Anthos VMware Ansible module (GoogleCloudPlatform#920)

Co-authored-by: Andrew Gold <41129777+agold-rh@users.noreply.github.com>

tools/anthosvmware-ansible-module/.gitignore

@@ -0,0 +1,28 @@
+# logs
+*.log
+
+# Directories
+.config/
+.terraform/
+.vagrant/
+inventory/vmlab
+inventory/my-site
+
+# SSH Keys
+*.pem
+
+# Backup files
+*.bak
+
+# Ignore Mac .DS_Store files
+.DS_Store
+
+# Ignore vscode files
+.vscode/
+
+header
+headerj2
+footer
+search-and-replace.sh
+add-header.sh
+roles/TEST_CASES.md

tools/anthosvmware-ansible-module/OWNERS.md

@@ -0,0 +1,11 @@
+# Owners
+
+- Ravi Nalluri [ravi-nal]
+
+- Cat Chu [cathchu]
+
+- Alain Baxter [alain-baxter]
+
+- Marek Anderson [manderson-it]
+
+- Karim Elatov [elatovg]

tools/anthosvmware-ansible-module/ansible.cfg

@@ -0,0 +1,33 @@
+# Copyright 2022 Google LLC
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[defaults]
+host_key_checking = False
+retry_files_enabled = False
+command_warnings = False
+deprecation_warnings = False
+system_warnings = False
+nocows = True
+
+inventory = ./inventory
+roles_path = ./roles
+
+callback_whitelist = profile_tasks,timer,counter_enabled
+
+# to get easily readable output from gkeadm and gkectl
+stdout_callback = yaml
+
+[ssh_connection]
+pipelining = True
+scp_if_ssh = True

tools/anthosvmware-ansible-module/inventory/mesh-a/mesh.yml

@@ -0,0 +1,38 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+all:
+  hosts:
+    member1:
+      ansible_host: 10.20.0.39
+      uc_name: "uc1"
+      asm_network_id: "{{ uc_name }}"
+    member2:
+      ansible_host: 10.20.0.39
+      uc_name: "uc2"
+      asm_network_id: "{{ uc_name }}"
+  vars:
+    yamldestpath: "/home/ubuntu"
+    ansible_user: "ubuntu"
+    sakeyfolder_base: "/home/ubuntu/sakeys"
+    mesh_project_id: "anthos-lab1"
+    mesh_unique_id: "mesh-lab1"
+    asm_version: "1.13"
+    asm_revision: "asm-1137-3"
+    asm_asmcli_version: "1.13.7-asm.3-config1"
+    asm_gcpsa: '{{ lookup("env", "GCPSA_ASMCFG_FILE") }}'
+    asm_gcpsa_path: "asm-meshconfig.json"
+    # Offline mode related
+    asm_offline_mode: false
+    asm_offline_bundle_file: "asm-1.13.7.tar.gz"

tools/anthosvmware-ansible-module/inventory/site-a/admin.yml

@@ -0,0 +1,27 @@
+# Copyright 2022 Google LLC
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+all:
+  hosts:
+  children:
+    adminws:
+      hosts:
+        10.20.0.3:
+    admincluster:
+      hosts:
+        10.20.0.39:
+    upload:
+      hosts:
+        10.20.0.39:
+# jump host to reach the vSphere API

