Merge pull request #15 from pyToshka/master

Sync

.gitignore

@@ -1,3 +1,4 @@
 .vagrant/
 *.retry
 .idea/
+examples/

ansible/clone.yml

@@ -7,9 +7,9 @@
         name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
     - name: Pre-requisite packages
       package:
-        name: "{{ item }}"
+        name: "{{ package_item }}"
         state: latest
-      with_items:
+      loop:
         - git
         - bash-completion
         - net-tools
@@ -18,6 +18,9 @@
         - ansible
         - htop
         - podman
+      loop_control:
+        loop_var: package_item
+
     - name: Clone OpenShift Ansible git repo
       git:
         repo: https://github.com/openshift/openshift-ansible

ansible/inventory

@@ -59,7 +59,7 @@ openshift_persistentlocalstorage_provisionner_image=quay.io/external_storage/loc
 
 # If use only cri-o runtime this must be commented
 # openshift_node_groups=[{'name': 'node-config-all-in-one', 'labels': ['node-role.kubernetes.io/master=true', 'node-role.kubernetes.io/infra=true', 'node-role.kubernetes.io/compute=true']}]
-openshift_node_groups=[{'name': 'node-config-all-in-one-crio', 'labels': ['node-role.kubernetes.io/master=true', 'node-role.kubernetes.io/infra=true', 'node-role.kubernetes.io/compute=true', 'zone=dev'], 'edits': [{'key': 'kubeletArguments.container-runtime', 'value': ['remote']}, {'key': 'kubeletArguments.container-runtime-endpoint', 'value': ['/var/run/crio/crio.sock']}, {'key': 'kubeletArguments.image-service-endpoint', 'value': ['/var/run/crio/crio.sock']}, {'key': 'kubeletArguments.runtime-request-timeout', 'value': ['10m']}]}]
+openshift_node_groups=[{'name': 'node-config-all-in-one-crio', 'labels': ['node-role.kubernetes.io/master=true', 'node-role.kubernetes.io/infra=true', 'node-role.kubernetes.io/compute=true', 'zone=dev'], 'edits': [{'key': 'kubeletArguments.container-runtime', 'value': ['remote']}, {'key': 'kubeletArguments.container-runtime-endpoint', 'value': ['unix:///var/run/crio/crio.sock']}, {'key': 'kubeletArguments.image-service-endpoint', 'value': ['unix:///var/run/crio/crio.sock']}, {'key': 'kubeletArguments.runtime-request-timeout', 'value': ['10m']}]}]
 
 # host group for masters
 [masters]

ansible/roles/openshift/tasks/main.yml

@@ -1,8 +1,12 @@
 ---
-
 - block:
-  - name: Post installation bespoking
-    include: postinstall.yml
+  - name: Post installation
+    include: "{{ include_item }}"
+    loop:
+      - postinstall.yml
+      - servicemesh.yml
+    loop_control:
+      loop_var: include_item
 
   environment:
     PATH: "{{ ansible_env.PATH }}:/usr/local/bin/"

ansible/roles/openshift/tasks/postinstall.yml

@@ -2,11 +2,12 @@
 - name: EPEL
   yum:
     name: "https://dl.fedoraproject.org/pub/epel/epel-release-latest-{{ ansible_distribution_major_version }}.noarch.rpm"
+
 - name: Pre-requisite packages
   package:
-    name: "{{ item }}"
+    name: "{{ package_item }}"
     state: latest
-  with_items:
+  loop:
     - bash-completion
     - libnfsidmap
     - net-tools
@@ -16,6 +17,8 @@
     - tcpdump
     - wget
     - python-passlib
+  loop_control:
+    loop_var: package_item
 
 - name: Add developer user to htpasswd
   htpasswd:
@@ -28,24 +31,28 @@
 
 - name: Start NFS server services
   service:
-    name: "{{ item }}"
+    name: "{{ service_item }}"
     state: started
     enabled: yes
-  with_items:
+  loop:
     - rpcbind
     - nfs-server
     - rpc-statd
     - nfs-idmapd
+  loop_control:
+    loop_var: service_item
 
 - name: Make root directory for NFS share
   file:
-    path: "{{ item }}"
+    path: "{{ file_item }}"
     state: directory
     owner: root
     group: root
     mode: 0755
-  with_items:
+  loop:
     - "{{ nfs_root | default('/nfsshare') }}"
+  loop_control:
+    loop_var: file_item
 
