Merge pull request #212 from RedHat-EMEA-SSA-Team/devel

Next release 2022-06-19 - merge devel into master
RedHat-EMEA-SSA-Team · Jun 19, 2022 · e8024b4 · e8024b4
2 parents 0b9aa15 + aefb981
commit e8024b4
Show file tree

Hide file tree

Showing 52 changed files with 300 additions and 155 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,5 @@
 cluster.yml
 .DS_Store
 certificate/
+ansible-navigator.log
+context/
diff --git a/README.md b/README.md
@@ -1,5 +1,3 @@
-### 🚨 Warning: Installation on Centos 8 Stream might fail due to issue [#205](https://github.com/RedHat-EMEA-SSA-Team/hetzner-ocp4/issues/205)
-
 # Disclaimer
 This environment has been created for the sole purpose of providing an easy to deploy and consume a Red Hat OpenShift Container Platform 4 environment *as a sandpit*.
 
@@ -63,32 +61,39 @@ subscription-manager register
 
 # get pool id via:
 # subscription-manager list --available
-
-subscription-manager attach --pool=...
+subscription-manager attach [--auto] --pool=...
 
 subscription-manager repos --disable=*
 
 subscription-manager repos \
     --enable=rhel-8-for-x86_64-baseos-rpms \
     --enable=rhel-8-for-x86_64-appstream-rpms \
     --enable=rhel-8-for-x86_64-highavailability-rpms \
-    --enable=ansible-2.9-for-rhel-8-x86_64-rpms \
-    --enable=openstack-15-for-rhel-8-x86_64-rpms
-```
+    --enable=ansible-automation-platform-2.1-for-rhel-8-x86_64-rpms
+
 
-## In case of CentOS Stream 8 🚨 currently broken due to issue [#205](https://github.com/RedHat-EMEA-SSA-Team/hetzner-ocp4/issues/205)
+yum install -y ansible-navigator git podman
 
-Enable ansible repo:
 ```
-yum install -y centos-release-ansible-29.noarch
+
+## In case of Rocky Linux 8 or Centos 8
+
+Ansible navigator installation based on the upstream [documentation](https://ansible-navigator.readthedocs.io/en/latest/installation/#install-ansible-navigator).
+
+```bash
+dnf install -y python3-pip podman git
+python3 -m pip install ansible-navigator --user
+echo 'export PATH=$HOME/.local/bin:$PATH' >> ~/.profile
+source ~/.profile
+
 ```
 
 ## Initialize tools
 
-Install ansible (min version 2.9) and git
 
 ```
-yum install -y ansible git
+ssh-keygen
+cat ~/.ssh/*.pub >> ~/.ssh/authorized_keys
 ```
 
 You are now ready to clone this project to your CentOS system.
@@ -206,8 +211,8 @@ Please configure in `cluster.yml` all necessary credentials:
 ## Prepare kvm-host and install OpenShift
 
 ```
-[root@server ~]# cd hetzner-ocp4
-[root@server ~]# ansible-playbook ./ansible/setup.yml
+cd hetzner-ocp4
+ansible-navigator run -m stdout ./ansible/setup.yml
 ```
 
 # Additional documentation
@@ -228,10 +233,22 @@ Please configure in `cluster.yml` all necessary credentials:
 | Problem | Command |
 |---|---|
 |Check haproxy connections| ```podman exec -ti openshift-4-loadbalancer-${cluster_name} ./watch-stats.sh```
-|Start cluster after reboot|```./ansible/04-start-cluster.yml```
+|Start cluster after reboot|```ansible-navigator run -m stdout ./ansible/04-start-cluster.yml```
+
+
+# Build / Development
 
+## Build ansible execution enviorment
 
+```bash
+ansible-builder build \
+    --container-runtime podman \
+    --tag quay.io/redhat-emea-ssa-team/hetzner-ocp4-ansible-ee:devel
+
+podman push quay.io/redhat-emea-ssa-team/hetzner-ocp4-ansible-ee:devel
+```
 
