev +altnernative_domain: nip.io + +# wait for resource +max_retry: 20 +wait_interval: 5 + +# wait cluster become healthy +wait_components: "authentication|console|etcd|ingress|openshift-apiserver" +max_retries: 20 +retry_delay: 5 + +pass_developer: _PASS_DEVELOPER_ +pass_kubeadmin: _PASS_KUBEADMIN_ +pass_redhat: _PASS_REDHAT_ + +users: + - name: developer + password: "{{ pass_developer }}" + - name: kubeadmin + password: "{{ pass_kubeadmin }}" + - name: redhat + password: "{{ pass_redhat }}" + +# replace default ca +ca_user: "system:admin" +ca_group: "system:masters" +ca_user_subj: "/O=${GROUP}/CN=${USER}" +ca_name: "custom" +ca_subj: "/OU=openshift/CN=admin-kubeconfig-signer-custom" +ca_validity: 3650 diff --git a/ansible/roles/crc-cloud/tasks/console_route.yaml b/ansible/roles/crc-cloud/tasks/console_route.yaml new file mode 100644 index 00000000..57e9c5c6 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/console_route.yaml @@ -0,0 +1,16 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L282 +- name: Get route to console custom + ansible.builtin.shell: | + oc get route console-custom -n openshift-console + register: _route_console_custom + until: _route_console_custom.rc != 1 + retries: 60 + delay: 10 + changed_when: false + +- name: Get console route + ansible.builtin.shell: > + oc get route console-custom + -n openshift-console + -o json | jq -r '.spec.host' diff --git a/ansible/roles/crc-cloud/tasks/create_certificate_and_patch_secret.yaml b/ansible/roles/crc-cloud/tasks/create_certificate_and_patch_secret.yaml new file mode 100644 index 00000000..e9b6a946 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/create_certificate_and_patch_secret.yaml @@ -0,0 +1,20 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185 +- name: Create alternative cert + ansible.builtin.shell: > + openssl req + -newkey rsa:2048 + -new -nodes + -x509 + -days 3650 + -keyout nip.key + -out nip.crt + -subj "/CN={{ eip }}.{{ alternative_domain }}" + -addext "subjectAltName=DNS:apps.{{ eip }}.{{ alternative_domain }},DNS:*.apps.{{ eip }}.{{ alternative_domain }},DNS:api.{{ eip }}.{{ alternative_domain }}" + +- name: "Create secret for {{ alternative_domain }}" + ansible.builtin.command: > + oc create secret tls nip-secret + --cert=nip.crt + --key=nip.key + -n openshift-config diff --git a/ansible/roles/crc-cloud/tasks/dnsmasq.yaml b/ansible/roles/crc-cloud/tasks/dnsmasq.yaml new file mode 100644 index 00000000..37e0c01d --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/dnsmasq.yaml @@ -0,0 +1,41 @@ +--- +# From https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L101 +- name: Create crc-dnsmasq.conf + become: true + ansible.builtin.copy: + content: | + listen-address={{ ansible_default_ipv4.address }} + expand-hosts + log-queries + local=/crc.testing/ + domain=crc.testing + address=/apps-crc.testing/{{ ansible_default_ipv4.address }} + address=/api.crc.testing/{{ ansible_default_ipv4.address }} + address=/api-int.crc.testing/{{ ansible_default_ipv4.address }} + address=/$hostName.crc.testing/192.168.126.11 + dest: "{{ dnsmasq_conf_path }}" + register: _dnsmasq_conf + +- name: Set DNS servers for Wired connection 1 + become: true + community.general.nmcli: + conn_name: "Wired connection 1" + state: present + type: ethernet + ipv4.dns: "{{ ansible_default_ipv4.address }},169.254.169.254" + register: _nm_wired_conn + +- name: Restart NetworkManager when its needed + when: _nm_wired_conn.changed + become: true + ansible.builtin.systemd: + name: NetworkManager + state: restarted + +- name: Restart dnsmasq + when: _dnsmasq_conf.changed + become: true + ansible.builtin.systemd: + name: dnsmasq + state: restarted + enabled: true diff --git a/ansible/roles/crc-cloud/tasks/get_htpasswd.yaml b/ansible/roles/crc-cloud/tasks/get_htpasswd.yaml new file mode 100644 index 00000000..15491d50 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/get_htpasswd.yaml @@ -0,0 +1,4 @@ +--- +- name: "Get htpasswd for {{ user.name }}" + ansible.builtin.shell: | + podman run --rm -ti xmartlabs/htpasswd developer {{ user.password }} > htpasswd.