tools/anthosvmware-ansible-module/inventory/site-a/group_vars/admincluster.yml

@@ -0,0 +1,116 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# ansible_ssh_common_args is required if your connection is: workstation (Ansible) -> jumphost -> Admin Workstation
+# ansible_ssh_common_args: '-o ProxyCommand="ssh -o StrictHostKeyChecking=no -W %h:%p -q anthosjumper@10.20.0.3"'
+
+# SSH private key on jump host to connect to Admin Workstation
+# ansible_ssh_private_key_file="/home/anthosjumper/.ssh/user_id_ed25519"
+
+ansible_user: "ubuntu"
+yamldestpath: "/home/ubuntu"
+
+# Admin Cluster (AC) role specific below
+ac_name: "ac1"
+component_access_gcpsa: '{{ lookup("env", "GCPSA_COMACC_FILE") }}'
+component_access_gcpsa_path: "component-access.json"
+
+# vSphere/vCenter
+ac_vc_fqdn: "{{ glb_vc_fqdn }}"
+ac_vc_credfile: "credential.yaml"
+ac_vc_credentry: "{{ glb_vc_credentry }}"
+ac_vc_username: "{{ glb_vc_username }}" # set with extra vars or lookup from shell variable, see README
+ac_vc_password: "{{ glb_vc_password }}" # set with extra vars or lookup from shell variable, see README
+ac_vc_datacenter: "{{ glb_vc_datacenter }}"
+ac_vc_datastore: "{{ glb_vc_datastore }}"
+ac_vc_cluster: "{{ glb_vc_cluster }}"
+ac_vc_folder: "{{ glb_vc_folder }}" # optional
+ac_vc_respool: "{{ glb_vc_respool }}" # if default resourcePool use <ac_vc_cluster>/Resources
+ac_vc_cacertpath: "{{ glb_vc_cacertpath }}"
+# for vSAN: ac_vc_datadisk must be created inside a folder when using vSAN. Folder must be created manually
+ac_vc_datadisk: "{{ ac_name }}/{{ ac_name }}-admin-cluster.vmdk"
+
+# Networking
+ac_nw_ipallocmode: "static" # dhcp or static
+ac_nw_ipfile: "{{ ac_name }}-ip-block.yaml"
+ac_nw_gw: "10.20.0.1" # gateway
+ac_nw_nm: "255.255.255.0" # netmask 255.255.255.0 or similar
+ac_nw_ntp: "{{ glb_ntp }}" # list from group_vars/all
+ac_nw_dns: "{{ glb_dns }}" # list from group_vars/all
+ac_nw_searchdomains: "{{ glb_dns_searchdomains }}" # list from group_vars/all
+ac_nw_servicecidr: "10.96.232.0/24" # default
+ac_nw_podcidr: "192.168.0.0/16" # default
+ac_nw_vc_net: "VM Network"
+
+# values for the file content of network.ipMode.ipBlockFilePath
+ac_ipblock_netmask: "255.255.255.0"
+ac_ipblock_gateway: "10.20.0.1"
+ac_ipblock_ips: ["10.20.0.40", "10.20.0.41", "10.20.0.42", "10.20.0.43", "10.20.0.44", "10.20.0.45"]
+
+# Load balancing
+ac_lb_kind: MetalLB
+ac_lb_vips_cp: "10.20.0.46"
+ac_lb_vips_addons: "10.20.0.47"
+
+# masternode sizing
+ac_masternode_cpus: 4
+ac_masternode_mem: 8192
+ac_antiaffinitygroups: false
+
+# GCP project IDs
+ac_stackdriver_projectid: "gcp_project"
+ac_stackdriver_clusterlocation: "us-central1"
+ac_stackdriver_enablevpc: false
+logging_monitoring_gcpsa: '{{ lookup("env", "GCPSA_LOGMON_FILE") }}'
+logging_monitoring_gcpsa_path: "logging-monitoring.json"
+ac_stackdriver_disablevsphereresourcemetrics: false
+ac_gkeconnect_projectid: "gcp_project"
+connect_register_gcpsa: '{{ lookup("env", "GCPSA_CONREG_FILE") }}'
+connect_register_gcpsa_path: "connect-register.json"
+ac_cloudauditlogging_projectid: "gcp_project"
+ac_cloudauditlogging_clusterlocation: "us-central1"
+audit_logging_gcpsa: '{{ lookup("env", "GCPSA_AUDLOG_FILE") }}'
+audit_logging_gcpsa_path: "audit-logging.json"
+
+ac_autorepair: true
+
+# Kubernetes Secrets at-rest encryption
+ac_secretsencryption_mode: "GeneratedKey" # optional
+ac_secretsencryption_keyversion: 1 # optional
+
+ac_verbosity: 5
+ac_skipvalidations: ""
+# example below to specify more than one skip validation option
+# ac_skipvalidations: "--skip-validation-load-balancer --skip-validation-node-ips"
+
+# Optional - when using private artifact repository
+private_download_base: "{{ glb_private_download_base }}"
+private_download_auth_header: "{{ glb_private_download_auth_header }}"
+
+# Optional: AIS 
+# Uncomment out this section to specify AIS configuration
+# An uncommented empty block will result in errors 
+# ais_install: true
+# ais_authentication:
+# - name: oidc-ad
+#   oidc:
+#     clientID: ""
+#     clientSecret: ""
+#     cloudConsoleRedirectURI: ""
+#     extraParams: prompt=consent,access_type=offline
+#     issuerURI: ""
+#     kubectlRedirectURI: ""
+#     scopes: ""
+#     userClaim: ""

