Merge branch 'main' into I759_PVC_Storage_Tower_OCP

redhat-cop · Mar 17, 2021 · 58674d3 · 58674d3
2 parents abcf48e + 259e8ca
commit 58674d3
Show file tree

Hide file tree

Showing 6 changed files with 180 additions and 59 deletions.
diff --git a/playbooks/ansible/tower/configure-ansible-tower.yml b/playbooks/ansible/tower/configure-ansible-tower.yml
@@ -13,6 +13,16 @@
   - 'never'
   - 'install'
 
+- hosts: ansible-tower
+  roles:
+  - role: ansible/tower/config-ansible-tower-ocp
+  - role: ansible/tower/config-ansible-tower-subscription-manifest
+  - role: ansible/tower/config-ansible-tower-ocp-ssh
+  - role: ansible/tower/config-ansible-tower-ldap
+  tags:
+  - 'never'
+  - 'install-tower-ocp'
+
 - hosts: tower-management-host
   roles:
   - role: ansible/tower/manage-settings

diff --git a/roles/ansible/tower/config-ansible-tower-ocp-ssh/README.md b/roles/ansible/tower/config-ansible-tower-ocp-ssh/README.md
@@ -0,0 +1,46 @@
+config-ansible-tower-ocp-ssh
+============================
+
+This role is a helper for `config-ansible-tower-ocp` to create an OpenShift secret from an SSH key, and mount it as read-only in the `awx` users $HOME/.ssh folder
+
+## Requirements
+
+  - A running OpenShift Cluster and installed 'oc' client in the Ansible host
+
+
+## Role Variables
+
+The variables used to install Ansible Tower on OpenShift are outlined in the table below. 
+
+| Variable | Description | Required | Defaults |
+|:---------|:------------|:---------|:---------|
+|ocp_ssh_private_keys.src|File path to ssh private key, for example ssh_private_key.pem|yes||
+|ocp_ssh_private_keys.dest|Path where ssh private key will be mounted on the container|no|/var/lib/awx/.ssh + src \| basename|
+|ocp_ssh_private_keys.secret_project|Openshift Project for your tower deployment|no|tower|
+|ocp_ssh_private_keys.secret_name|A name for your secret|no|src \| basename|
+|ocp_ssh_private_keys.deployment_type|One of deployment or deploymentconfig|no|deployment|
+|ocp_ssh_private_keys.deployment_name|The name of the Ansible Tower deployment|no|ansible-tower|
+
+## Example Inventory
+
+```yaml
+---
+
+ocp_ssh_private_keys:
+  - src: "{{ inventory_dir }}../files/ssh_private_key.pem"
+    dest: /var/lib/awx/.ssh/ssh_private_key.pem
+    secret_project: "{{ openshift_project }}"
+    secret_name: ssh_private_key
+    deployment_type: deployment
+    deployment_name: ansible-tower
+```
+
+## Example Playbook
+
+```yaml
+---
+
+- hosts: ansible-tower
+  roles:
+  - role: config-ansible-tower-ocp-ssh
+```
diff --git a/roles/ansible/tower/config-ansible-tower-ocp-ssh/tasks/main.yml b/roles/ansible/tower/config-ansible-tower-ocp-ssh/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+
+- name: Add SSH keys to OCP as secrets and mount as volumes
+  include_tasks: ocp-process-ssh-key.yml
+  loop: "{{ ocp_ssh_private_keys }}"
+  loop_control:
+    loop_var: ssh_key
+  when:
+    - ocp_ssh_private_keys is defined
+    - (ocp_ssh_private_keys | type_debug) == 'list'
diff --git a/roles/ansible/tower/config-ansible-tower-ocp-ssh/tasks/ocp-process-ssh-key.yml b/roles/ansible/tower/config-ansible-tower-ocp-ssh/tasks/ocp-process-ssh-key.yml
@@ -0,0 +1,43 @@
+---
+
+- name: Set SSH key filename
+  set_fact:
+    ssh_key_filename: "{{ ssh_key.src | basename }}"
+    ssh_key_project: "{{ ssh_key.secret_project | default(openshift_project) | default('tower') }}"
+
+- name: Check for existing secret
+  command: |
+    oc get secret {{ ssh_key.secret_name | default('ansible-tower-ssh-key') }} \
+      -o=jsonpath='{.metadata.name}' \
+      -n {{ ssh_key_project }}
+  register: secret_check
+  failed_when: secret_check.rc > 1
+
+- name: Check for existing volume mount
+  command: |
+    oc set volume {{ ssh_key.deployment_type | default('deployment')}}/{{ ssh_key.deployment_name | default('ansible-tower') }} \
+    -n {{ ssh_key_project }}
+  register: volume_check
+
+- name: Create a generic ssh key secret from file
+  command: |
+    oc create secret generic {{ ssh_key.secret_name | default('ansible-tower-ssh-key') }} \
+      --from-file={{ ssh_key.src }} \
+      -n {{ ssh_key_project }}
+  when:
+    - secret_check.rc != 0
+
+- name: Mount generic ssh key secret
+  command: |
+    oc set volume {{ ssh_key.deployment_type | default('deployment')}}/{{ ssh_key.deployment_name | default('ansible-tower') }} \
+      --add \
+      --default-mode 0600 \
+      --read-only \
+      --secret-name {{ ssh_key.secret_name | default(ssh_key_filename) }} \
+      --type {{ ssh_key.volume_type | default('secret') }} \
+      --mount-path {{ ssh_key.dest | default('/var/lib/awx/.ssh/' + ssh_key_filename) }} \
+      --sub-path {{ ssh_key_filename }} \
+      --containers ansible-tower-task \
+      -n {{ ssh_key_project }}
+  when:
+    - ssh_key.secret_name not in volume_check.stdout
diff --git a/roles/ansible/tower/config-ansible-tower/defaults/main.yml b/roles/ansible/tower/config-ansible-tower/defaults/main.yml
@@ -3,16 +3,18 @@
 # ansible_tower_download_url: http://releases.ansible.com/ansible-tower/setup/ansible-tower-setup-latest.tar.gz
 ansible_tower_download_url: "https://releases.ansible.com/ansible-tower/setup/ansible-tower-setup-{{ ansible_tower_version }}.tar.gz"
 