{{ user.name }} diff --git a/ansible/roles/crc-cloud/tasks/kubeconfig.yaml b/ansible/roles/crc-cloud/tasks/kubeconfig.yaml new file mode 100644 index 00000000..baacdeb3 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/kubeconfig.yaml @@ -0,0 +1,15 @@ +--- +- name: Create kube directory + ansible.builtin.file: + path: .kube + state: directory + owner: core + group: core + +- name: Copy kubeconfig to user dir + ansible.builtin.copy: + src: /opt/kubeconfig + dest: .kube/config + remote_src: true + owner: core + group: core diff --git a/ansible/roles/crc-cloud/tasks/kubelet.yaml b/ansible/roles/crc-cloud/tasks/kubelet.yaml new file mode 100644 index 00000000..c8cb1790 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/kubelet.yaml @@ -0,0 +1,8 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L132 +- name: Start and enable kubelet + become: true + ansible.builtin.systemd: + name: kubelet + state: started + enabled: true diff --git a/ansible/roles/crc-cloud/tasks/login.yaml b/ansible/roles/crc-cloud/tasks/login.yaml new file mode 100644 index 00000000..8707d92d --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/login.yaml @@ -0,0 +1,14 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L67 +- name: Try to login after all changes + ansible.builtin.command: > + oc login + --insecure-skip-tls-verify=true + -u kubeadmin + -p "{{ pass_kubeadmin }}" + https://api.crc.testing:6443 + register: _openshift_login + until: _openshift_login.rc != 1 + retries: 60 + delay: 10 + changed_when: false diff --git a/ansible/roles/crc-cloud/tasks/main.yaml b/ansible/roles/crc-cloud/tasks/main.yaml new file mode 100644 index 00000000..3f86d424 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/main.yaml @@ -0,0 +1,56 @@ +--- +- name: Check if pull-secret is provided + when: not pull_secret + ansible.builtin.fail: + msg: "You need to provide pull_secret variable!" + +- name: Create kubeconfig + ansible.builtin.include_tasks: kubeconfig.yaml + +- name: Setup dnsmasq + ansible.builtin.include_tasks: dnsmasq.yaml + +- name: Start kubelet + ansible.builtin.include_tasks: kubelet.yaml + +- name: Replace default pubkey + ansible.builtin.include_tasks: pubkey.yaml + +- name: Wait for cluster become healthy + ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml + +- name: Set credentials + ansible.builtin.include_tasks: set_credentials.yaml + +- name: Replace default CA + ansible.builtin.include_tasks: replace_default_ca.yaml + +- name: Login to the OpenShift cluster + ansible.builtin.include_tasks: login.yaml + +- name: Patch pull secret + ansible.builtin.include_tasks: patch_pull_secret.yaml + +- name: Wait for cluster become healthy after patching CA and pull secret + ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml + +- name: Create certificate and patch secret + ansible.builtin.include_tasks: create_certificate_and_patch_secret.yaml + +- name: Wait for cluster become healthy after adding domain + ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml + +- name: Patch ingress config + ansible.builtin.include_tasks: patch_ingress_config.yaml + +- name: Patch api server + ansible.builtin.include_tasks: patch_api_server.yaml + +- name: Patch default route + ansible.builtin.include_tasks: patch_default_route.yaml + +- name: Wait for cluster become healthy after changing ingress api server and default route + ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml + +- name: Get console route + ansible.builtin.include_tasks: console_route.yaml diff --git a/ansible/roles/crc-cloud/tasks/patch_api_server.yaml b/ansible/roles/crc-cloud/tasks/patch_api_server.yaml new file mode 100644 index 00000000..95cd8774 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/patch_api_server.yaml @@ -0,0 +1,7 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L215 +- name: Patch apiserver + ansible.builtin.shell: > + oc patch apiserver cluster + --type=merge + -p '{"spec":{"servingCerts": {"namedCertificates":[{"names":["api.{{ eip }}.