 - name: Make directories for each persistent volume
   file:
@@ -85,3 +92,20 @@
     name: '*' 
     state: latest 
     update_cache: yes
+
+- name: Add ASB repository
+  yum_repository:
+    name: asb
+    description: asb repository
+    baseurl: https://copr-be.cloud.fedoraproject.org/results/@ansible-service-broker/ansible-service-broker-latest/epel-7-$basearch/
+    gpgcheck: no
+
+- name: Install CLI tools for work with brokers
+  package:
+    name: "{{ package_cli_item }}"
+    state: latest
+  loop:
+    - apb
+    - svcat
+  loop_control:
+    loop_var: package_cli_item

ansible/roles/openshift/tasks/servicemesh.yml

@@ -0,0 +1,66 @@
+---
+- name: Backup master config file
+  copy:
+    src: /etc/origin/master/master-config.yaml
+    dest: /etc/origin/master/master-config.yaml.prepatch
+    remote_src: yes
+
+- name: Patch and enable new config master-config
+  shell: oc ex config patch /etc/origin/master/master-config.yaml.prepatch -p "$(cat /vagrant/ansible/roles/openshift/templates/{{ item }})" > /etc/origin/master/master-config.yaml
+  loop:
+    - master-config.patch
+
+- name: Reboot services
+  command: /usr/local/bin/master-restart "{{ service_item }}"
+  loop:
+     - api
+     - controllers
+  loop_control:
+    loop_var: service_item
+
+- name: Create config file for elasticsearch
+  file: 
+    dest: /etc/sysctl.d/99-elasticsearch.conf
+    state: touch
+
+- name: Add configuration
+  lineinfile:
+    dest: /etc/sysctl.d/99-elasticsearch.conf
+    line: vm.max_map_count = 262144
+
+- name: Set new value for max count
+  command: sysctl vm.max_map_count=262144
+
+- name: Login with cluster-admin
+  shell: oc login -u system:admin
+  retries: 10
+  delay: 5
+  register: task_result
+  until: task_result.rc == 0
+
+- name: Give cluster-admin role to user admin
+  shell: oc adm policy add-cluster-role-to-user cluster-admin admin
+
+- name: Login with cluster-admin
+  shell: oc login -u admin -p admin
+  retries: 10
+  delay: 5
+  register: task_result
+  until: task_result.rc == 0
+
+- name: Create new project
+  shell: oc new-project istio-operator
+
+- name: Create istio operator
+  shell: oc new-app -f "{{ operator_item }}" --param=OPENSHIFT_ISTIO_MASTER_PUBLIC_URL={{ master_route }}.{{ machine_ip }}.nip.io:8443
+  loop: 
+    - /vagrant/ansible/roles/openshift/templates/istio_operator.yaml
+  loop_control:
+    loop_var: operator_item
+
+- name: Deploy the Istio service mesh
+  shell: oc create -f "{{ istio_item }}"
+  loop:
+    - /vagrant/ansible/roles/openshift/templates/cr_full.yaml
+  loop_control:
+    loop_var: istio_item

ansible/roles/openshift/templates/cr_full.yaml

@@ -0,0 +1,29 @@
+apiVersion: "istio.openshift.com/v1alpha1"
+kind: "Installation"
+metadata:
+  name: "istio-installation"
+  namespace: istio-operator
+spec:
+  deployment_type: origin
+  istio:
+    authentication: true
+    community: false
+    prefix: maistra/
+    version: 0.6.0
+  jaeger:
+    prefix: jaegertracing/
+    version: 1.8
+    elasticsearch_memory: 1Gi
+  kiali:
+    username: admin
+    password: admin
+    prefix: kiali/
+    version: v0.11.0
+  launcher:
+    openshift:
+      user: admin
+      password: admin
+    catalog:
+      filter: booster.mission.metadata.istio
+      branch: v71
+      repo: https://github.com/fabric8-launcher/launcher-booster-catalog.git