-ansible_tower_version: 3.3.0-1
+ansible_tower_version: 3.8.2-1
 
-# oc clients found at 'https://mirror.openshift.com/pub/openshift-v3/clients/'
-ansible_tower_oc_download_url: https://mirror.openshift.com/pub/openshift-v3/clients/3.10.47/linux/oc.tar.gz
+# oc clients found at 'https://mirror.openshift.com/pub/openshift-v4/clients/ocp/'
+ansible_tower_oc_download_url: https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable/openshift-client-linux.tar.gz
 
 # helm clients found at 'https://github.com/helm/helm/releases'
 ansible_tower_helm_download_url: "https://get.helm.sh/helm-v3.3.1-linux-amd64.tar.gz"
 
 # EPEL release can be changed, but default to '-latest'
-ansible_tower_epel_download_url: https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+ansible_tower_epel_download_url: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+ansible_tower_epel_gpg_download_url: https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
+ansible_tower_epel_disable_gpg_check: 'no'
 
 default_ansible_tower_url: 'https://localhost'
 default_ansible_tower_admin_username: 'admin'
diff --git a/roles/ansible/tower/config-ansible-tower/tasks/install.yml b/roles/ansible/tower/config-ansible-tower/tasks/install.yml
@@ -2,67 +2,77 @@
 
 - block: # become: True
 
-  - name: "install epel-release"
-    package:
-      name: "{{ ansible_tower_epel_download_url }}"
-      state: present
+    - name: "install EPEL GPG key - if specified"
+      rpm_key:
+        key: "{{ ansible_tower_epel_gpg_download_url }}"
+        state: present
+      when:
+        - ansible_tower_epel_gpg_download_url is defined
+        - ansible_tower_epel_gpg_download_url|trim != ''
+        - ansible_tower_epel_disable_gpg_check|lower == 'no'
 