 # Stargazers over time
 
 [![Stargazers over time](https://starchart.cc/RedHat-EMEA-SSA-Team/hetzner-ocp4.svg)](https://starchart.cc/RedHat-EMEA-SSA-Team/hetzner-ocp4)
+
diff --git a/ansible-navigator.yaml b/ansible-navigator.yaml
@@ -0,0 +1,12 @@
+---
+ansible-navigator:
+  execution-environment:
+    container-options:
+    - --net=host
+    image: quay.io/redhat-emea-ssa-team/hetzner-ocp4-ansible-ee:master
+  logging:
+    level: critical
+  mode: stdout
+  playbook-artifact:
+    enable: true
+    save-as: /tmp/hetzner-ocp4-{playbook_name}-artifact-{ts_utc}.json
diff --git a/ansible.cfg b/ansible.cfg
@@ -22,13 +22,12 @@ gathering = smart
 # fact_caching = jsonfile
 # fact_caching_connection = $HOME/ansible/facts
 # fact_caching_timeout = 600
-callback_whitelist = profile_tasks
 inventory_ignore_extensions = secrets.py, .pyc, .cfg, .crt, .ini
 # work around privilege escalation timeouts in ansible:
 timeout = 30
 
 # Uncomment to use the provided example inventory
-#inventory = inventory/hosts.example
+inventory = inventory/hosts.yaml
 
 # Additional ssh options for OpenShift Ansible
 [ssh_connection]

diff --git a/ansible/00-provision-hetzner.yml b/ansible/00-provision-hetzner.yml
@@ -1,4 +1,3 @@
-#!/usr/bin/env ansible-playbook
 ---
 
 - name: Build inventory

diff --git a/ansible/01-prepare-host.yml b/ansible/01-prepare-host.yml
@@ -1,6 +1,5 @@
-#!/usr/bin/env ansible-playbook
 ---
-- hosts: localhost
+- hosts: host
   vars_files:
   - ../cluster.yml
   tasks:

diff --git a/ansible/02-create-cluster.yml b/ansible/02-create-cluster.yml
@@ -1,8 +1,6 @@
-#!/usr/bin/env ansible-playbook
 ---
 # If you like to play: ./ansible/create.yml --skip-tags public_dns,letsencrypt
-- hosts: localhost
-  connection: local
+- hosts: host
   # gather_facts true because we need the public ip address
   gather_facts: true
   vars_files:

diff --git a/ansible/03-stop-cluster.yml b/ansible/03-stop-cluster.yml
@@ -1,8 +1,6 @@
-#!/usr/bin/env ansible-playbook
 ---
 # If you like to play: ./ansible/create.yml --skip-tags public_dns,letsencrypt
-- hosts: localhost
-  connection: local
+- hosts: host
   # gather_facts true because we need the public ip address
   gather_facts: true
   vars_files:

diff --git a/ansible/04-start-cluster.yml b/ansible/04-start-cluster.yml
@@ -1,8 +1,6 @@
-#!/usr/bin/env ansible-playbook
 ---
 # If you like to play: ./ansible/create.yml --skip-tags public_dns,letsencrypt
-- hosts: localhost
-  connection: local
+- hosts: host
   # gather_facts true because we need the public ip address
   gather_facts: true
   vars_files:

diff --git a/ansible/99-destroy-cluster.yml b/ansible/99-destroy-cluster.yml
@@ -1,9 +1,7 @@
-#!/usr/bin/env ansible-playbook
 ---
 # If you like to play: ./ansible/destroy.yml --skip-tags public_dns,letsencrypt
 
-- hosts: localhost
-  connection: local
+- hosts: host
   gather_facts: true
   vars_files:
     - ../cluster.yml

diff --git a/ansible/add-on-roles/cluster-entitlement/tasks/entitlement-from-rhel-node.yaml b/ansible/add-on-roles/cluster-entitlement/tasks/entitlement-from-rhel-node.yaml
@@ -31,7 +31,8 @@
   register: register_entitlement_base64
 
 - name: Apply entitle machineconfig
-  k8s:
+  delegate_to: localhost
+  kubernetes.core.k8s:
     state: present
     kubeconfig: "{{ k8s_kubeconfig }}"
     host: "{{ k8s_host }}"

diff --git a/ansible/add-on-roles/cluster-entitlement/tasks/post-install.yaml b/ansible/add-on-roles/cluster-entitlement/tasks/post-install.yaml
@@ -4,5 +4,5 @@
     msg: "Run cluster entitlement against {{ kubeconfig }}"
 
 - name: "Include entitlement-from-rhel-node.yaml"
-  include: "entitlement-from-rhel-node.yaml"
+  include_tasks: "entitlement-from-rhel-node.yaml"
   when: ansible_distribution  == "RedHat"
diff --git a/ansible/add-on-roles/ntp/tasks/post-install.yml b/ansible/add-on-roles/ntp/tasks/post-install.yml
@@ -8,7 +8,8 @@
   register: register_encoded_chrony_conf
 
