From 110ae6da8d80b63a068f4537383e775d958cf9a9 Mon Sep 17 00:00:00 2001
From: "Suren A. Chilingaryan"
Date: Sat, 14 Apr 2018 02:09:54 +0200
Subject: Provide support for global OpenShift resources (ClusterRoles, etc.)
---
 opts.sh | 4 ++
 playbooks/openshift-setup-projects.yml | 2 +
 playbooks/openshift-setup-resources.yml | 7 +++
 playbooks/openshift-setup-users.yml | 1 +
 roles/ands_kaas/00-local-volumes.yml.j2 | 67 ----------------------
 roles/ands_kaas/tasks/main.yml | 2 +-
 roles/ands_kaas/tasks/oc.yml | 2 +-
 roles/ands_kaas/tasks/template.yml | 2 +-
 roles/ands_openshift/defaults/main.yml | 2 +-
 roles/ands_openshift/tasks/projects.yml | 4 ++
 roles/ands_openshift/tasks/projects_resources.yml | 20 +++++++
 roles/ands_openshift/tasks/resources.yml | 9 +++
 roles/ands_openshift/tasks/users_resources.yml | 21 -------
 setup.sh | 12 +++-
 setup/configs/openshift.yml | 2 +
 setup/projects/openshift/templates/maintain.yml.j2 | 33 +++++++++++
 setup/projects/openshift/vars/script.yml | 2 +
 17 files changed, 99 insertions(+), 93 deletions(-)
 create mode 100644 playbooks/openshift-setup-resources.yml
 delete mode 100644 roles/ands_kaas/00-local-volumes.yml.j2
 create mode 100644 roles/ands_openshift/tasks/projects.yml
 create mode 100644 roles/ands_openshift/tasks/projects_resources.yml
 create mode 100644 roles/ands_openshift/tasks/resources.yml
 create mode 100644 setup/projects/openshift/templates/maintain.yml.j2
 create mode 100644 setup/projects/openshift/vars/script.yml
diff --git a/opts.sh b/opts.sh
index c4d2196..25d232a 100644
--- a/opts.sh
+++ b/opts.sh
@@ -50,11 +50,15 @@ Actions: project - reconfigures a single OpenShift namespace project_groups - reconfigures fs groups for a single OpenShift namespace (required for Ganesha) apps [app] - only re-generates templates for the specific namespaces (or even only specific application) + templates - Regenerate global templates (roles, etc.) + templates [t] - Regenerate specified templates, i.e. 'setup.sh templates adei 01-webdav-secret.yml' vpn - reconfigure VPN tunnels certs - re-generate OpenShift x509 certificates check - check current setup and report if any maintenace should be peformed setup - executes specific configuration task from ands-openshift Tasks: users, ssh, storage, heketi + ADEI configuration + adei_template - Regenerate ADEI template Host system managment software - Install additionaly configured software diff --git a/playbooks/openshift-setup-projects.yml b/playbooks/openshift-setup-projects.yml index aac5eb0..350675e 100644 --- a/playbooks/openshift-setup-projects.yml +++ b/playbooks/openshift-setup-projects.yml @@ -3,6 +3,8 @@ - name: Configure users & user projects hosts: masters roles: + - { role: ands_openshift, subrole: projects } + - { role: ands_openshift, subrole: resources } - { role: ands_openshift, subrole: users } - { role: ands_openshift, subrole: security } - { role: ands_openshift, subrole: storage } diff --git a/playbooks/openshift-setup-resources.yml b/playbooks/openshift-setup-resources.yml new file mode 100644 index 0000000..b8d808b --- /dev/null +++ b/playbooks/openshift-setup-resources.yml @@ -0,0 +1,7 @@ +- import_playbook: maintain.yml + +- name: Configure OpenShift resources + hosts: masters + roles: + - { role: ands_openshift, subrole: resources } + diff --git a/playbooks/openshift-setup-users.yml b/playbooks/openshift-setup-users.yml index 03057d9..c819a9a 100644 --- a/playbooks/openshift-setup-users.yml +++ b/playbooks/openshift-setup-users.yml 
@@ -3,5 +3,6 @@ - name: Configure users hosts: masters roles: + - { role: ands_openshift, subrole: projects } - { role: ands_openshift, subrole: users } diff --git a/roles/ands_kaas/00-local-volumes.yml.j2 b/roles/ands_kaas/00-local-volumes.yml.j2 deleted file mode 100644 index 8d1a1c8..0000000 --- a/roles/ands_kaas/00-local-volumes.yml.j2 +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -apiVersion: v1 -kind: Template -metadata: - name: {{ kaas_project }}-local-volumes - annotations: - descriptions: "{{ kaas_project }} local volumes" -objects: -{% for name, vol in kaas_project_local_volumes.iteritems() %} -{% set voltypes = kaas_storage_domains | json_query("[*].volumes." + vol.volume + ".type") %} -{% set voltype = voltypes[0] | default('host') %} -{% set mntpaths = kaas_storage_domains | json_query("[*].volumes." + vol.volume + ".mount") %} -{% set mntpath = mntpaths[0] | default('') %} -{% set oc_name = vol.name | default(name) | regex_replace('_','-') %} -{% set cfgpath = vol.path | default("") %} -{% set path = cfgpath if cfgpath[:1] == "/" else "/" + kaas_project + "/" + cfgpath %} -{% if oc_name | regex_search("^" + kaas_project) %} -{% set pvprefix = oc_name %} -{% else %} -{% set pvprefix = (kaas_project + "-" + oc_name) | regex_replace('_','-') %} -{% endif %} -{% set i = 0 %} -{% for id in vol.nodes | default(hostvars[inventory_hostname]['ands_volume_' + vol.volume + '_server_ids']) %} -{% set srvid = (id | string) %} -{% set server_name = hostvars[inventory_hostname]['ands_host_' + srvid + '_public_hostname'] %} -{% set openshift_name = hostvars[inventory_hostname]['ands_host_' + srvid + '_openshift_fqdn'] %} -{% set pvname = pvprefix + '-' + server_name %} -{% set pvcname = oc_name + '-' + (i|string) %} - - apiVersion: v1 - kind: PersistentVolume - metadata: - name: {{ pvname }} - annotations: - "volume.alpha.kubernetes.io/node-affinity": '{ - "requiredDuringSchedulingIgnoredDuringExecution": { - "nodeSelectorTerms": [ - { "matchExpressions": [ { "key": "kubernetes.io/hostname", "operator": "In", "values": ["{{ openshift_name }}"] } ]} - ] - } - }' - spec: - storageClassName: kaas-local-storage - persistentVolumeReclaimPolicy: Retain - local: - path: "{{ mntpath }}{{ path }}" - readOnly: {{ not (vol.write | default(false)) }} - accessModes: - - ReadWriteOnce - capacity: - storage: {{ vol.capacity | 
default(kaas_default_volume_capacity) }} - claimRef: - name: {{ pvcname }} - namespace: {{ kaas_project }} - - apiVersion: v1 - kind: PersistentVolumeClaim - metadata: - name: {{ pvcname }} - spec: - volumeName: {{ pvname }} - accessModes: - - ReadWriteOnce - resources: - requests: - storage: {{ vol.capacity | default(kaas_default_volume_capacity) }} -{% set i = i + 1 %} -{% endfor %} -{% endfor %} diff --git a/roles/ands_kaas/tasks/main.yml b/roles/ands_kaas/tasks/main.yml index f1cff02..fed0525 100644 --- a/roles/ands_kaas/tasks/main.yml +++ b/roles/ands_kaas/tasks/main.yml @@ -7,6 +7,6 @@ loop_control: loop_var: kaas_project vars: - do_subrole: "{{ subrole | default('project') }}" + do_subrole: "{{ kaas_subrole | default(subrole | default('project')) }}" kaas_template_path: "{{ kaas_template_root }}/{{ kaas_project }}" kaas_project_path: "{{playbook_dir}}/projects/{{ kaas_project }}" diff --git a/roles/ands_kaas/tasks/oc.yml b/roles/ands_kaas/tasks/oc.yml index d3504f8..9b17c3b 100644 --- a/roles/ands_kaas/tasks/oc.yml +++ b/roles/ands_kaas/tasks/oc.yml @@ -6,5 +6,5 @@ vars: resource: "{{ ocitem.resource | default('') }}" command: "{{ ocitem.oc }}" - project: "{{ kaas_project }}" + project: "{{ kaas_namespace | default(kaas_project) }}" recreate: "{{ ocitem.recreate | default(false) }}" diff --git a/roles/ands_kaas/tasks/template.yml b/roles/ands_kaas/tasks/template.yml index 841c80e..89c30e0 100644 --- a/roles/ands_kaas/tasks/template.yml +++ b/roles/ands_kaas/tasks/template.yml @@ -19,7 +19,7 @@ dest_name: "{{ (appname is defined) | ternary ( '90-' + (appname | default('')) + '.yml', default_name ) }}" template: "{{ dest_name }}" template_path: "{{ kaas_template_path }}" - project: "{{ kaas_project }}" + project: "{{ kaas_namespace | default(kaas_project) }}" recreate: "{{ result | changed | ternary (delete | default(true) | ternary(true, false), false) }}" replace: "{{ result | changed | ternary (delete | default(true) | ternary(false, true), false) }}" 
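Review bot: The new `project: "{{ kaas_namespace | default(kaas_project) }}"` line in oc.yml (and the identical line in template.yml) introduces an override that nothing in this patch documents or declares, so a reader of the role cannot tell why one project's templates would ever be applied to a different namespace. Add a comment above the line such as `# kaas_namespace: optional override; ands_openshift/resources uses it to apply setup/projects/openshift into the 'kaas' namespace`, and mention `kaas_namespace` (and the new `kaas_subrole` used for `do_subrole` in main.yml) wherever the role's other input variables are listed so the contract is visible. The enclosing tasks in oc.yml and template.yml start before their hunks.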
diff --git a/roles/ands_openshift/defaults/main.yml b/roles/ands_openshift/defaults/main.yml
index d279345..feec093 100644
--- a/roles/ands_openshift/defaults/main.yml
+++ b/roles/ands_openshift/defaults/main.yml
@@ -1,4 +1,4 @@
-openshift_common_subroles: "{{ [ 'users', 'security', 'storage' ] }}"
+openshift_common_subroles: "{{ [ 'projects', 'resources', 'users', 'security', 'storage' ] }}"
 openshift_heketi_subroles: "{{ [ 'ssh', 'heketi' ] }}"
 openshift_all_subroles: "{{ ands_configure_heketi | default(False) | ternary(openshift_common_subroles + openshift_heketi_subroles, openshift_common_subroles) }}"
diff --git a/roles/ands_openshift/tasks/projects.yml b/roles/ands_openshift/tasks/projects.yml
new file mode 100644
index 0000000..4f13136
--- /dev/null
+++ b/roles/ands_openshift/tasks/projects.yml
@@ -0,0 +1,4 @@
+---
+- include_tasks: projects_resources.yml
+ run_once: true
+ delegate_to: "{{ groups.masters[0] }}"
diff --git a/roles/ands_openshift/tasks/projects_resources.yml b/roles/ands_openshift/tasks/projects_resources.yml
new file mode 100644
index 0000000..2afe9e1
--- /dev/null
+++ b/roles/ands_openshift/tasks/projects_resources.yml
@@ -0,0 +1,20 @@
+- name: Get project list
+ command: "oc get projects -o json"
+ changed_when: false
+ register: results
+
+- name: Find missing projects
+ set_fact: new_projects="{{ ands_openshift_projects.keys() | difference (results.stdout | from_json | json_query('items[*].metadata.name')) }}"
+ when: (results | succeeded)
+
+- name: Create missing projects
+ command: "oc adm new-project --description '{{ ands_openshift_projects[item] }}' {{ item }}"
+ with_items: "{{ new_projects | default([]) }}"
+
+- name: Allow projects to pull images from KaaS imagestreams
+ command: "oc policy add-role-to-group system:image-puller system:serviceaccounts:{{ prj_item }} --namespace=kaas"
+ with_items: "{{ ands_openshift_projects.keys() }}"
+ when:
+ prj_item != "kaas"
+ loop_control:
+ loop_var: prj_item
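Review bot: In `oc adm new-project --description '{{ ands_openshift_projects[item] }}' {{ item }}` in projects_resources.yml the description from setup/configs/openshift.yml is spliced into the argument string with hand-written single quotes, so a description containing an apostrophe breaks the `command` module's argument splitting (it does not go through a shell, but it still tokenises the string); `--description {{ ands_openshift_projects[item] | quote }}` handles any value. The `when: (results | succeeded)` on the set_fact is redundant, because a failing `oc get projects` already aborts the play before that task is reached, and a non-JSON answer would surface in `from_json` rather than in this guard. Both tasks are moved unchanged from users_resources.yml, so these points predate this commit; the wrapper in projects.yml correctly pins them to one master with `run_once`/`delegate_to`.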
diff --git a/roles/ands_openshift/tasks/resources.yml b/roles/ands_openshift/tasks/resources.yml new file mode 100644 index 0000000..b691372 --- /dev/null +++ b/roles/ands_openshift/tasks/resources.yml @@ -0,0 +1,9 @@ +- name: Run configuration script and populate resources + include_role: name="ands_kaas" + vars: + kaas_openshift_volumes: "{{ ands_openshift_volumes }}" + kaas_projects: "{{ ands_openshift_projects.keys() }}" + kaas_single_project: "openshift" + kaas_namespace: "kaas" + kaas_subrole: "script" + delete: false diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml index 722e1eb..2a73cd0 100644 --- a/roles/ands_openshift/tasks/users_resources.yml +++ b/roles/ands_openshift/tasks/users_resources.yml @@ -6,27 +6,6 @@ vars: key_len: "{{ item.key.split('/') | length }}" -- name: Get project list - command: "oc get projects -o json" - changed_when: false - register: results - -- name: Find missing projects - set_fact: new_projects="{{ ands_openshift_projects.keys() | difference (results.stdout | from_json | json_query('items[*].metadata.name')) }}" - when: (results | succeeded) - -- name: Create missing projects - command: "oc adm new-project --description '{{ ands_openshift_projects[item] }}' {{ item }}" - with_items: "{{ new_projects | default([]) }}" - -- name: Allow projects to pull images from KaaS imagestreams - command: "oc policy add-role-to-group system:image-puller system:serviceaccounts:{{ prj_item }} --namespace=kaas" - with_items: "{{ ands_openshift_projects.keys() }}" - when: - prj_item != "kaas" - loop_control: - loop_var: prj_item - - name: Configure per project roles command: "oc adm policy add-role-to-user -n {{ item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}" with_dict: "{{ ands_openshift_roles }}" diff --git a/setup.sh b/setup.sh index add68a4..8d67d6d 100755 --- a/setup.sh +++ b/setup.sh 
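Review bot: The `include_role: name="ands_kaas"` in resources.yml runs on every host of the play (the playbooks target `hosts: masters`), whereas the sibling projects.yml wrapper added in this commit restricts its include with `run_once: true` and `delegate_to: "{{ groups.masters[0] }}"`; unless ands_kaas serialises itself, each master would apply the same cluster-scoped templates at once. Either give this include the same treatment or add a comment stating why it is safe as written. The two literal vars also deserve a why-comment, e.g. `# kaas_namespace: ClusterRoles are cluster-scoped, the namespace only selects the project oc runs against` and `# delete: false -> changed templates are replaced rather than deleted and recreated (see ands_kaas/tasks/template.yml), so the role never disappears between runs`. Note that openshift-setup-users.yml now runs only the projects and users subroles, so on a fresh cluster that playbook may try to bind `adei/kaas-maintain` before this subrole has created the ClusterRole; worth documenting or guarding.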
@@ -73,7 +73,17 @@ case "$action" in fi apply playbooks/openshift-setup-apps.yml --extra-vars "$vars" "$@" || exit 1 ;; - templates|project_templates) + templates) + if [ -n "$1" ]; then + ./setup.sh -i $inventory project_templates "$@" || exit 1 + else + ./setup.sh -i $inventory global_templates "$@" || exit 1 + fi + ;; + global_templates) + apply playbooks/openshift-setup-resources.yml "$@" || exit 1 + ;; + project_templates) [ -n "$1" ] || { usage 'project name should be specified...' ; exit 1; } vars="ands_configure_project=$1" diff --git a/setup/configs/openshift.yml b/setup/configs/openshift.yml index 10146e8..a4024ae 100644 --- a/setup/configs/openshift.yml +++ b/setup/configs/openshift.yml @@ -20,6 +20,8 @@ ands_openshift_roles: kaas/admin: csa, kopmann katrin/admin: katrin adei/admin: csa + adei/view: pdv, kopmann + adei/kaas-maintain: pdv, kopmann bora/admin: ntj web/admin: kopmann mon/admin: csa diff --git a/setup/projects/openshift/templates/maintain.yml.j2 b/setup/projects/openshift/templates/maintain.yml.j2 new file mode 100644 index 0000000..41017a5 --- /dev/null +++ b/setup/projects/openshift/templates/maintain.yml.j2 @@ -0,0 +1,33 @@ +apiVersion: v1 +kind: ClusterRole +metadata: + annotations: + openshift.io/description: A user that can create and edit most objects in a project, + but can not update the project's membership. + openshift.io/reconcile-protect: "false" + creationTimestamp: null + name: kaas-maintain +rules: +- resources: + - pods/exec + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch +- resources: + - replicationcontrollers/scale + - deploymentconfigs/scale + verbs: + - create + - delete + - deletecollection + - get + - list + - patch + - update + - watch diff --git a/setup/projects/openshift/vars/script.yml b/setup/projects/openshift/vars/script.yml new file mode 100644 index 0000000..0d9ccef --- /dev/null +++ b/setup/projects/openshift/vars/script.yml 
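Review bot: `$inventory` is expanded unquoted in both recursive calls of the new `templates)` branch in setup.sh, so an inventory path containing spaces or glob characters is split before it reaches the child process; quote it as `./setup.sh -i "$inventory" project_templates "$@" || exit 1` and `./setup.sh -i "$inventory" global_templates "$@" || exit 1`. The relative `./setup.sh` also assumes the script is invoked from its own directory, which appears to be the existing convention here (the `apply playbooks/...` calls are relative too), so a one-line comment stating that assumption would suffice. The enclosing `case` statement starts before the hunk and continues after it.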
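Review bot: The `openshift.io/description` annotation in maintain.yml.j2 is copied from the built-in `edit` role and does not describe this ClusterRole, which grants only `pods/exec` and the two `*/scale` subresources; replace it with something like `Can exec into pods and scale replication controllers / deployment configs in a project, nothing else`. The rules carry no `apiGroups`, so what they match depends on how the legacy `v1` ClusterRole is converted; make it explicit with `apiGroups: [""]` on the first rule and `apiGroups: ["", "apps.openshift.io"]` on the second, since `deploymentconfigs` is also served from `apps.openshift.io`. Because `create` on `pods/exec` lets a holder act with the identity and mounted secrets of any pod in the namespace, a short `# NOTE:` in the template saying so helps whoever extends the user lists in setup/configs/openshift.yml keep them small. The file is a `.j2` template but contains no Jinja expressions; a top-of-file comment saying it is intentionally static would save the next reader a search.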
@@ -0,0 +1,2 @@
+oc:
+ - templates: "maintain*"
--
cgit v1.2.1