-  - name: "Download & Unpack Ansible Tower installer"
-    unarchive:
-      src: "{{ ansible_tower_download_url }}"
-      dest: "."
-      list_files: true
-      remote_src: true
-      exclude: "inventory"
-    register: ansible_tower_download_fact
+    - name: "install epel-release"
+      dnf:
+        name: "{{ ansible_tower_epel_download_url }}"
+        state: present
+        disable_gpg_check: "{{ ansible_tower_epel_disable_gpg_check | default('no') }}"
 
-  - name: "Set installation facts"
-    set_fact:
-      # The first file listed in the output of the unarchiving from downloading tower
-      # is the directory so set that as ansible_tower_dir
-      ansible_tower_dir: "{{ ansible_tower_download_fact.files.0 }}"
-      # Need to check if version 3.7 or later as we use different inventory values
-      ansible_tower_37_later: "{{ (ansible_tower_version is version(3.7, '>=')) or (ansible_tower_version == 'latest') }}"
+    - name: "Download & Unpack Ansible Tower installer"
+      unarchive:
+        src: "{{ ansible_tower_download_url }}"
+        dest: "."
+        list_files: true
+        remote_src: true
+        exclude: "inventory"
+      register: ansible_tower_download_fact
 
-  - name: "Set up the Ansible Tower inventory"
-    template:
-      src: inventory.j2
-      dest: "{{ ansible_tower_dir }}/inventory"
-    register: inventory
+    - name: "Set installation facts"
+      set_fact:
+        # The first file listed in the output of the unarchiving from downloading tower
+        # is the directory so set that as ansible_tower_dir
+        ansible_tower_dir: "{{ ansible_tower_download_fact.files.0 }}"
+        # Need to check if version 3.7 or later as we use different inventory values
+        ansible_tower_37_later: "{{ (ansible_tower_version is version(3.7, '>=')) or (ansible_tower_version == 'latest') }}"
 
-  - name: "run tower installer"
-    shell: ./setup.sh
-    args:
-      chdir: "{{ ansible_tower_dir }}"
+    - name: "Set up the Ansible Tower inventory"
+      template:
+        src: inventory.j2
+        dest: "{{ ansible_tower_dir }}/inventory"
+      register: inventory
 
-  - name: "Download and extract 'oc' client to /bin"
-    unarchive:
-      src: "{{ ansible_tower_oc_download_url }}"
-      dest: /bin
-      remote_src: True
-    when:
-    - ansible_tower_oc_download_url|trim != ''
+    - name: "run tower installer"
+      shell: ./setup.sh
+      args:
+        chdir: "{{ ansible_tower_dir }}"
 
-  - name: "Download and extract 'helm' client to a temporary location"
-    unarchive:
-      src: "{{ ansible_tower_helm_download_url }}"
-      dest: /tmp
-      remote_src: True
-      list_files: True
-    register: helm_extract
-    when:
-    - ansible_tower_helm_download_url|trim != ''
+    - name: "Download and extract 'oc' client to /bin"
+      unarchive:
+        src: "{{ ansible_tower_oc_download_url }}"
+        dest: /bin
+        remote_src: True
+      when:
+        - ansible_tower_oc_download_url|trim != ''
 
-  - name: "Move the 'helm' binary to /bin"
-    copy:
-      src: "/tmp/{{ item }}"
-      dest: /bin/
-      follow: yes
-      mode: '755'
-      remote_src: True
-    with_items: "{{ helm_extract.files | map('regex_search','.*helm') | select('string') | list }}"
-    when:
-    - ansible_tower_helm_download_url|trim != ''
-    - helm_extract.files
+    - name: "Download and extract 'helm' client to a temporary location"
+      unarchive:
+        src: "{{ ansible_tower_helm_download_url }}"
+        dest: /tmp
+        remote_src: True
+        list_files: True
+      register: helm_extract
+      when:
+        - ansible_tower_helm_download_url|trim != ''
+
+    - name: "Move the 'helm' binary to /bin"
+      copy:
+        src: "/tmp/{{ item }}"
+        dest: /bin/
+        follow: yes
+        mode: '755'
+        remote_src: True
+      with_items: "{{ helm_extract.files | map('regex_search','.*helm') | select('string') | list }}"
+      when:
+        - ansible_tower_helm_download_url|trim != ''
+        - helm_extract.files
 
   become: True