 - name: Apply NTP machineconfig
-  k8s:
+  delegate_to: localhost
+  kubernetes.core.k8s:
     state: present
     kubeconfig: "{{ k8s_kubeconfig }}"
     host: "{{ k8s_host }}"

diff --git a/ansible/add-on-roles/web-terminal/tasks/post-install.yml b/ansible/add-on-roles/web-terminal/tasks/post-install.yml
@@ -1,7 +1,8 @@
 ---
 
 - name: Apply web-terminal subscription
-  k8s:
+  delegate_to: localhost
+  kubernetes.core.k8s:
     state: present
     kubeconfig: "{{ k8s_kubeconfig }}"
     host: "{{ k8s_host }}"

diff --git a/ansible/renewal-certificate.yml b/ansible/renewal-certificate.yml
@@ -1,6 +1,5 @@
-#!/usr/bin/env ansible-playbook
 ---
-- hosts: localhost
+- hosts: host
   vars_files:
   - ../cluster.yml
   tasks:

diff --git a/ansible/roles/letsencrypt/tasks/create-digitalocean.yml b/ansible/roles/letsencrypt/tasks/create-digitalocean.yml
@@ -1,6 +1,7 @@
 ---
 
 - name: Create DNS record at DigitalOcean
+  delegate_to: localhost
   community.digitalocean.digital_ocean_domain_record:
     oauth_token: "{{ digitalocean_token }}"
     state: present

diff --git a/ansible/roles/letsencrypt/tasks/create-hetzner.yml b/ansible/roles/letsencrypt/tasks/create-hetzner.yml
@@ -1,6 +1,7 @@
 ---
 
 - name: Get DNS zone id at Hetzner
+  delegate_to: localhost
   uri:
     url: "https://dns.hetzner.com/api/v1/zones"
     body_format: json
@@ -13,6 +14,7 @@
   register: le_hetzner_zone_id
 
 - name: Create letsencrypt DNS record at Hetzner
+  delegate_to: localhost
   uri:
     url: "https://dns.hetzner.com/api/v1/records"
     method: POST

diff --git a/ansible/roles/letsencrypt/tasks/destroy-digitalocean.yml b/ansible/roles/letsencrypt/tasks/destroy-digitalocean.yml
@@ -1,6 +1,7 @@
 ---
 
 - name: Destroy DNS record at DigitalOcean
+  delegate_to: localhost
   community.digitalocean.digital_ocean_domain_record:
     oauth_token: "{{ digitalocean_token }}"
     state: absent

diff --git a/ansible/roles/letsencrypt/tasks/destroy-hetzner.yml b/ansible/roles/letsencrypt/tasks/destroy-hetzner.yml
@@ -1,5 +1,6 @@
 ---
 - name: Delete DNS record at Hetzner
+  delegate_to: localhost
   uri:  # noqa no-handler
     url: "https://dns.hetzner.com/api/v1/records/{{ item.json.record.id }}"
     method: DELETE

diff --git a/ansible/roles/letsencrypt/tasks/main.yml b/ansible/roles/letsencrypt/tasks/main.yml
@@ -56,6 +56,7 @@
   when: sample_com_challenge is changed
 
 - name: Create DNS record at CloudFlare
+  delegate_to: localhost
   cloudflare_dns:
     zone: "{{ le_cloudflare_zone }}"
     record: "{{ item.0.key }}"
@@ -70,6 +71,7 @@
   when: le_dns_provider == "cloudflare" and sample_com_challenge is changed
 
 - name: Create DNS record at Route53
+  delegate_to: localhost
   route53:
     state: present
     zone: "{{ le_aws_zone }}"
@@ -85,6 +87,7 @@
   when: le_dns_provider == "route53" and sample_com_challenge is changed
 
 - name: Create DNS record at GCP
+  delegate_to: localhost
   gcp_dns_resource_record_set:
     name: "{{ item.0.key }}."
     type: TXT
@@ -103,6 +106,7 @@
   when: le_dns_provider == "gcp" and sample_com_challenge is changed
 
 - name: Create DNS record at Azure
+  delegate_to: localhost
   azure_rm_dnsrecordset:
     client_id: "{{ le_azure_client_id }}"
     secret: "{{ le_azure_secret }}"
@@ -121,6 +125,7 @@
   when: le_dns_provider == "azure" and sample_com_challenge is changed
 
 - name: Create DNS record at TransIP
+  delegate_to: localhost
   uri:
     url: "https://api.transip.nl/v6/domains/{{ transip_zone }}/dns"
     method: POST
@@ -145,7 +150,7 @@
   when: sample_com_challenge is changed
 