{{ alternative_domain }}"],"servingCertificate": {"name": "nip-secret"}}]}' diff --git a/ansible/roles/crc-cloud/tasks/patch_default_route.yaml b/ansible/roles/crc-cloud/tasks/patch_default_route.yaml new file mode 100644 index 00000000..688129e2 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/patch_default_route.yaml @@ -0,0 +1,9 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L222 +- name: Patch default route + ansible.builtin.shell: > + oc patch + -p '{"spec": {"host": "default-route-openshift-image-registry.{{ eip }}.{{ alternative_domain }}"}}' + route default-route + -n openshift-image-registry + --type=merge diff --git a/ansible/roles/crc-cloud/tasks/patch_ingress_config b/ansible/roles/crc-cloud/tasks/patch_ingress_config new file mode 100644 index 00000000..c19f3dca --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/patch_ingress_config @@ -0,0 +1,3 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185 + diff --git a/ansible/roles/crc-cloud/tasks/patch_ingress_config.yaml b/ansible/roles/crc-cloud/tasks/patch_ingress_config.yaml new file mode 100644 index 00000000..f7b0f0e7 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/patch_ingress_config.yaml @@ -0,0 +1,26 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185 +- name: Generate ingress patch + ansible.builtin.copy: + content: | + spec: + appsDomain: apps.{{ eip }}.{{ alternative_domain }} + componentRoutes: + - hostname: console-openshift-console.apps.{{ eip }}.{{ alternative_domain }} + name: console + namespace: openshift-console + servingCertKeyPairSecret: + name: nip-secret + - hostname: oauth-openshift.apps.{{ eip }}.{{ alternative_domain }} + name: oauth-openshift + namespace: openshift-authentication + servingCertKeyPairSecret: + name: nip-secret + dest: ingress-patch.yaml + +- name: Apply patch for ingress + ansible.builtin.command: > + oc patch ingresses.config.openshift.io + cluster + --type=merge + --patch-file=ingress-patch.yaml diff --git a/ansible/roles/crc-cloud/tasks/patch_pull_secret.yaml b/ansible/roles/crc-cloud/tasks/patch_pull_secret.yaml new file mode 100644 index 00000000..b0fa65b9 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/patch_pull_secret.yaml @@ -0,0 +1,9 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L178 +- name: Patch pull secret + ansible.builtin.command: > + oc patch secret pull-secret + -p ''{\"data\":{\".dockerconfigjson\":\"{{ pull_secret }}\"}}" + -n openshift-config + --type merge + no_log: true diff --git a/ansible/roles/crc-cloud/tasks/pubkey.yaml b/ansible/roles/crc-cloud/tasks/pubkey.yaml new file mode 100644 index 00000000..2306772f --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/pubkey.yaml @@ -0,0 +1,17 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L93 +- name: Read pub key + ansible.builtin.shell: | + tr -d '\n\r' < ~core/id_rsa.pub + register: _pub_key + +- name: Wait for machineconfig + vars: + resource: machineconfig + ansible.builtin.include_tasks: wait_for_resource.yaml + +- name: Patch machineconfig 99-master-ssh + ansible.builtin.shell: > + oc patch machineconfig 99-master-ssh + -p '{"spec": {"config": {"passwd": {"users": [{"name": "core", "sshAuthorizedKeys": ["{{_pub_key.stdout}}"]}]}}}}' + --type merge diff --git a/ansible/roles/crc-cloud/tasks/replace_default_ca.yaml b/ansible/roles/crc-cloud/tasks/replace_default_ca.yaml new file mode 100644 index 00000000..cb0ef5ca --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/replace_default_ca.yaml @@ -0,0 +1,52 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L41 +- name: Generate key + ansible.builtin.command: openssl genrsa -out {{ ca_name }}-ca.key 4096 + +- name: Generate cert + ansible.builtin.command: > + openssl req -x509 -new -nodes + -key {{ ca_name }}-ca.key + -sha256 + -days {{ ca_validity }} + -out {{ ca_name }}-ca.crt + -subj "{{ ca_subj }}" + +- name: Generate csr + ansible.builtin.command: > + openssl req -nodes + -newkey rsa:2048 + -keyout {{ ca_user }}.key + -subj "{{ ca_user_subj }}" + -out {{ ca_user }}.csr + +- name: Generate user cert + ansible.builtin.shell: > + openssl x509 + -extfile <(printf "extendedKeyUsage = clientAuth") + -req -in {{ ca_user }}.csr + -CA {{ ca_name }}-ca.crt + -CAkey {{ ca_name }}-ca.key + -CAcreateserial -out {{ ca_user }}.crt + -days {{ ca_validity }} + -sha256 + +- name: Create configmap + ansible.builtin.command: > + oc create configmap + client-ca-custom + -n openshift-config + --from-file=ca-bundle.crt={{ ca_name }}-ca.crt + +- name: Patch apiserver + ansible.builtin.command: > + oc patch apiserver cluster + --type=merge + -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}' + +- name: Create configmap + ansible.builtin.shell: > + oc create configmap admin-kubeconfig-client-ca + -n openshift-config + --from-file=ca-bundle.crt={{ ca_name }}-ca.crt + --dry-run -o yaml | oc replace -f - diff --git a/ansible/roles/crc-cloud/tasks/set_credentials.yaml b/ansible/roles/crc-cloud/tasks/set_credentials.yaml new file mode 100644 index 00000000..935146e5 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/set_credentials.yaml @@ -0,0 +1,29 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L229 +- name: Get htpasswd + ansible.builtin.include_tasks: get_htpasswd.yaml + loop: "{{ users }}" + loop_control: + loop_var: user + +- name: Create htpasswd.txt + ansible.builtin.shell: | + cat htpasswd.{{ user.name }} >> htpasswd.txt + loop: "{{ users }}" + loop_control: + loop_var: user + +- name: Cleanup htpasswd.txt file + ansible.builtin.shell: | + sed -i '/^\s*$/d' htpasswd.txt + +- name: Create secret with generic htpass-secret + ansible.builtin.shell: > + oc create secret generic htpass-secret + --from-file=htpasswd=htpasswd.txt + -n openshift-config + --dry-run=client + -o yaml > /tmp/htpass-secret.yaml + +- name: Replace htpass-secret + ansible.builtin.command: oc replace -f /tmp/htpass-secret.yaml diff --git a/ansible/roles/crc-cloud/tasks/wait_cluster_become_healthy.yaml b/ansible/roles/crc-cloud/tasks/wait_cluster_become_healthy.yaml new file mode 100644 index 00000000..26f77a79 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/wait_cluster_become_healthy.yaml @@ -0,0 +1,32 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L159 +- name: Wait for OpenShift cluster components to become healthy + block: + - name: Wait for OpenShift API to be available + ansible.builtin.command: "oc get co" + register: api_check + retries: 10 + delay: 2 + until: api_check.rc == 0 + ignore_errors: true + failed_when: api_check.rc != 0 + when: api_check.rc != 0 + + - name: Check if specified OpenShift components are healthy + ansible.builtin.shell: | + oc get co | grep -E '{{ wait_components }}' | awk '{ print $3 }' + register: component_status + retries: "{{ max_retries }}" + delay: "{{ retry_delay }}" + until: "'False' in component_status.stdout_lines" + failed_when: "'False' not in component_status.stdout_lines and retry_count >= max_retries" + ignore_errors: true + + - name: Output success message if components are healthy + ansible.builtin.debug: + msg: "OpenShift cluster components have become healthy in approximately {{ retry_count }} * {{ retry_delay }} seconds." + + - name: Fail if any components are still unhealthy + when: "'False' not in component_status.stdout_lines" + ansible.builtin.fail: + msg: "OpenShift cluster components failed to become healthy after {{ max_retries }} checks." diff --git a/ansible/roles/crc-cloud/tasks/wait_for_resource.yaml b/ansible/roles/crc-cloud/tasks/wait_for_resource.yaml new file mode 100644 index 00000000..86338915 --- /dev/null +++ b/ansible/roles/crc-cloud/tasks/wait_for_resource.yaml @@ -0,0 +1,17 @@ +--- +# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L79 +- name: Wait for OpenShift resource to become available + block: + - name: Check for resource availability + ansible.builtin.command: "oc get {{ resource }}" + register: result + ignore_errors: true + retries: "{{ max_retry }}" + delay: "{{ wait_interval }}" + until: result.rc == 0 + failed_when: result.rc != 0 and retry_count >= max_retry + + - name: Fail if resource {{ resource }} unavailable + ansible.builtin.fail: + msg: "Impossible to get resource {{ resource }}" + when: result.rc != 0