ansible/roles/openshift/templates/istio_operator.yaml

@@ -0,0 +1,138 @@
+apiVersion: v1
+kind: Template
+metadata:
+  name: istio-operator-job
+parameters:
+- displayName: Master Public URL
+  description: The public URL for master
+  name: OPENSHIFT_ISTIO_MASTER_PUBLIC_URL
+  value: https://127.0.0.1:8443
+- displayName: OpenShift Release
+  description: The version of the OpenShift release.
+  name: OPENSHIFT_RELEASE
+  value: v3.11.0
+  required: true
+- displayName: Istio Operator Namespace
+  description: The namespace for the Istio operator
+  name: OPENSHIFT_ISTIO_OPERATOR_NAMESPACE
+  value: istio-operator
+  required: true
+- displayName: Default Prefix
+  description: The default image prefix for istio deployments
+  name: OPENSHIFT_ISTIO_PREFIX
+  value: maistra/
+- displayName: Default Version
+  description: The default image version for istio deployments
+  name: OPENSHIFT_ISTIO_VERSION
+  value: 0.6.0
+- displayName: Default Deployment Type
+  description: The default deployment type for istio deployments
+  name: OPENSHIFT_DEPLOYMENT_TYPE
+  value: origin
+objects:
+- kind: CustomResourceDefinition
+  apiVersion: apiextensions.k8s.io/v1beta1
+  metadata:
+    name: installations.istio.openshift.com
+  spec:
+    group: istio.openshift.com
+    names:
+      kind: Installation
+      plural: installations
+      singular: installation
+    scope: Namespaced
+    version: v1alpha1
+- kind: Role
+  apiVersion: rbac.authorization.k8s.io/v1
+  metadata:
+    name: istio-operator
+  rules:
+  - apiGroups:
+    - istio.openshift.com
+    resources:
+    - "*"
+    verbs:
+    - "*"
+  - apiGroups:
+    - ""
+    resources:
+    - pods
+    - services
+    - endpoints
+    - persistentvolumeclaims
+    - events
+    - configmaps
+    - secrets
+    - securitycontextconstraints
+    verbs:
+    - "*"
+  - apiGroups:
+    - apps
+    resources:
+    - deployments
+    - daemonsets
+    - replicasets
+    - statefulsets
+    verbs:
+    - "*"
+- kind: RoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1
+  metadata:
+    name: default-account-istio-operator
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${OPENSHIFT_ISTIO_OPERATOR_NAMESPACE}
+    name: default
+  roleRef:
+    kind: Role
+    name: istio-operator
+    apiGroup: rbac.authorization.k8s.io
+- kind: ClusterRoleBinding
+  apiVersion: rbac.authorization.k8s.io/v1
+  metadata:
+    name: default-account-istio-operator-cluster-role-binding
+  subjects:
+  - kind: ServiceAccount
+    namespace: ${OPENSHIFT_ISTIO_OPERATOR_NAMESPACE}
+    name: default
+  roleRef:
+    kind: ClusterRole
+    name: cluster-admin
+    apiGroup: rbac.authorization.k8s.io
+- kind: Deployment
+  apiVersion: apps/v1
+  metadata:
+    name: istio-operator
+    namespace: ${OPENSHIFT_ISTIO_OPERATOR_NAMESPACE}
+  spec:
+    replicas: 1
+    selector:
+      matchLabels:
+        name: istio-operator
+    template:
+      metadata:
+        labels:
+          name: istio-operator
+      spec:
+        containers:
+          - name: istio-operator
+            image: ${OPENSHIFT_ISTIO_PREFIX}istio-operator-centos7:${OPENSHIFT_ISTIO_VERSION}
+            ports:
+            - containerPort: 60000
+              name: metrics
+            command:
+            - istio-operator
+            args:
+            - "--release=${OPENSHIFT_RELEASE}"
+            - "--masterPublicURL=${OPENSHIFT_ISTIO_MASTER_PUBLIC_URL}"
+            - "--istioPrefix=${OPENSHIFT_ISTIO_PREFIX}"
+            - "--istioVersion=${OPENSHIFT_ISTIO_VERSION}"
+            - "--deploymentType=${OPENSHIFT_DEPLOYMENT_TYPE}"
+            imagePullPolicy: IfNotPresent
+            env:
+              - name: WATCH_NAMESPACE
+                valueFrom:
+                  fieldRef:
+                    fieldPath: metadata.namespace
+              - name: OPERATOR_NAME
+                value: "istio-operator"

ansible/roles/openshift/templates/master-config.patch

@@ -0,0 +1,12 @@
+admissionConfig:
+  pluginConfig:
+    MutatingAdmissionWebhook:
+      configuration:
+        apiVersion: apiserver.config.k8s.io/v1alpha1
+        kubeConfigFile: /dev/null
+        kind: WebhookAdmission
+    ValidatingAdmissionWebhook:
+      configuration:
+        apiVersion: apiserver.config.k8s.io/v1alpha1
+        kubeConfigFile: /dev/null
+        kind: WebhookAdmission