 - name: Include DNS provider
-  include: "create-{{ le_dns_provider }}.yml"
+  include_tasks: "create-{{ le_dns_provider }}.yml"
   when:
     - le_dns_provider in ['hetzner', 'digitalocean']
     - sample_com_challenge is changed
@@ -171,6 +176,7 @@
   when: sample_com_challenge is changed
 
 - name: Delete DNS record at CloudFlare
+  delegate_to: localhost
   cloudflare_dns:
     zone: "{{ le_cloudflare_zone }}"
     record: "{{ item.0.key }}"
@@ -185,6 +191,7 @@
   when: le_dns_provider == "cloudflare" and sample_com_challenge is changed
 
 - name: Delete DNS record at Route53
+  delegate_to: localhost
   route53:
     state: absent
     zone: "{{ le_aws_zone }}"
@@ -200,6 +207,7 @@
   when: le_dns_provider == "route53" and sample_com_challenge is changed
 
 - name: Delete DNS record at GCP
+  delegate_to: localhost
   gcp_dns_resource_record_set:
     name: "{{ item.0.key }}."
     managed_zone:
@@ -218,6 +226,7 @@
   when: le_dns_provider == "gcp" and sample_com_challenge is changed
 
 - name: Delete DNS record at Azure
+  delegate_to: localhost
   azure_rm_dnsrecordset:
     client_id: "{{ le_azure_client_id }}"
     secret: "{{ le_azure_secret }}"
@@ -233,6 +242,7 @@
   when: le_dns_provider == "azure" and sample_com_challenge is changed
 
 - name: Delete DNS record at TransIP
+  delegate_to: localhost
   uri:
     url: "https://api.transip.nl/v6/domains/{{ transip_zone }}/dns"
     method: DELETE
@@ -251,7 +261,7 @@
   when: le_dns_provider == "transip" and sample_com_challenge is changed
 
 - name: Include DNS provider
-  include: "destroy-{{ le_dns_provider }}.yml"
+  include_tasks: "destroy-{{ le_dns_provider }}.yml"
   when:
     - le_dns_provider in ['hetzner', 'digitalocean']
     - sample_com_challenge is changed

diff --git a/ansible/roles/openshift-4-cluster/defaults/main.yml b/ansible/roles/openshift-4-cluster/defaults/main.yml
@@ -1,7 +1,7 @@
 ---
 
 openshift_install_dir: "{{ playbook_dir }}/../{{ cluster_name }}"
-ssh_public_key_location: /root/.ssh/id_rsa
+ssh_public_key_location: ~/.ssh/id_rsa
 
 vn_subnet: "192.168.50.0"
 vn_name: "openshift-4-cluster"
@@ -12,8 +12,8 @@ vn_public_domain: "h42.openshift.pub"
 ip_families:
   - IPv4
 
-listen_address: "{{ hostvars['localhost']['ansible_default_ipv4']['address'] | default('') }}"
-listen_address_ipv6: "{{ hostvars['localhost']['ansible_default_ipv6']['address'] | default('') }}"
+listen_address: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] | default('') }}"
+listen_address_ipv6: "{{ hostvars[inventory_hostname]['ansible_default_ipv6']['address'] | default('') }}"
 
 # Default: qcow2
 # For more performance use LVM
@@ -42,7 +42,7 @@ vm_autostart: false
 # Important: OpenShift version must match to RHEL CoreOS version!
 
 # reference to OpenShift version
-openshift_version: 4.9.5
+openshift_version: 4.10.16
 openshift_install_command: "/opt/openshift-install-{{ openshift_version }}/openshift-install"
 # dev-pre:
 # {{ openshift_mirror }}/pub/openshift-v4/clients/ocp-dev-preview
@@ -59,7 +59,7 @@ opm_download_url: "{{ openshift_location }}/opm-linux-{{ opm_version }}.tar.gz"
 opm_dest: "/opt/openshift-client-{{ openshift_client_version }}/"
 
 # reference to coreos qcow file
-coreos_version: 4.9.0
+coreos_version: 4.10.3
 coreos_download_url: "{{ openshift_mirror }}/pub/openshift-v4/dependencies/rhcos/{{ coreos_version.split('.')[:2]|join('.') }}/{{ coreos_version }}/rhcos-{{coreos_version}}-x86_64-qemu.x86_64.qcow2.gz"  # noqa line-length
 coreos_csum_url: "{{ openshift_mirror }}/pub/openshift-v4/dependencies/rhcos/{{ coreos_version.split('.')[:2]|join('.') }}/{{ coreos_version }}/sha256sum.txt"  # noqa line-length