tools/anthosvmware-ansible-module/inventory/site-a/group_vars/adminws.yml

@@ -0,0 +1,62 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# private ssh key on the jump host to use for the admin workstation creation
+sshprivkeypath: "/home/anthosjumper/.ssh/user_id_ed25519"
+
+# folder where the templated YAML files result in
+yamldestpath: "/home/anthosjumper/anthos" # template out YAML files relative to playbooks/ subfolder
+
+# path to gkeadm binary on the jump host
+gkeadm: "{{ yamldestpath }}/gkeadm"
+
+# SSH user used by Ansible to ssh connect to the jump host
+ansible_user: "anthosjumper"
+
+# admin workstation specific below until end of file
+adminws_name: "user-admws"
+component_access_gcpsa: '{{ lookup("env", "GCPSA_COMACC_FILE") }}'
+component_access_gcpsa_path: "component-access.json"
+sakeyfolder_base: "/home/anthosjumper/sakeys" # different home directory on jumphost than adminWS
+adminws_create_gsa: false
+
+# vSphere/vCenter
+adminws_vc_fqdn: "{{ glb_vc_fqdn }}"
+adminws_vc_validate_cert: true
+adminws_vc_credfile: "credential.yaml"
+adminws_vc_credentry: "{{ glb_vc_credentry }}"
+adminws_vc_datacenter: "{{ glb_vc_datacenter }}"
+adminws_vc_datastore: "{{ glb_vc_datastore }}"
+adminws_vc_cluster: "{{ glb_vc_cluster }}"
+adminws_vc_network: "{{ glb_vc_network }}" # VM Network
+adminws_vc_folder: "{{ glb_vc_folder }}" # optional
+adminws_vc_respool: "{{ glb_vc_respool }}" # if default resourcePool use <adminws_vc_cluster>/Resources
+adminws_vc_cacertpath: "{{ yamldestpath }}/vcenter.pem"
+adminws_datadiskname: "{{ adminws_name }}-data-disk/{{ adminws_name }}-data-disk.vmdk"
+
+# Networking
+adminws_nw_ipallocmode: "static" # dhcp or static
+adminws_nw_ip: "10.20.0.39" # IP address of VM
+adminws_nw_gw: "10.20.0.1" # gateway
+adminws_nw_nm: "255.255.255.0" # netmask 255.255.255.0 or similar
+adminws_nw_dns: "{{ glb_dns }}" # list from group_vars/all
+adminws_ntp: "{{ glb_ntp[0] }}" # only one can be set default ntp.ubuntu.com
+
+adminws_skipvalidations: ""
+# adminws_skipvalidations: "--skip-validation"
+
+# Optional - when using private artifact repository
+private_download_base: "{{ glb_private_download_base }}"
+private_download_auth_header: "{{ glb_private_download_auth_header }}"

tools/anthosvmware-ansible-module/inventory/site-a/group_vars/all.yml

@@ -0,0 +1,56 @@
+# Copyright 2022 Google LLC
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# 
+#     http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# vSphere parameters - shared by the admin and user clusters
+glb_vc_fqdn: '{{ lookup("env", "VMWARE_HOST") }}'
+glb_vc_username: '{{ lookup("env", "VMWARE_USER") }}'
+glb_vc_password: '{{ lookup("env", "VMWARE_PASSWORD") }}'
+glb_vc_credfile: "credential.yaml"
+glb_vc_credentry: "vCenter"
+glb_vc_datacenter: "dc.anthoslab.gke"
+glb_vc_datastore: "vm-data"
+glb_vc_cluster: "cluster.anthoslab.gke"
+glb_vc_network: "VM Network"
+glb_vc_folder: "user" # optional
+glb_vc_respool: "cluster.anthoslab.gke/Resources" # if default resourcePool use <adminws_vc_cluster>/Resources
+glb_vc_cacertpath: "/home/ubuntu/vcenter.pem"
+
+# networking
+glb_dns: ["10.20.0.5"] # list
+glb_dns_searchdomains: [""] # list
+glb_proxyurl: "" # optional used by admin workstation, admin and user clusters
+glb_noproxy: ""
+glb_ntp: ["ntp.ubuntu.com"] # list
+
+# GCP
+sakeyfolder_base: "/home/ubuntu/sakeys"
+glb_anthos_version: "1.11.1-gke.53" # The Anthos version that will be used across the admin workstation, admin cluster, and user cluster installs
+glb_major_version: "{{ glb_anthos_version | regex_search('[\\d]\\.[\\d]+') }}"
+
+# Optional - when using private container registry
+glb_privatereg_url: '{{ lookup("env", "PRIV_REG_ADDRESS") }}' # fqdn and repo_name (ie, artifactory.domain.com/repo_name)
+glb_privatereg_cacertfile: '{{ lookup("env", "PRIV_REG_CA_FILE") }}' # The CA certificate for this registry, will be copied to  glb_privatereg_cacertpath
+glb_privatereg_cacertpath: "ca.crt" # The absolute or relative path where CA certificate stored for this registry
+glb_privatereg_cacerturl: "" # if you want to download the cert for url, specify here
+glb_privatereg_username: '{{ lookup("env", "PRIV_REG_USERNAME") }}'
+glb_privatereg_password: '{{ lookup("env", "PRIV_REG_PASSWORD") }}' # API token or password
+glb_privatereg_email: '{{ lookup("env", "PRIV_REG_EMAIL") }}'
+
+# Optional - when using private artifact repository
+glb_private_download_base: '{{ lookup("env", "ARTIFACT_HOST") }}'
+glb_private_download_username: '{{ lookup("env", "ARTIFACT_USERNAME") }}'
+glb_private_download_enc_pass: '{{ lookup("env", "ARTIFACT_ENC_PASS") }}'
+glb_private_download_api_token: '{{ lookup("env", "ARTIFACT_API_TOKEN") }}'
+glb_private_download_auth_header: "{{ 'Bearer ' + glb_private_download_api_token if glb_private_download_api_token|length > 2 else 'Basic ' + ([glb_private_download_username, glb_private_download_enc_pass] | join(':') | b64encode) }}"