diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index f8e76ca..c8affd3 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -10,9 +10,9 @@ on: schedule: - cron: "0 5 * * 0" -defaults: - run: - working-directory: 'mtulio.okd_installer' +# defaults: + # run: + # working-directory: 'mtulio.okd_installer' jobs:
@@ -24,7 +24,7 @@ jobs: - name: Check out the codebase. uses: actions/checkout@v3 with: - path: 'mtulio.okd_installer' + # path: 'mtulio.okd_installer' submodules: recursive - name: Set up Python 3.
@@ -60,7 +60,7 @@ jobs: - name: Check out the codebase. uses: actions/checkout@v3 with: - path: 'mtulio.okd_installer' + # path: 'mtulio.okd_installer' submodules: recursive - name: Set up Python 3.
@@ -90,8 +90,8 @@ jobs: - name: Checkout uses: actions/checkout@v3 with: - path: 'mtulio.okd_installer' - fetch-depth: 5 + # path: 'mtulio.okd_installer' + # fetch-depth: 5 submodules: recursive - name: Build Collection
@@ -132,8 +132,8 @@ jobs: - name: Checkout uses: actions/checkout@v3 with: - path: 'mtulio.okd_installer' - fetch-depth: 5 + # path: 'mtulio.okd_installer' + # fetch-depth: 5 submodules: recursive - name: Download artifacts
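Review bot: The `defaults.run.working-directory` block in the -10 hunk and the `path:` entries in the hunks at -24, -60, -90 and -132 (and -232, -278, -315 on the following line) are commented out rather than removed, leaving eight copies of dead YAML that will drift as the steps around them change; git history already preserves the old layout. The functional effect is that the collection is now checked out at the workspace root and every `run:` step executes there, which is worth stating once instead of leaving it to be inferred from commented lines, e.g. above `jobs:`: `# The collection is checked out at the workspace root; no working-directory override is needed.` Suggest deleting the `# defaults:` / `# run:` / `# working-directory:` lines here and the `# path:` lines in the other hunks.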
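Review bot: Commenting out `fetch-depth: 5` in the hunks at -90 and -132 (and -232, -278, -315 on the next line) leaves actions/checkout at its default depth-1 clone, and the jobs at -278 and -315 each have a `Get version` step immediately after the checkout; if that step derives the version from git history or tags it will now see a single commit. The job bodies continue past each hunk, so this is inferred from the step names only. If the version does come from git, keep `fetch-depth: 5` (or `fetch-depth: 0` when tags are needed); otherwise a one-line comment next to the checkout saying why a shallow clone is sufficient documents the decision.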
@@ -189,16 +189,16 @@ jobs: echo "Discovered Preview URL: ${PREVIEW_URL}" echo "url=$PREVIEW_URL" >> $GITHUB_OUTPUT - # Commenting in PR - - name: Find comment - uses: peter-evans/find-comment@v2 - id: fbc - with: - issue-number: ${{ github.event.pull_request.number }} - comment-author: 'github-actions[bot]' - body-includes: '' + # Commenting in PR the build information (force to always create a comment) + # - name: Find comment + # uses: peter-evans/find-comment@v2 + # id: fbc + # with: + # issue-number: ${{ github.event.pull_request.number }} + # comment-author: 'github-actions[bot]' + # body-includes: '' - name: Create comment - if: steps.fbc.outputs.comment-id == '' + # if: steps.fbc.outputs.comment-id == '' uses: peter-evans/create-or-update-comment@v3 with: issue-number: ${{ github.event.pull_request.number }} @@ -208,19 +208,18 @@ jobs: - Container: ${{ env.IMAGE }}:${{ env.VERSION }} - Docs Preview: ${{ steps.verceldeploy.outputs.url }} reactions: rocket - - - name: Update comment - if: steps.fbc.outputs.comment-id != '' - uses: peter-evans/create-or-update-comment@v3 - with: - comment-id: ${{ steps.fbc.outputs.comment-id }} - body: | - - Artifacts built by CI: - - Container: ${{ env.IMAGE }}:${{ env.VERSION }} - - Docs Preview: ${{ steps.verceldeploy.outputs.url }} - reactions: hooray - edit-mode: replace + # - name: Update comment + # if: steps.fbc.outputs.comment-id != '' + # uses: peter-evans/create-or-update-comment@v3 + # with: + # comment-id: ${{ steps.fbc.outputs.comment-id }} + # body: | + # + # Artifacts built by CI: + # - Container: ${{ env.IMAGE }}:${{ env.VERSION }} + # - Docs Preview: ${{ steps.verceldeploy.outputs.url }} + # reactions: hooray + # edit-mode: replace # Build a container image on main branch, publishing the 'latest' to repository. publish-container-latest: 
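Review bot: With `if: steps.fbc.outputs.comment-id == ''` commented out, the `Create comment` step now runs on every execution of this job, but its `issue-number: ${{ github.event.pull_request.number }}` is only populated on pull-request events, while the workflow has at least a `schedule` trigger (first hunk of this file); on such runs the step will fail unless a job-level `if` outside this hunk already limits the job to pull requests. A direct guard on the step, `if: github.event_name == 'pull_request'`, keeps the intent explicit. The same applies to the -208 hunk, where the `Update comment` step is kept as commented YAML: with the `Find comment` step gone, those lines reference an `fbc` id that no longer exists and are better deleted than kept. The job starts before and ends after these hunks.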
@@ -232,8 +231,8 @@ jobs: - name: Checkout uses: actions/checkout@v3 with: - path: 'mtulio.okd_installer' - fetch-depth: 5 + # path: 'mtulio.okd_installer' + # fetch-depth: 5 submodules: recursive - name: Download artifacts
@@ -278,8 +277,8 @@ jobs: - name: Checkout uses: actions/checkout@v3 with: - path: 'mtulio.okd_installer' - fetch-depth: 5 + # path: 'mtulio.okd_installer' + # fetch-depth: 5 submodules: recursive - name: Get version
@@ -315,8 +314,8 @@ jobs: - name: Checkout uses: actions/checkout@v3 with: - path: 'mtulio.okd_installer' - fetch-depth: 5 + # path: 'mtulio.okd_installer' + # fetch-depth: 5 submodules: recursive - name: Get version
@@ -348,7 +347,7 @@ jobs: podman login -u="${QUAY_USER}" -p="${QUAY_PASS}" quay.io echo "> Build container image:" - podman build -t ${IMAGE}:${VERSION} -f hack/Containerfile . + podman build --build-arg=QUAY_EXPIRATION=never -t ${IMAGE}:${VERSION} -f hack/Containerfile . podman tag ${IMAGE}:${VERSION} ${IMAGE}:${VERSION_BUILD} echo "> Publish container image:"
diff --git a/.github/workflows/mock-aws.yaml b/.github/workflows/mock-aws.yaml
index e9db86f..3c3d155 100644
--- a/.github/workflows/mock-aws.yaml
+++ b/.github/workflows/mock-aws.yaml
@@ -136,7 +136,6 @@ jobs: cat ~/.ansible/okd-installer/clusters/${{ steps.vars.outputs.cluster-name }}/cluster_state.json || true cat ~/.ansible/okd-installer/clusters/${{ steps.vars.outputs.cluster-name }}install-config-bkp.yaml || true - - name: Destroy cluster (play destroy_cluster) env: VARS_FILE: "./vars-${{ steps.vars.outputs.cluster-name }}.yaml"
diff --git a/.github/workflows/site-production.yaml b/.github/workflows/site-production.yaml
index f1b8ae1..6138021 100644
--- a/.github/workflows/site-production.yaml
+++ b/.github/workflows/site-production.yaml
@@ -1,6 +1,5 @@ # Workflow for deploying static content to GitHub Pages name: github-pages - on: push: branches: ["main"]
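Review bot: `--build-arg=QUAY_EXPIRATION=never` in the -348 hunk only has an effect if `hack/Containerfile` declares `ARG QUAY_EXPIRATION` and feeds it into the `quay.expires-after` label; the Containerfile is not part of this diff, so that cannot be confirmed here, and a build arg the Containerfile does not consume is ignored by podman apart from a warning in the build log. It is also worth checking that Quay treats the literal `never` as "no expiration", since that label is normally written as a duration such as `2w`; if the goal is simply to avoid expiry, not setting the label at all is the unambiguous choice. A comment on the line, `# QUAY_EXPIRATION is consumed by hack/Containerfile to set the quay.expires-after label`, ties the two files together for the next reader. The `run:` block continues outside the hunk.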
diff --git a/docs/documentation/integrate-provider.md b/docs/documentation/integrate-provider.md new file mode 100644 index 0000000..335fdb5 --- /dev/null +++ b/docs/documentation/integrate-provider.md @@ -0,0 +1,3 @@ +# Steps to Integrate a new Provider into okd-installer + +> Placeholder diff --git a/docs/guides/AWS/aws-agnostic.md b/docs/guides/AWS/aws-agnostic.md index b938bb4..463db32 100644 --- a/docs/guides/AWS/aws-agnostic.md +++ b/docs/guides/AWS/aws-agnostic.md @@ -31,7 +31,7 @@ Create and export the environments: # OCP: https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/ DISTRIBUTION="ocp" RELEASE_REPO="quay.io/openshift-release-dev/ocp-release" -VERSION="4.13.0" +VERSION="4.14.0-rc.0" RELEASE_VERSION="${VERSION}-x86_64" PULL_SECRET_FILE="${HOME}/.openshift/pull-secret-latest.json" ``` @@ -60,7 +60,7 @@ Create the Ansible var files: ```bash -CLUSTER_NAME="aws-none05" +CLUSTER_NAME="aws-n414rc0" BASE_DOMAIN="devcluster.openshift.com" SSH_PUB_KEY="$(cat ~/.ssh/id_rsa.pub)" @@ -164,3 +164,36 @@ ansible-playbook mtulio.okd_installer.destroy_cluster \ -e provider=${CONFIG_PROVIDER} \ -e cluster_name=${CONFIG_CLUSTER_NAME} ``` + + +## Quick install 4.14 + +```bash +CLUSTER_NAME=aws-none127 +VARS_FILE=./vars-oci-ha_${CLUSTER_NAME}.yaml + +cat < ${VARS_FILE} +provider: aws +cluster_name: ${CLUSTER_NAME} +config_cluster_region: us-east-1 + +cluster_profile: ha +# destroy_bootstrap: no + +config_base_domain: devcluster.openshift.com +config_ssh_key: "$(cat ~/.ssh/openshift-dev.pub)" +config_pull_secret_file: "${HOME}/.openshift/pull-secret-latest.json" + +config_featureset: TechPreviewNoUpgrade + +config_cluster_version: 4.14.0-ec.3 +version: 4.14.0-ec.3 +EOF +``` + +```bash +ansible-playbook mtulio.okd_installer.create_all \ + -e cert_max_retries=30 \ + -e cert_wait_interval_sec=60 \ + -e @$VARS_FILE +``` \ No newline at end of file diff --git a/docs/guides/AWS/aws-sno.md b/docs/guides/AWS/aws-sno.md index 7087588..ad8450f 100644 
--- a/docs/guides/AWS/aws-sno.md +++ b/docs/guides/AWS/aws-sno.md @@ -2,9 +2,9 @@ Install a single node replica OpenShift/OKD. -The steps will create every infrastrucure stack to deploy a SNO on the AWS provider. +The steps will create every infrastrucure stack to deploy a Single Replicas OKD/OpenShift on AWS. -The infra resources created will be: +The following describes the cloud infrastructure resources created: - VPC and it's subnets on a single AZ - Security Groups @@ -14,13 +14,15 @@ The infra resources created will be: ## Deployment considerations -The deployment described in this document is introducing a more performant disk layout to avoid disruptions and concurrency between resources on the same disk (by default). The disk layout is when using EC2 instance `m6id.xlarge`: +The deployment described in this document introduces a more performant disk layout to avoid disruptions and concurrency between resources in the same disk (by default), considering the capacity isolation. + +The following disk layout is used when deploying in EC2 instance with `m6id.xlarge`: - Ephemeral disk (local storage) for `/var/lib/containers` -- Dedicated etcd EBS mounted on `/var/lib/etcd` +- Dedicated etcd mounted in `/var/lib/etcd` in the second EBS using gp3 ```text -$ cat ~/opct/results/opct-sno-aws/sno2-run-lsblk.txt +$ cat ~/results/opct-sno-aws/sno2-run-lsblk.txt NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT nvme0n1 259:0 0 128G 0 disk |-nvme0n1p1 259:4 0 1M 0 part 
@@ -34,26 +36,31 @@ nvme2n1 259:2 0 220.7G 0 disk /var/lib/containers Using this layout we decreased the amount of memory used by monitoring stack (Prometheus), and, consequently the etcd when using a single/shared-disk deployment. The API disruptions decreased drastically, allowing to use smaller instance types with 16GiB of RAM and 4 vCPU. -Steps: +> TODO add metrics/graphs from the before/after improvements. + +## Steps - Generate the SNO ignitions - Create the Stacks: Network, IAM, DNS, LB - Create the Compute with ignition +### Create the configuration variables -## Create the configuration variables +Create the okd-installer configuration: ```bash -cat < ./vars-sno.yaml +VARS_FILE=./vars-sno.yaml +cat << EOF > $VARS_FILE provider: aws cluster_name: sno-aws +version: 4.14.0-rc.0 config_base_domain: devcluster.openshift.com config_ssh_key: "$(cat ~/.ssh/id_rsa.pub)" config_pull_secret_file: ${HOME}/.openshift/pull-secret-latest.json config_cluster_region: us-east-1 -cluster_profile: sno +cluster_profile: SingleReplica create_worker: no destroy_bootstrap: no @@ -72,7 +79,7 @@ config_bootstrapinplace_disk: /dev/nvme0n1 #- t4g.xlarge: ~98/od 29/spot #- m6gd.xlarge: ~131/od ~52/spot #- r6gd.2xlaarge: ~168/od ~62/spot -controlplane_instance: m6id.xlarge +controlplane_instance: m6id.2xlarge # Patch manifests to: # 1) mount ephemeral disk on /var/lib/containers 
@@ -89,100 +96,44 @@ cfg_patch_mc_varlibcontainers: machineconfiguration_roles: - master -# TODO: create cfg for patch mc_varlibetcd to receive the disk - EOF ``` -## Client - -See [Install the Clients](./install-openshift-install.md) - -## Config - -Create the installation configuration: - -```bash -ansible-playbook mtulio.okd_installer.config \ - -e mode=create \ - -e @./vars-sno.yaml -``` - -## Deploy each stack (optional) - -> the playbook `create_all` can be used to deploy all stacks - -- Network Stack - -```bash -ansible-playbook mtulio.okd_installer.stack_network \ - -e @./vars-sno.yaml -``` - -- IAM Stack - - -```bash -ansible-playbook mtulio.okd_installer.stack_iam \ - -e @./vars-sno.yaml -``` - -- DNS Stack +Where: -```bash -ansible-playbook mtulio.okd_installer.stack_dns \ - -e @./vars-sno.yaml -``` - -- Load Balancer Stack +- `cluster_profile: sno`: ... +- `create_worker: no`: ... +- `destroy_bootstrap: no`: ... +- `config_patches`: ... +- `cfg_patch_mc_varlibcontainers`: ... 
-```bash -ansible-playbook mtulio.okd_installer.stack_loadbalancer \ - -e @./vars-sno.yaml -``` -- Compute Stack: Deploy the bootstrap node +### create cluster -- Create the Bootstrap Node +- Create cluster: ```bash -ansible-playbook mtulio.okd_installer.create_node \ - -e @./vars-sno.yaml \ - -e node_role=controlplane +ansible-playbook mtulio.okd_installer.create_all -e @$VARS_FILE ``` -## Deploy cluster - -Deploy a cluster creating all the resources with a single execution/playbook: - -> This steps will deploy all the stacks - -```bash -ansible-playbook mtulio.okd_installer.create_all \ - -e @./vars-sno.yaml -``` - -You can check when the bootstrap finished, or the Single Replica node have joined to the cluster: +- Check resources: ```bash $ KUBECONFIG=$HOME/.ansible/okd-installer/clusters/opct-sno/auth/kubeconfig oc get nodes NAME STATUS ROLES AGE VERSION ip-10-0-50-187 Ready control-plane,master,tests,worker 24m v1.25.4+77bec7a +$ KUBECONFIG=$HOME/.ansible/okd-installer/clusters/opct-sno/auth/kubeconfig oc get co ``` -The you can destroy the bootstrap node: - -> Alternatively you can opt to remove the flag `destroy_bootstrap` to your var file +- Destroy the bootstrap node: ```bash -ansible-playbook mtulio.okd_installer.destroy_bootstrap \ - -e @./vars-sno.yaml +ansible-playbook mtulio.okd_installer.destroy_bootstrap -e @$VARS_FILE ``` ## Destroy ```bash -ansible-playbook mtulio.okd_installer.destroy_cluster \ - -e @./vars-sno.yaml -``` +ansible-playbook mtulio.okd_installer.destroy_cluster -e @$VARS_FILE +``` \ No newline at end of file diff --git a/docs/guides/AWS/index.md b/docs/guides/AWS/index.md index adea6bf..faba59a 100644 --- a/docs/guides/AWS/index.md +++ b/docs/guides/AWS/index.md 
@@ -1,4 +1,20 @@ -# AWS Guides +# OKD/OCP guides for Amazon Web Services (AWS) -!!! warning "Oops... TODO / WIP page" - This page is not completed! \ No newline at end of file +!!! warning "Developer Preview" + This document is available only for development preview. + +Available guides for OKD/OCP on Amazon Web Services (AWS): + +- [Requirements](./init.md) +- [Installing a cluster quickly on OCI with platform agnostic (None)](./installing-quickly-agnostic.md) +- [AWS Single Node Openshift/OKD (SingleReplica Topology)](./aws-sno.md) + +!!! danger "Outdated documents" + The following guides could be outdated are not working with the current version. + +Review in progress: + +- [OKD Install Guide on AWS provider with platform agnostic](./aws-agnostic.md) +- [OKD Install on AWS provider with UPI](./aws-upi.md) +- [OKD Install on AWS provider with UPI](./aws-upi-byo-network.md) +- [Install OKD/OCP cluster on AWS with Agnostic Platform (None) BYO LB](./aws-agnostic-byo-lb.md) diff --git a/docs/guides/AWS/init.md b/docs/guides/AWS/init.md new file mode 100644 index 0000000..cf7497f --- /dev/null +++ b/docs/guides/AWS/init.md @@ -0,0 +1,4 @@ +# Prerequisites AWS + +!!! warning "TODO" + Describe the prerequisites \ No newline at end of file diff --git a/docs/guides/AWS/installing-quickly-agnostic-arm.md b/docs/guides/AWS/installing-quickly-agnostic-arm.md new file mode 100644 index 0000000..fd2d628 --- /dev/null +++ b/docs/guides/AWS/installing-quickly-agnostic-arm.md 
@@ -0,0 +1,88 @@ +# Installing a cluster quickly on OCI with platform agnostic (None) + +The steps below describes how to validate the OpenShift cluster installed +in an agnostic installation using standard topology. + +## Prerequisites + +--8<-- "docs/modules/pre-env-creds-aws.md" + +## Setup + +--8<-- "docs/modules/pre-env-distributions.md" + +### Export the emvironment variables for cloud provider + +--8<-- "docs/modules/pre-env-aws-none.md" +--8<-- "docs/modules/pre-env-cfg.md" + +### Create the okd-installer var file + +--8<-- "docs/modules/pre-cfg-varfile.md" + +- Discovery the AMI: + +```bash +DISTRIBUTION="ocp" +RELEASE_REPO="quay.io/openshift-release-dev/ocp-release" +VERSION="4.14.0-rc.6" +#RELEASE_VERSION="${VERSION}-x86_64" +PULL_SECRET_FILE="${HOME}/.openshift/pull-secret-latest.json" + +# Provider Information +export CONFIG_PROVIDER=aws +export CONFIG_PLATFORM=none + +# Cluster Install Configuration +CLUSTER_NAME="aws-n412rc6a0" +CLUSTER_REGION=us-east-1 +CLUSTER_DOMAIN="devcluster.openshift.com" +VARS_FILE=./vars_${DISTRIBUTION}-${CLUSTER_NAME}.yaml + +# okd-installer config +cat < ${VARS_FILE} +provider: ${CONFIG_PROVIDER} +config_platform: ${CONFIG_PLATFORM} +cluster_name: ${CLUSTER_NAME} +config_cluster_region: ${CLUSTER_REGION} + +config_cluster_version: ${VERSION} +version: ${VERSION} + +config_default_architecture: arm64 +controlplane_instance: m6g.xlarge +compute_instance: m6g.xlarge + +cluster_profile: ha +destroy_bootstrap: no + +config_base_domain: ${CLUSTER_DOMAIN} +config_ssh_key: "$(cat ~/.ssh/openshift-dev.pub)" +config_pull_secret_file: "${PULL_SECRET_FILE}" +EOF + +# Install the clients (installer) and extract the image ID from stream information. 
+ansible-playbook mtulio.okd_installer.install_clients -e @$VARS_FILE + +IMAGE_ID=$(~/.ansible/okd-installer/bin/openshift-install-linux-${VERSION} coreos print-stream-json | jq -r ".architectures[\"aarch64\"].images.aws.regions[\"$CLUSTER_REGION\"].image") + +cat <> ${VARS_FILE} +custom_image_id: ${IMAGE_ID} +EOF + +# create the cluster +ansible-playbook mtulio.okd_installer.create_all \ + -e cert_max_retries=30 \ + -e cert_wait_interval_sec=60 \ + -e @$VARS_FILE +``` + +## Install + +--8<-- "docs/modules/play-create_all.md" + +--8<-- "docs/modules/play-approve_certs.md" + +## Destroy + +--8<-- "docs/modules/play-destroy_cluster.md" \ No newline at end of file diff --git a/docs/guides/AWS/installing-quickly-agnostic.md b/docs/guides/AWS/installing-quickly-agnostic.md new file mode 100644 index 0000000..87ebb67 --- /dev/null +++ b/docs/guides/AWS/installing-quickly-agnostic.md @@ -0,0 +1,42 @@ +# Installing a cluster quickly on OCI with platform agnostic (None) + +The steps below describes how to validate the OpenShift cluster installed +in an agnostic installation using standard topology. + +## Prerequisites + +--8<-- "docs/modules/pre-env-creds-aws.md" + +## Setup + +--8<-- "docs/modules/pre-env-distributions.md" + +### Export the emvironment variables for cloud provider + +--8<-- "docs/modules/pre-env-aws-none.md" +--8<-- "docs/modules/pre-env-cfg.md" + +### Create the okd-installer var file + +--8<-- "docs/modules/pre-cfg-varfile.md" + +- Discovery the AMI: + +```bash +cat < ${VARS_FILE} +# discovery AMI ID: ~/.ansible/okd-installer/bin/openshift-install-linux-4.14.0-rc.0 coreos print-stream-json | jq -r '.architectures.x86_64.images.aws.regions["us-east-1"].image' +custom_image_id: ami-0a4a3456fc86deabc +EOF +``` + + + +## Install + +--8<-- "docs/modules/play-create_all.md" + +--8<-- "docs/modules/play-approve_certs.md" + +## Destroy + +--8<-- "docs/modules/play-destroy_cluster.md" \ No newline at end of file 
diff --git a/docs/guides/AWS/script/installing-quickly-agnostic.md b/docs/guides/AWS/script/installing-quickly-agnostic.md
new file mode 100644
index 0000000..7c9e187
--- /dev/null
+++ b/docs/guides/AWS/script/installing-quickly-agnostic.md
@@ -0,0 +1,29 @@
+# Installing a cluster quickly on OCI with platform agnostic (None)
+
+Script containing all steps described in the guide.
+
+## Requirements
+
+```bash
+--8<-- "docs/modules/pre-env-creds-aws.sh"
+```
+
+## Install
+
+```bash
+--8<-- "docs/modules/pre-env-distribution-ocp.sh"
+
+--8<-- "docs/modules/pre-env-aws-none.sh"
+
+--8<-- "docs/modules/pre-env-cfg.sh"
+
+--8<-- "docs/modules/pre-cfg-varfile.sh"
+
+--8<-- "docs/modules/play-create_all.sh"
+```
+
+## Destroy
+
+```bash
+--8<-- "docs/modules/play-destroy_cluster.sh"
+```
\ No newline at end of file
diff --git a/docs/guides/OCI/hack/dev-platform-external-custom-release.md b/docs/guides/OCI/hack/dev-platform-external-custom-release.md
new file mode 100644
index 0000000..540f93c
--- /dev/null
+++ b/docs/guides/OCI/hack/dev-platform-external-custom-release.md
@@ -0,0 +1,289 @@ +# Platform External - creating a custom release to support it on 4.13 + +This guide describe how to create a custom OCP release image with minimal changes to enable Platform `External` to be considered 'external' on the `library-go` - `IsCloudProviderExternal()`, signalizing the Kubelet (MCO) and Kube Controller Manager (KCMO) flag `--cloud-provider` be external, waiting for an external CCM be deployed on install time (in this case [OCI CCM](https://github.com/oracle/oci-cloud-controller-manager)) + +This is part of a PoC to enable Platform External to install CCM on install time. All the work has been mapped on the [Enhancement Proposal 1353](https://github.com/openshift/enhancements/pull/1353). + +## Update the API + +### API + +> The minimal changes on API have been created on 4.13. It's not required for this PoC. + +References: + +- https://github.com/openshift/api/pull/1301 +- https://github.com/openshift/api/pull/1409 + +### library-go + +- Clone the Library-go + +- Make the changes: https://github.com/openshift/library-go/compare/release-4.13...mtulio:library-go:release-4.13-platexternal?expand=1#diff-478af36e9fb994fc80d37b7d2f6ae207c67d8c43b94f98f6ae3e420808958ba9R40-R41 + +- Push to your account + + +## Rebuilding KCMO + +Steps to propagate the library-go change to kube-controller-manager-operator. 
+ +- Clone the repo https://github.com/openshift/cluster-kube-controller-manager-operator + +- Update the go.mod to use your version of library-go https://github.com/openshift/cluster-kube-controller-manager-operator/compare/release-4.13...mtulio:cluster-kube-controller-manager-operator:release-4.13-platexternal?expand=1 + +`go.mod` +``` +replace github.com/openshift/library-go => github.com/mtulio/library-go v0.0.0-20230313023417-78e409222bff +``` + +- upload your custom changes (optional) + +```bash +$ git remote -v +mtulio git@github.com:mtulio/cluster-kube-controller-manager-operator.git (fetch) +mtulio git@github.com:mtulio/cluster-kube-controller-manager-operator.git (push) +origin git@github.com:openshift/cluster-kube-controller-manager-operator.git (fetch) +$ git push --set-upstream mtulio release-4.13-platexternal -f +``` + +- Build a custom image + + +```bash +QUAY_USER=mrbraga +REPO_NAME=cluster-kube-controller-manager-operator + +podman build \ + --authfile ${PULL_SECRET} \ + -f Dockerfile.rhel7 \ + -t quay.io/${QUAY_USER}/${REPO_NAME}:latest \ + && podman push quay.io/${QUAY_USER}/${REPO_NAME}:latest + +TS=$(date +%Y%m%d%H%M) +podman tag quay.io/${QUAY_USER}/${REPO_NAME}:latest \ + "quay.io/${QUAY_USER}/${REPO_NAME}:${TS}" && \ + podman push "quay.io/${QUAY_USER}/${REPO_NAME}:${TS}" +``` + +## Building MCO + +Steps to propagate the library-go change to machine-config-operator. 
+ +- Clone the repo https://github.com/openshift/machine-config-operator + +- Update the go.mod to use your version of library-go + +`go.mod` +``` +replace github.com/openshift/library-go => github.com/mtulio/library-go v0.0.0-20230313023417-78e409222bff +``` + +- Build a custom image + +```shell +QUAY_USER=mrbraga +REPO_NAME=machine-config-operator + +podman build -f Dockerfile.rhel7 \ + -t quay.io/${QUAY_USER}/${REPO_NAME}:latest && \ + podman push quay.io/${QUAY_USER}/${REPO_NAME}:latest + +TS=$(date +%Y%m%d%H%M) +podman tag quay.io/${QUAY_USER}/${REPO_NAME}:latest \ + "quay.io/${QUAY_USER}/${REPO_NAME}:${TS}" && \ + podman push "quay.io/${QUAY_USER}/${REPO_NAME}:${TS}" +``` + +## Building CCCMO + +Steps to propagate the library-go change to cluster-cloud-controller-manager-operator. + +- Clone the repo https://github.com/mtulio/cluster-cloud-controller-manager-operator + +- Update the go.mod to use your version of library-go + +- Build a custom image + +```bash +QUAY_USER=mrbraga +REPO_NAME=cluster-cloud-controller-manager-operator + +podman build \ + --authfile ${PULL_SECRET} \ + -f Dockerfile \ + -t quay.io/${QUAY_USER}/${REPO_NAME}:latest \ + && podman push quay.io/${QUAY_USER}/${REPO_NAME}:latest + +TS=$(date +%Y%m%d%H%M) +podman tag quay.io/${QUAY_USER}/${REPO_NAME}:latest \ + "quay.io/${QUAY_USER}/${REPO_NAME}:${TS}" && \ + podman push "quay.io/${QUAY_USER}/${REPO_NAME}:${TS}" +``` + +## Create a new release + +- Choose the base image on https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/ + +- Run the command + +```bash +VERSION_BASE="4.13.0-rc.0-x86_64" +OCP_RELEASE_BASE="quay.io/openshift-release-dev/ocp-release:${VERSION_BASE}" +CUSTOM_IMAGE_NAMESPACE="quay.io/${QUAY_USER}" +NEW_RELEASE_IMAGE="docker.io/mtulio/ocp-release" + +$(which time) -v oc adm release new -n origin \ + --server https://api.ci.openshift.org \ + -a ${PULL_SECRET} \ + --from-release ${OCP_RELEASE_BASE} \ + --to-image "${NEW_RELEASE_IMAGE}:latest" \ + 
machine-config-operator=${CUSTOM_IMAGE_NAMESPACE}/machine-config-operator:latest \ + cluster-kube-controller-manager-operator=${CUSTOM_IMAGE_NAMESPACE}/cluster-kube-controller-manager-operator:latest \ + cluster-cloud-controller-manager-operator=${CUSTOM_IMAGE_NAMESPACE}/cluster-cloud-controller-manager-operator:latest +``` + +- Mirror it creating custom labels to identify the customization and base image + +```bash +podman pull "${NEW_RELEASE_IMAGE}:latest" + +podman tag "${NEW_RELEASE_IMAGE}:latest" \ + "${CUSTOM_IMAGE_NAMESPACE}/ocp-release:latest" && \ + podman push "${CUSTOM_IMAGE_NAMESPACE}/ocp-release:latest" +podman tag "${NEW_RELEASE_IMAGE}:latest" \ + "${CUSTOM_IMAGE_NAMESPACE}/ocp-release:${VERSION_BASE}_platexternal-kcmo-mco-3cmo" && \ + podman push "${CUSTOM_IMAGE_NAMESPACE}/ocp-release:${VERSION_BASE}_platexternal-kcmo-mco-3cmo" +``` + +- Check if the release image `${NEW_RELEASE_IMAGE}:latest` was created + +- Use it + +```bash +OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: "quay.io/mrbraga/ocp-release:4.13.0-rc.0-x86_64_platexternal-kcmo-mco-3cmo" \ + openshift-install create cluster --dir my-install-dir/ +``` + +## Usage custom release in this collection + +### Installing 4.14 with CCM + +- OCP 4.14-nightly-patched_CMO + Platform External + OCI + CSI +```bash +CLUSTER_NAME=oci-ext108 +VARS_FILE=./vars-oci-ha_${CLUSTER_NAME}.yaml + +cat < ${VARS_FILE} +provider: oci +cluster_name: ${CLUSTER_NAME} +config_cluster_region: us-sanjose-1 + +release_image: quay.io/mrbraga/ocp-release +release_version: 4.14.0-0.nightly-2023-07-05-071214 + +config_platform: external +config_platform_spec: '{"platformName":"oci"}' + +config_installer_environment: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: "quay.io/mrbraga/ocp-release:4.14.0-0.nightly-2023-07-05-071214" + +config_featureset: TechPreviewNoUpgrade +config_base_domain: splat-oci.devcluster.openshift.com +config_ssh_key: "$(cat ~/.ssh/openshift-dev.pub)" +config_pull_secret_file: 
"${HOME}/.openshift/pull-secret-latest.json" + +cluster_profile: ha +destroy_bootstrap: no + +oci_compartment_id: ${OCI_COMPARTMENT_ID} +oci_compartment_id_dns: ${OCI_COMPARTMENT_ID_DNS} +oci_compartment_id_image: ${OCI_COMPARTMENT_ID_IMAGE} +oci_ccm_namespace: oci-cloud-controller-manager + +# Define the OS Image mirror +os_mirror: yes +os_mirror_from: stream_artifacts +os_mirror_stream: + architecture: x86_64 + artifact: openstack + format: qcow2.gz + +os_mirror_to_provider: oci +os_mirror_to_oci: + compartment_id: ${OCI_COMPARTMENT_ID_IMAGE} + bucket: rhcos-images + image_type: QCOW2 + +# Available manifest paches (runs after 'create manifest' stage) +config_patches: +- rm-capi-machines +- mc-kubelet-providerid +- deploy-oci-ccm +- deploy-oci-csi + +# MachineConfig to set the Kubelet environment. Will use this script to discover the ProviderID +cfg_patch_kubelet_providerid_script: | + PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id); +EOF +``` + + +- OKD SCOS 4.14-nightly-patched_CMO + Platform External + OCI + CSI +```bash +CLUSTER_NAME=oci-ext107 +VARS_FILE=./vars-oci-ha_${CLUSTER_NAME}.yaml + +cat < ${VARS_FILE} +provider: oci +cluster_name: ${CLUSTER_NAME} +config_cluster_region: us-sanjose-1 + +release_image: quay.io/mrbraga/ocp-release +release_version: 4.14.0-0.nightly-2023-07-05-071214 + +config_platform: external +config_platform_spec: '{"platformName":"oci"}' + +config_installer_environment: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: "quay.io/mrbraga/ocp-release:4.14.0-0.nightly-2023-07-05-071214" + +config_featureset: TechPreviewNoUpgrade +config_base_domain: splat-oci.devcluster.openshift.com +config_ssh_key: "$(cat ~/.ssh/openshift-dev.pub)" +config_pull_secret_file: "${HOME}/.openshift/pull-secret-okd-fake.json" + +cluster_profile: ha +destroy_bootstrap: no + +oci_compartment_id: ${OCI_COMPARTMENT_ID} +oci_compartment_id_dns: ${OCI_COMPARTMENT_ID_DNS} +oci_compartment_id_image: 
${OCI_COMPARTMENT_ID_IMAGE} +oci_ccm_namespace: oci-cloud-controller-manager + +# Define the OS Image mirror +os_mirror: yes +os_mirror_from: stream_artifacts +os_mirror_stream: + architecture: x86_64 + artifact: openstack + format: qcow2.gz + +os_mirror_to_provider: oci +os_mirror_to_oci: + compartment_id: ${OCI_COMPARTMENT_ID_IMAGE} + bucket: rhcos-images + image_type: QCOW2 + +# Available manifest paches (runs after 'create manifest' stage) +config_patches: +- rm-capi-machines +- mc-kubelet-providerid +- deploy-oci-ccm +- deploy-oci-csi + +# MachineConfig to set the Kubelet environment. Will use this script to discover the ProviderID +cfg_patch_kubelet_providerid_script: | + PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id); +EOF +``` \ No newline at end of file diff --git a/docs/guides/OCI/index.md b/docs/guides/OCI/index.md new file mode 100644 index 0000000..3f4e236 --- /dev/null +++ b/docs/guides/OCI/index.md 
@@ -0,0 +1,19 @@ +# OKD/OCP guides for Oracle Cloud Infrastructure (OCI) + +!!! warning "Developer Preview" + This document is available only for development preview. + + The [PR #26](https://github.com/mtulio/ansible-collection-okd-installer/pull/26)is under development and is subject to change the whole document described under OCI guides. + +Guides for OKD/OCP on Oracle Cloud Infrastructure (OCI): + +- [Prerequisites](./prerequisites.md) +- [Installing a cluster quickly on OCI with platform agnostic (None)](./installing-quickly-agnostic.md) +- [Installing a cluster quickly on OCI with platform external (External)](./installing-quickly-external.md) +- [Installing a cluster on OCI with infrastructure customizations](./installing-customization-infra.md) +- [Installing a cluster on OCI using platform external (External) with CCM customizations](./installing-customization-external.md) +- [Installing a cluster on OCI with Assisted Installer](./installing-assisted-installer.md) +- [Setting up the registry storage with OCI Bucket](./setting-registry-storage-bucket.md) +- [Lab / Examples distributed/reused vars](./lab-examples-custom-vars.md) +- [Testing the installation with Kubernetes/OpenShift conformance test suites](./testing-opct-conformance.md) +- [hack/platform external development/building custom components in OKD](./hack/dev-platform-external-custom-release.md) \ No newline at end of file diff --git a/docs/guides/OCI/installing-assisted-installer.md b/docs/guides/OCI/installing-assisted-installer.md new file mode 100644 index 0000000..581fea1 --- /dev/null +++ b/docs/guides/OCI/installing-assisted-installer.md @@ -0,0 +1,5 @@ +> TODO + +- Describe the steps to install the infrastructure, using Assisted Installer as a config provider. Finish the work started on: + +https://github.com/mtulio/ansible-collection-okd-installer/pull/28 \ No newline at end of file 
diff --git a/docs/guides/OCI/installing-customization-external.md b/docs/guides/OCI/installing-customization-external.md new file mode 100644 index 0000000..21c148a --- /dev/null +++ b/docs/guides/OCI/installing-customization-external.md @@ -0,0 +1,23 @@ +> TODO: + +- describe the step-by-step to create a cluster customizing CCM manifests (using from OCI CCM repo) to deploy OKD/OCP + + +```bash +ansible-playbook mtulio.okd_installer.install_clients -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.config -e mode=create-config -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.config -e mode=create-manifests -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.stack_network -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.stack_dns -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.stack_loadbalancer -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.config -e mode=patch-manifests -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.config -e mode=create-ignitions -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.os_mirror -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.create_node -e node_role=bootstrap -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.create_node -e node_role=controlplane -e @$VARS_FILE +ansible-playbook mtulio.okd_installer.create_node -e node_role=compute -e @$VARS_FILE +export KUBECONFIG=${HOME}/.ansible/okd-installer/clusters/${CLUSTER_NAME}/auth/kubeconfig +oc adm certificate approve $(oc get csr -o json |jq -r '.items[] | select(.status.certificate == null).metadata.name') + +ansible-playbook mtulio.okd_installer.destroy_cluster -e @$VARS_FILE +``` \ No newline at end of file diff --git a/docs/guides/OCI/installing-customization-infra.md b/docs/guides/OCI/installing-customization-infra.md new file mode 100644 index 0000000..3dc60b9 --- /dev/null +++ b/docs/guides/OCI/installing-customization-infra.md 
@@ -0,0 +1,3 @@
+> TODO
+
+- Describe how to customize infra deployment changing default vars (inherit from AWS)
diff --git a/docs/guides/OCI/installing-quickly-agnostic.md b/docs/guides/OCI/installing-quickly-agnostic.md
new file mode 100644
index 0000000..de8ff3e
--- /dev/null
+++ b/docs/guides/OCI/installing-quickly-agnostic.md
@@ -0,0 +1,273 @@ +# Install OKD/OCP on OCI using an agnostic method + +> This document is under development on https://github.com/mtulio/ansible-collection-okd-installer/pull/26 + +Install OCP/OKD Cluster on Oracle Cloud Infrastructure using agnostic installation/UPI. + +- Prerequisites +- Installing OCP + - Install the Clientes + - Option 1 - Install quickly + - Option 2 - Install step-by-stack + - Create the Install config + - Create the manifests + - Setup IAM Stack + - Setup Network Stack + - Setup DNS Stack + - Setup Load Balancer Stack + - Patch the manifests + - Create the ignitions + - Setup Compute Stack + - Setup Bootstrap + - Setup Control Plane nodes + - Setup Compute nodes + - Check/Approve the certificates +- Review the Installation +- Destroy the Cluster + +## Prerequisites + +- okd-installer Collection with [OCI dependencies installed](./prerequisites.md): +- Compartments used to launch the cluster created and exported to variable `${OCI_COMPARTMENT_ID}` +- DNS Zone place the DNS zone and exported to variable `${OCI_COMPARTMENT_ID_DNS}` +- Compartment used to store the RHCOS image exported to variable `${OCI_COMPARTMENT_ID_IMAGE}` + +Example: + +```bash +cat < ~/.oci/env +# Compartment that the cluster will be installed +OCI_COMPARTMENT_ID="" + +# Compartment that the DNS Zone is created (based domain) +OCI_COMPARTMENT_ID_DNS="" + +# Compartment that the OS Image will be created +OCI_COMPARTMENT_ID_IMAGE="" +EOF +source ~/.oci/env +``` + +- If you are using python virtual env, like me ;D, set the interpreter path: + +```bash +ANSIBLE_PYTHON_INTERPRETER=${VENV_PATH}/$VIRTUAL_ENV/bin/python3 +``` + +## Installing OpenShift/OKD + +### Create the vars file + +```bash +CLUSTER_NAME=oci-n414rc6 +VARS_FILE=./vars-oci-ha_${CLUSTER_NAME}.yaml + +ANSIBLE_PYTHON_INTERPRETER=${VENV_PATH}/$VIRTUAL_ENV/bin/python3 + +cat < ${VARS_FILE} +provider: oci +cluster_name: ${CLUSTER_NAME} + +config_cluster_region: us-ashburn-1 +config_base_domain: 
us-ashburn-1.splat-oci.devcluster.openshift.com + +oci_compartment_id: ${OCI_COMPARTMENT_ID} +oci_compartment_id_dns: ${OCI_COMPARTMENT_ID_DNS} +oci_compartment_id_image: ${OCI_COMPARTMENT_ID_IMAGE} + +cluster_profile: ha +destroy_bootstrap: no + +config_ssh_key: "$(cat ~/.ssh/id_rsa.pub)" +config_pull_secret_file: "${HOME}/.openshift/pull-secret-latest.json" + +config_cluster_version: 4.14.0-rc.6 +version: 4.14.0-rc.6 + +os_mirror: yes +os_mirror_from: stream_artifacts +os_mirror_stream: + architecture: x86_64 + artifact: openstack + format: qcow2.gz + +os_mirror_to_provider: oci +os_mirror_to_oci: + compartment_id: ${OCI_COMPARTMENT_ID_IMAGE} + bucket: rhcos-images + image_type: QCOW2 + +config_patches: +- rm-capi-machines +EOF +``` + +### Install the clients + +```bash +ansible-playbook mtulio.okd_installer.install_clients -e @$VARS_FILE +``` + +### Installing option 1: quickly install + +```bash +ansible-playbook mtulio.okd_installer.create_all \ + -e certs_max_retries=20 \ + -e cert_wait_interval_sec=60 \ + -e @$VARS_FILE +``` + +### Installing option 2: step-by-step + +#### Create the Installer Configuration + +Create the installation configuration: + + +```bash +ansible-playbook mtulio.okd_installer.config -e mode=create-config -e @$VARS_FILE +``` + +The rendered install-config.yaml will be available on the following path: + +- `~/.ansible/okd-installer/clusters/$CLUSTER_NAME/install-config.yaml` + +If you want to skip this part, place your own install-config.yaml on the same +path and go to the next step. 
+ +#### Create the Installer manifests + +Create the installation configuration: + +```bash +ansible-playbook mtulio.okd_installer.config -e mode=create-manifests -e @$VARS_FILE +``` + +The manifests will be rendered and saved on the install directory: + +- `~/.ansible/okd-installer/clusters/$CLUSTER_NAME/` + +If you want to skip that part, with your manifests, you must be able to run +the `openshift-install create manifests` under the install directory, and the file +`manifests/cluster-config.yaml` is created correctly. + +The infrastructure manifest also must exist on the path: `manifests/cluster-infrastructure-02-config.yml`. + + +**After this stage, the file `$install_dir/cluster_state.json` will be created and populated with the stack results.** + +#### IAM Stack + +N/A + +> TODO: create Compartment validations + +#### Create the Network Stack + +```bash +ansible-playbook mtulio.okd_installer.stack_network -e @$VARS_FILE +``` + +#### DNS Stack + +```bash +ansible-playbook mtulio.okd_installer.stack_dns -e @$VARS_FILE +``` + +#### Load Balancer Stack + +```bash +ansible-playbook mtulio.okd_installer.stack_loadbalancer -e @$VARS_FILE +``` + +#### Config Commit + +This stage allows the user to modify the cluster configurations (manifests), +then generate the ignition files used to create the cluster. + +##### Manifest patches (pre-ign) + +In this step, the playbooks will apply any patches to the manifests, +according to the vars file `config_patches`. + +The `config_patches` are predefined tasks that will run to reach specific goals. + +If you wouldn't like to apply patches, leave the empty value `config_patches: []`. + +If you would like to apply patches manually, you can do it by changing the manifests +on the install dir. 
Default install dir path: `~/.ansible/okd-installer/clusters/${cluster_name}/*` + +```bash +ansible-playbook mtulio.okd_installer.config -e mode=patch-manifests -e @$VARS_FILE +``` + +##### Config generation (ignitions) + +These steps should be the last before the configuration be 'committed': + +- `create ignitions` when using `openshift-install` as the config provider + +```bash +ansible-playbook mtulio.okd_installer.config -e mode=create-ignitions -e @$VARS_FILE +``` + +#### Mirror OS boot image + +- Download the image from the URL provided by openshift-install coreos-stream + +> Example: `$ jq -r '.architectures["x86_64"].artifacts.openstack.formats["qcow2.gz"].disk.location' ~/.ansible/okd-installer/clusters/ocp-oci/coreos-stream.json` + +```bash +ansible-playbook mtulio.okd_installer.os_mirror -e @$VARS_FILE +``` + +#### Compute Stack + +##### Bootstrap node + +- Upload the bootstrap ignition to blob and Create the Bootstrap Instance + +```bash +ansible-playbook mtulio.okd_installer.create_node -e node_role=bootstrap -e @$VARS_FILE +``` + +##### Control Plane nodes + +- Create the Control Plane nodes + +```bash +ansible-playbook mtulio.okd_installer.create_node -e node_role=controlplane -e @$VARS_FILE +``` + +##### Compute/worker nodes + +- Create the Compute nodes + +```bash +ansible-playbook mtulio.okd_installer.create_node -e node_role=compute -e @$VARS_FILE +``` + +- Approve worker nodes' certificates signing requests (CSR) + +```bash +oc adm certificate approve $(oc get csr -o json |jq -r '.items[] | select(.status.certificate == null).metadata.name') + +# OR + +oc get csr -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | xargs oc adm certificate approve +``` + +## Review the installation + +```bash +export KUBECONFIG=${HOME}/.ansible/okd-installer/clusters/${cluster_name}/auth/kubeconfig + +oc get nodes +oc get co +``` + +## Destroy cluster + +```bash +ansible-playbook mtulio.okd_installer.destroy_cluster -e 
@$VARS_FILE
+```
diff --git a/docs/guides/OCI/installing-quickly-external-arm64.md b/docs/guides/OCI/installing-quickly-external-arm64.md
new file mode 100644
index 0000000..bf0bf00
--- /dev/null
+++ b/docs/guides/OCI/installing-quickly-external-arm64.md
@@ -0,0 +1,169 @@ +## Install a OCP cluster with ARM64 Arch on Oracle Cloud Infrastructure (OCI) with CCM + +Install an OCP cluster in OCI with Platform External as an option and OCI Cloud Controler Manager. + +## Prerequisites + +- okd-installer Collection with [OCI dependencies installed](./oci-prerequisites.md): +- Compartments used to launch the cluster created and exported to variable `${OCI_COMPARTMENT_ID}` +- DNS Zone place the DNS zone and exported to variable `${OCI_COMPARTMENT_ID_DNS}` +- Compartment used to store the RHCOS image exported to variable `${OCI_COMPARTMENT_ID_IMAGE}` + +Example: + +```bash +cat < ~/.oci/env +# Compartment that the cluster will be installed +OCI_COMPARTMENT_ID="" + +# Compartment that the DNS Zone is created (based domain) +OCI_COMPARTMENT_ID_DNS="" + +# Compartment that the OS Image will be created +OCI_COMPARTMENT_ID_IMAGE="" +EOF +source ~/.oci/env +``` + +## Setup with Platform External type and CCM + +Create the vars file for okd-installer collection: + +```bash +# MCO patch without revendor (w/o disabling FG) +CLUSTER_NAME=oci-e414rc2arm1usash1 +VARS_FILE=./vars-oci-ha_${CLUSTER_NAME}.yaml + +cat < ${VARS_FILE} +provider: oci +cluster_name: ${CLUSTER_NAME} +config_cluster_region: us-ashburn-1 + +cluster_profile: ha +destroy_bootstrap: no + +#config_base_domain: splat-oci.devcluster.openshift.com +config_base_domain: us-ashburn-1.splat-oci.devcluster.openshift.com + +config_ssh_key: "$(cat ~/.ssh/openshift-dev.pub)" +config_pull_secret_file: "${HOME}/.openshift/pull-secret-latest.json" + +config_cluster_version: 4.14.0-rc.2 +version: 4.14.0-rc.2 + +config_platform: external +config_platform_spec: '{"platformName":"oci"}' + +oci_ccm_namespace: oci-cloud-controller-manager +oci_compartment_id: ${OCI_COMPARTMENT_ID} +oci_compartment_id_dns: ${OCI_COMPARTMENT_ID_DNS} +oci_compartment_id_image: ${OCI_COMPARTMENT_ID_IMAGE} + +# Available manifest paches (runs after 'create manifest' stage) +config_patches: +- rm-capi-machines 
+- mc_varlibetcd +- mc-kubelet-providerid +- deploy-oci-ccm +#- deploy-oci-csi + +# MachineConfig to set the Kubelet environment. Will use this script to discover the ProviderID +cfg_patch_kubelet_providerid_script: | + PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id); + +# spread nodes between "AZs" +oci_availability_domains: +- gzqB:US-ASHBURN-AD-1 +- gzqB:US-ASHBURN-AD-2 +- gzqB:US-ASHBURN-AD-3 + +oci_fault_domains: +- FAULT-DOMAIN-1 +- FAULT-DOMAIN-2 +- FAULT-DOMAIN-3 + +# OCI config for ARM64 +config_default_architecture: arm64 +compute_shape: "VM.Standard.A1.Flex" +controlplane_shape: "VM.Standard.A1.Flex" +bootstrap_instance: "VM.Standard.A1.Flex" + +# Define the OS Image mirror +os_mirror: yes +os_mirror_from: stream_artifacts +os_mirror_stream: + architecture: aarch64 + artifact: openstack + format: qcow2.gz + +os_mirror_to_provider: oci +os_mirror_to_oci: + compartment_id: ${OCI_COMPARTMENT_ID_IMAGE} + bucket: rhcos-images + image_type: QCOW2 + # not supported yet, must be added for arm64 + # https://oci-ansible-collection.readthedocs.io/en/latest/collections/oracle/oci/oci_compute_image_shape_compatibility_entry_module.html#ansible-collections-oracle-oci-oci-compute-image-shape-compatibility-entry-module + compatibility_shapes: + - name: VM.Standard.A1.Flex + memory_constraints: + min_in_gbs: 4 + max_in_gbs: 128 + ocpu_constraints: + min: 2 + max: 32 +EOF +``` + +## Install the cluster + +```bash +ansible-playbook mtulio.okd_installer.create_all \ + -e cert_max_retries=30 \ + -e cert_wait_interval_sec=60 \ + -e @$VARS_FILE +``` + +### Approve certificates + +Export `KUBECONFIG`: + +```bash +export KUBECONFIG=$HOME/.ansible/okd-installer/clusters/${CLUSTER_NAME}/auth/kubeconfig +``` + +Check and Approve the certificates: +```bash +oc get csr \ + -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' \ + | xargs oc adm certificate approve +``` + +Check if the 
nodes joined to the cluster: + +```bash +oc get nodes +``` + +## Testing + +Setup the test environment (internal registry, labeling and taint worker node, etc): + +```bash +test_node=$(oc get nodes -l node-role.kubernetes.io/worker='' -o jsonpath='{.items[0].metadata.name}') +oc label node $test_node node-role.kubernetes.io/tests="" +oc adm taint node $test_node node-role.kubernetes.io/tests="":NoSchedule +``` + +Run the tests: + +```bash +./opct run -w &&\ + ./opct retrieve &&\ + ./opct report *.tar.gz --save-to /tmp/results --server-skip +``` + +## Destroy the cluster + +```bash +ansible-playbook mtulio.okd_installer.destroy_cluster -e @$VARS_FILE +``` \ No newline at end of file diff --git a/docs/guides/OCI/installing-quickly-external.md b/docs/guides/OCI/installing-quickly-external.md new file mode 100644 index 0000000..d5172b6 --- /dev/null +++ b/docs/guides/OCI/installing-quickly-external.md 
@@ -0,0 +1,170 @@ +## Install a cluster on Oracle Cloud Infrastructure (OCI) with CCM + +Install an OCP cluster in OCI with Platform External as an option and OCI Cloud Controler Manager. + +## Prerequisites + +- okd-installer Collection with [OCI dependencies installed](./prerequisites.md): +- Compartments used to launch the cluster created and exported to variable `${OCI_COMPARTMENT_ID}` +- DNS Zone place the DNS zone and exported to variable `${OCI_COMPARTMENT_ID_DNS}` +- Compartment used to store the RHCOS image exported to variable `${OCI_COMPARTMENT_ID_IMAGE}` + +Example: + +```bash +cat < ~/.oci/env +# Compartment that the cluster will be installed +OCI_COMPARTMENT_ID="" + +# Compartment that the DNS Zone is created (based domain) +OCI_COMPARTMENT_ID_DNS="" + +# Compartment that the OS Image will be created +OCI_COMPARTMENT_ID_IMAGE="" +EOF +source ~/.oci/env +``` + +- If you are using python virtual env, like me ;D, set the interpreter path: + +```bash +ANSIBLE_PYTHON_INTERPRETER=${VENV_PATH}/$VIRTUAL_ENV/bin/python3 +``` + +## Setup with Platform External type and CCM + +Create the vars file for okd-installer collection: + +!!! warning "Ensure variables are defined" + Make sure all variables is defined, otherwise you may get unexpected failures. 
+ ```sh + echo -e "OCI_COMPARTMENT_ID=${OCI_COMPARTMENT_ID}" + echo -e "OCI_COMPARTMENT_ID_DNS=${OCI_COMPARTMENT_ID_DNS}" + echo -e "OCI_COMPARTMENT_ID_IMAGE=${OCI_COMPARTMENT_ID_IMAGE}" + ``` + +```bash +CLUSTER_NAME=oci-e414rc7v1 +VARS_FILE=./vars-oci-ha_${CLUSTER_NAME}.yaml + +# if you are using python virtual env, like me ;D, set the interpreter path: +ANSIBLE_PYTHON_INTERPRETER=${VENV_PATH}/$VIRTUAL_ENV/bin/python3 + +cat < ${VARS_FILE} +provider: oci +cluster_name: ${CLUSTER_NAME} + +config_cluster_region: us-ashburn-1 +config_base_domain: us-ashburn-1.splat-oci.devcluster.openshift.com + +oci_compartment_id: ${OCI_COMPARTMENT_ID} +oci_compartment_id_dns: ${OCI_COMPARTMENT_ID_DNS} +oci_compartment_id_image: ${OCI_COMPARTMENT_ID_IMAGE} + +cluster_profile: ha +destroy_bootstrap: no + +config_ssh_key: "$(cat ~/.ssh/id_rsa.pub)" +config_pull_secret_file: "${HOME}/.openshift/pull-secret-latest.json" + +config_cluster_version: 4.14.0-rc.7 +version: 4.14.0-rc.7 + +# Platform External setup +config_platform: external +config_platform_spec: '{"platformName":"oci"}' + +# Available manifest paches (runs after 'create manifest' stage) +config_patches: +- rm-capi-machines +- mc-kubelet-providerid +- deploy-oci-ccm +#- deploy-oci-csi + +# MachineConfig to set the Kubelet environment. 
Will use this script to discover the ProviderID +cfg_patch_kubelet_providerid_script: | + PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id); + +oci_ccm_namespace: oci-cloud-controller-manager + +# Define the OS Image mirror +os_mirror: yes +os_mirror_from: stream_artifacts +os_mirror_stream: + architecture: x86_64 + artifact: openstack + format: qcow2.gz + +os_mirror_to_provider: oci +os_mirror_to_oci: + compartment_id: ${OCI_COMPARTMENT_ID_IMAGE} + bucket: rhcos-images + image_type: QCOW2 + +# spread nodes between "AZs" +oci_availability_domains: +- gzqB:US-ASHBURN-AD-1 +- gzqB:US-ASHBURN-AD-2 +- gzqB:US-ASHBURN-AD-3 + +oci_fault_domains: +- FAULT-DOMAIN-1 +- FAULT-DOMAIN-2 +- FAULT-DOMAIN-3 +EOF +``` + + +## Install the cluster + +```bash +ansible-playbook mtulio.okd_installer.create_all \ + -e cert_max_retries=30 \ + -e cert_wait_interval_sec=60 \ + -e @$VARS_FILE +``` + +### Approve certificates + +Export `KUBECONFIG`: + +```bash +export KUBECONFIG=$HOME/.ansible/okd-installer/clusters/${CLUSTER_NAME}/auth/kubeconfig +``` + +Check and Approve the certificates: +```bash +oc get csr \ + -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' \ + | xargs oc adm certificate approve +``` + +Check if the nodes joined to the cluster: + +```bash +oc get nodes +``` + +## Testing + +Setup the test environment (internal registry, labeling and taint worker node, etc): + +```bash +ansible-playbook opct-runner/opct-run-tool-preflight.yaml -e @$VARS_FILE +``` + +Run the tests: + +> TMP note: remove the `-serial` + +```bash +~/opct/bin/opct-devel run -w --plugins-image openshift-tests-provider-cert:devel-serial &&\ + ~/opct/bin/opct-devel retrieve &&\ + ~/opct/bin/opct-devel report *.tar.gz --save-to /tmp/results --server-skip +``` + +## Destroy the cluster + +```bash +ansible-playbook mtulio.okd_installer.destroy_cluster -e @$VARS_FILE +``` \ No newline at end of file 
diff --git a/docs/guides/OCI/lab-examples-custom-vars.md b/docs/guides/OCI/lab-examples-custom-vars.md
new file mode 100644
index 0000000..18875ae
--- /dev/null
+++ b/docs/guides/OCI/lab-examples-custom-vars.md
@@ -0,0 +1,90 @@ +# Installing in OCI with build-in examples + +## Export variables + +```bash +export OKD_CONFIG_BASE_DOMAIN="" +export OCI_COMPARTMENT_ID="" +export OCI_COMPARTMENT_ID_DNS="" +export OCI_COMPARTMENT_ID_IMAGE="" +export OS_MIRROR_IMAGE_BUCKET_NAME="rhcos-images" +``` + +### Default vars + + +## Installing + + +### Installing a cluster on OCI with Platform Agnostic/None + +> TODO + +```bash +ansible-playbook examples/create-cluster.yaml \ + -e cluster_name=name \ + -e @./examples/vars/common.yaml \ + -e @./examples/vars/oci/common.yaml \ + -e @./examples/vars/oci/ha-platform-none.yaml +``` + +### Installing a cluster on OCI with Platform Agnostic/None with CSI Driver + +```bash +ansible-playbook examples/create-cluster.yaml \ + -e cluster_name=name \ + -e @./examples/vars/common.yaml \ + -e @./examples/vars/oci/common.yaml \ + -e @./examples/vars/oci/ha-platform-none-csi.yaml +``` + +### Installing a cluster on OCI with Platform External + +```bash +ansible-playbook examples/create-cluster.yaml \ + -e cluster_name=name \ + -e @./examples/vars/common.yaml \ + -e @./examples/vars/oci/common.yaml \ + -e @./examples/vars/oci/ha-platform-external.yaml +``` + +### Installing a cluster on OCI with Platform External with CCM + +```bash +ansible-playbook examples/create-cluster.yaml \ + -e cluster_name=name \ + -e @./examples/vars/common.yaml \ + -e @./examples/vars/oci/common.yaml \ + -e @./examples/vars/oci/ha-platform-external-ccm.yaml +``` + +### Installing a cluster on OCI with Platform External with CCM and CSI Driver + +```bash +ansible-playbook examples/create-cluster.yaml \ + -e cluster_name=name \ + -e @./examples/vars/common.yaml \ + -e @./examples/vars/oci/common.yaml \ + -e @./examples/vars/oci/ha-platform-external-ccm-csi.yaml +``` + +### Installing a cluster on OCI with Platform External with CSI Driver + +> TODO: OCI CSI Driver can be installed in Platform None with manual changes + + + +### Destroy a cluster + +```bash +ansible-playbook 
mtulio.okd_installer.destroy_cluster \
+ -e cluster_name=name
+```
\ No newline at end of file
diff --git a/docs/guides/OCI/prerequisites.md b/docs/guides/OCI/prerequisites.md
new file mode 100644
index 0000000..b93d3ca
--- /dev/null
+++ b/docs/guides/OCI/prerequisites.md
@@ -0,0 +1,118 @@ +# Prerequisites OCI (PoC) + +The steps described on this document can be changed from the final version. + +The goal is to quickly setup the PoC environment installing all the dependencies to deploy a cluster in Oracle Cloud Infrastructure - official Collection `oracle.oci`, setup identities to use the CLI/SDK, etc. + +### Setup Ansible project + +> This steps should be made only when OCI provider is under development in the branch `feat-added-provider-oci`. + +- Setup the ansible workdir (optional, you can use the defaults except the `collections_path`) + +```bash +cat < ansible.cfg +[defaults] +inventory = ./inventories +collections_path=./collections +callbacks_enabled=ansible.posix.profile_roles,ansible.posix.profile_tasks +hash_behavior=merge + +[inventory] +enable_plugins = yaml, ini + +# https://docs.ansible.com/ansible/latest/collections/ansible/posix/profile_tasks_callback.html +[callback_profile_tasks] +task_output_limit=25 +sort_order=descending +EOF +``` + +- Create a virtual env + +> Tested in Python 3.9 and 3.10 + +```bash +python3.9 -m venv ./.oci +source ./.oci/bin/activate +``` + +- Get the latest (under development) okd-installer collection with OCI modules: + +> https://github.com/mtulio/ansible-collection-okd-installer/pull/26 + +```bash +git clone -b feat-added-provider-oci --recursive \ + git@github.com:mtulio/ansible-collection-okd-installer.git \ + collections/ansible_collections/mtulio/okd_installer +``` + +- Install the dependencies: + +```bash +pip install -Ur collections/ansible_collections/mtulio/okd_installer/requirements.txt +ansible-galaxy collection install --upgrade -r collections/ansible_collections/mtulio/okd_installer/requirements.yml +``` + +- Check if the SDK is installed: + +```bash +$ pip freeze | grep oci +oci==2.112.4 +``` + +- Check if the collection is present: + + +```bash +$ ansible-galaxy collection list |grep -E "(okd_installer|^oracle)" +mtulio.okd_installer 0.0.0-latest +oracle.oci 4.33.0 +``` + 
+### Setup OCI credentials + +- See [API Key Authentication](https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.11.0/guides/authentication.html#api-key-authentication): +- See https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm#two + +Make sure your credentials have been set correctly on the file `~/.oci/config` and you can use the OCI ansible collection: + +- Get the User ID from the documentation + +> you may need to adapt if there are more than one profile + +```bash +export oci_user_id=$(grep ^user ~/.oci/config | awk -F '=' '{print$2}') +``` + +- Retrieve facts from the user + +```bash +ansible localhost \ + -m oracle.oci.oci_identity_user_facts \ + -a user_id=${oci_user_id} +``` + +!!! warning "Python Virtual Environment" + If you are getting errors like `oci python sdk required for this module`, even it is already installed from previews steps, + and you are using Python Virtual Environment, you must point the `ansible_python_interpreter` to the python interpretar path. + + For example: `ansible localhost -m oracle.oci.oci_identity_user_facts -a user_id=${oci_user_id} -e ansible_python_interpreter=$VIRTUAL_ENV/bin/python3` + +Ansible should return the user attributes, otherwise check your credentials. + +## Export the Compartment used to deploy the cluster + +```bash +cat < ~/.oci/env +# Compartment that the cluster will be installed +OCI_COMPARTMENT_ID="" + +# Compartment that the DNS Zone is created (based domain) +OCI_COMPARTMENT_ID_DNS="" + +# Compartment that the OS Image will be created +OCI_COMPARTMENT_ID_IMAGE="" +EOF +source ~/.oci/env +``` \ No newline at end of file diff --git a/docs/guides/OCI/setting-registry-storage-bucket.md b/docs/guides/OCI/setting-registry-storage-bucket.md new file mode 100644 index 0000000..859f4dd --- /dev/null +++ b/docs/guides/OCI/setting-registry-storage-bucket.md 
@@ -0,0 +1,14 @@
+# OCI Image Registry - Use S3 compatibility URL for persistent storage
+
+> WIP
+
+https://docs.okd.io/latest/registry/configuring_registry_storage/configuring-registry-storage-aws-user-infrastructure.html
+
+Steps to use the OCI S3 Compatibility API to set the persistent storage for the OpenShift Image Registry with OCI Bucket service.
+
+Steps:
+
+- Create access Key
+- Create the secret used by image-registry
+- Edit the image registry object adding the s3 configuration
+- Test it
\ No newline at end of file
diff --git a/docs/guides/OCI/testing-opct-conformance.md b/docs/guides/OCI/testing-opct-conformance.md
new file mode 100644
index 0000000..4466f9a
--- /dev/null
+++ b/docs/guides/OCI/testing-opct-conformance.md
@@ -0,0 +1,51 @@
+## OPCT setup
+
+- Create the OPCT [dedicated] node
+
+> https://redhat-openshift-ecosystem.github.io/provider-certification-tool/user/#option-a-command-line
+
+```bash
+# Create OPCT node
+ansible-playbook mtulio.okd_installer.create_node \
+ -e node_role=generic -e sufix=opct-01 -e cpu=4 -e mem=16 \
+ -e subnet=private -e nsg=compute \
+ -e @$VAR_FILE
+```
+
+- OPCT dedicated node setup
+
+```bash
+
+oc label node opct-01.priv.ocp.oraclevcn.com node-role.kubernetes.io/tests=""
+oc adm taint node opct-01.priv.ocp.oraclevcn.com node-role.kubernetes.io/tests="":NoSchedule
+
+# Set the OPCT requirements (registry, labels, wait-for COs stable)
+ansible-playbook ../opct/hack/opct-runner/opct-run-tool-preflight.yaml -e @$VAR_FILE -D
+
+```
+
+- OPCT regular
+
+```bash
+# Run OPCT
+~/opct/bin/openshift-provider-cert-linux-amd64-v0.3.0 run -w
+
+# Get the results and explore it
+~/opct/bin/openshift-provider-cert-linux-amd64-v0.3.0 retrieve
+~/opct/bin/openshift-provider-cert-linux-amd64-v0.3.0 results *.tar.gz
+~/opct/bin/openshift-provider-cert-linux-amd64-v0.3.0 report *.tar.gz
+```
+
+- OPCT upgrade mode
+
+```bash
+# from a cluster 4.12.1, run upgrade conformance to 4.13
+~/opct/bin/openshift-provider-cert-linux-amd64-v0.3.0 run -w \
+ --mode=upgrade \
+ --upgrade-to-image=$(oc adm release info 4.13.0-ec.2 -o jsonpath={.image})
+
+# Get the results and explore it
+~/opct/bin/openshift-provider-cert-linux-amd64-v0.3.0 retrieve
+~/opct/bin/openshift-provider-cert-linux-amd64-v0.3.0 results *.tar.gz
+~/opct/bin/openshift-provider-cert-linux-amd64-v0.3.0 report *.tar.gz
+```
diff --git a/docs/guides/index.md b/docs/guides/index.md
index 75f4cc7..f010694 100644
--- a/docs/guides/index.md
+++ b/docs/guides/index.md
@@ -1,4 +1,14 @@
 # Guides
 
-!!! warning "Oops... TODO / WIP page"
- This page is not completed!
+!!! warning "Documentation under development"
+ This page is under development and is subject to change quickly.
+
+ Stay tuned for the updates.
+
+This section contain guides about exploring `okd-installer` for each specific cloud provider.
+
+To begin exploring, please see the following pages related for each provider:
+
+- [AWS - Amazon Web Services](./AWS)
+- [OCI - Oracle Cloud Infrastructure](./OCI)
+- [Developer Call: Opportunities to contribute adding new providers](./opportunities.md)
\ No newline at end of file
diff --git a/docs/guides/opportunities.md b/docs/guides/opportunities.md
new file mode 100644
index 0000000..6e71ba7
--- /dev/null
+++ b/docs/guides/opportunities.md
@@ -0,0 +1,40 @@ +# Dev Call: Cloud Provider Opportunities for OKD + +Hey, are you looking for opportunities to explore OKD into other cloud providers +using okd-installer Collection? This section describes some opportunities +if you are looking for challenges! + +Here are a matrix with existing Cloud Providers with Ansible automation, or API/SDK reference +if you would like to a challenge creating new modules: + +| Provider Name | Ansible | Platform External:CCM/CSI | +| -- | -- | -- | +| Digital Ocean | [Collection](https://docs.ansible.com/ansible/latest/collections/community/digitalocean/index.html) | [CCM](https://github.com/digitalocean/digitalocean-cloud-controller-manager) / [CSI](https://github.com/digitalocean/csi-digitalocean) | +| Vultr Cloud | [Modules](https://github.com/ngine-io/ansible-collection-vultr) | [CCM](https://github.com/vultr/vultr-cloud-controller-manager) / [CSI](https://github.com/vultr/vultr-csi) | +| Hetzner Cloud | [Modules](https://github.com/ansible-collections/hetzner.hcloud) | [CCM](https://github.com/hetznercloud/hcloud-cloud-controller-manager) / [CSI](https://github.com/hetznercloud/csi-driver / Ansible modules) | +| IONOS | [Modules](https://github.com/ionos-cloud/module-ansible) | [CCM](https://github.com/23technologies/machine-controller-manager-provider-ionos) / CSI | + + + +## Existing exploration / hacking / labs + +### Digital Ocean + +Looking for Digital Ocean installations? We need contributors! =] + +Please take a look at the ongoing [PR #40](https://github.com/mtulio/ansible-collection-okd-installer/pull/40). + +### IONOS + +Looking for IONOS installations? Feel free to submit the contribution! =] + +There is an exploration[1] using Official IONOS Ansible Collection and +the okd-installer Collection. Please take a look at the [PR #9](https://github.com/mtulio/ansible-collection-okd-installer/pull/9). + +[1] https://docs.ionos.com/ansible/ \ No newline at end of file 
diff --git a/docs/index.md b/docs/index.md index aecde2c..8cc238a 100644 --- a/docs/index.md +++ b/docs/index.md @@ -5,7 +5,8 @@ [![](https://img.shields.io/ansible/collection/1867)](https://galaxy.ansible.com/mtulio/okd_installer) -Ansible Collection to install OKD/OpenShift clusters with customization. +Ansible Collection okd-installer allow you to keep infrastructure required to deploy +OKD/OCP as a code in non-integrated providrs or UPI installation method. - [Summary](#summary) - [Content](#content) diff --git a/docs/modules/cfg-env-distribution-okdscos.md b/docs/modules/cfg-env-distribution-okdscos.md new file mode 100644 index 0000000..6ed31d4 --- /dev/null +++ b/docs/modules/cfg-env-distribution-okdscos.md @@ -0,0 +1,15 @@ + +### Distribution OKD SCOS + +To obtain the openshift installer and client, visit releases for stable versions or the [CI Release Controller](https://amd64.origin.releases.ci.openshift.org/) for nightlies. + +Export the variables related to deployment environment: + +```bash +## Distribution information +DISTRIBUTION="okd" +RELEASE_REPO=quay.io/okd/scos-release +VERSION=4.14.0-0.okd-scos-2023-08-17-022029 +RELEASE_VERSION=$VERSION +PULL_SECRET_FILE="{{ playbook_dir }}/../tests/config/pull-secret-okd-fake.json" +``` \ No newline at end of file diff --git a/docs/modules/cfg-okdc-varfile-oci.md b/docs/modules/cfg-okdc-varfile-oci.md new file mode 100644 index 0000000..6845488 --- /dev/null +++ b/docs/modules/cfg-okdc-varfile-oci.md 
@@ -0,0 +1,56 @@
+
+
+```bash
+# Platform External setup only
+cat <> ${VARS_FILE}
+cat < ~/.oci/env
+# Compartment that the cluster will be installed
+OCI_COMPARTMENT_ID=""
+
+# Compartment that the DNS Zone is created (based domain)
+OCI_COMPARTMENT_ID_DNS=""
+
+# Compartment that the OS Image will be created
+OCI_COMPARTMENT_ID_IMAGE=""
+EOF
+source ~/.oci/env
+
+
+# Platform External setup only
+cat <> ${VARS_FILE}
+
+oci_compartment_id: ${OCI_COMPARTMENT_ID}
+oci_compartment_id_dns: ${OCI_COMPARTMENT_ID_DNS}
+oci_compartment_id_image: ${OCI_COMPARTMENT_ID_IMAGE}
+
+
+# Define the OS Image mirror
+os_mirror: yes
+os_mirror_from: stream_artifacts
+os_mirror_stream:
+ architecture: x86_64
+ artifact: openstack
+ format: qcow2.gz
+
+os_mirror_to_provider: oci
+os_mirror_to_oci:
+ compartment_id: ${OCI_COMPARTMENT_ID_IMAGE}
+ bucket: rhcos-images
+ image_type: QCOW2
+
+
+# Available manifest paches (runs after 'create manifest' stage)
+config_patches:
+- rm-capi-machines
+- mc-kubelet-providerid
+- deploy-oci-ccm
+- deploy-oci-csi
+
+# MachineConfig to set the Kubelet environment. Will use this script to discover the ProviderID
+cfg_patch_kubelet_providerid_script: |
+ PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id);
+
+oci_ccm_namespace: oci-cloud-controller-manager
+
+EOF
+```
\ No newline at end of file
diff --git a/docs/modules/play-approve_certs.md b/docs/modules/play-approve_certs.md
new file mode 100644
index 0000000..164679a
--- /dev/null
+++ b/docs/modules/play-approve_certs.md
@@ -0,0 +1,21 @@ +#### Approve certificates + +The `create_all` already trigger the certificates approval with one default timeout. If the nodes was not yet joined to the cluster (`oc get nodes`) or still have pending certificates (`oc get csr`) due the short delay for approval, you can call it again with longer timeout: + +- Approve the certificates (default execution) + +```bash +ansible-playbook mtulio.okd_installer.approve_certs \ + -e provider=${CONFIG_PROVIDER} \ + -e cluster_name=${CONFIG_CLUSTER_NAME} +``` + +- Change the intervals to check (example 5 minutes) + +```bash +ansible-playbook mtulio.okd_installer.approve_certs \ + -e provider=${CONFIG_PROVIDER} \ + -e cluster_name=${CONFIG_CLUSTER_NAME} \ + -e certs_max_retries=3 \ + -e cert_wait_interval_sec=10 +``` \ No newline at end of file diff --git a/docs/modules/play-create_all.md b/docs/modules/play-create_all.md new file mode 100644 index 0000000..f64687a --- /dev/null +++ b/docs/modules/play-create_all.md @@ -0,0 +1,9 @@ + +### Install the cluster + +```bash +ansible-playbook mtulio.okd_installer.create_all \ + -e cert_max_retries=30 \ + -e cert_wait_interval_sec=60 \ + -e @$VARS_FILE +``` \ No newline at end of file diff --git a/docs/modules/play-create_all.sh b/docs/modules/play-create_all.sh new file mode 100644 index 0000000..f8a306d --- /dev/null +++ b/docs/modules/play-create_all.sh @@ -0,0 +1,4 @@ +ansible-playbook mtulio.okd_installer.create_all \ + -e cert_max_retries=30 \ + -e cert_wait_interval_sec=60 \ + -e @$VARS_FILE \ No newline at end of file diff --git a/docs/modules/play-destroy_cluster.md b/docs/modules/play-destroy_cluster.md new file mode 100644 index 0000000..f706ac8 --- /dev/null +++ b/docs/modules/play-destroy_cluster.md @@ -0,0 +1,5 @@ +### Destroy cluster + +```bash +--8<-- "docs/modules/play-destroy_cluster.sh" +``` \ No newline at end of file diff --git a/docs/modules/play-destroy_cluster.sh b/docs/modules/play-destroy_cluster.sh new file mode 100644 index 0000000..b33373a 
--- /dev/null +++ b/docs/modules/play-destroy_cluster.sh @@ -0,0 +1 @@ +ansible-playbook mtulio.okd_installer.destroy_cluster -e @$VARS_FILE \ No newline at end of file diff --git a/docs/modules/pre-cfg-varfile-external.md b/docs/modules/pre-cfg-varfile-external.md new file mode 100644 index 0000000..9b765e6 --- /dev/null +++ b/docs/modules/pre-cfg-varfile-external.md @@ -0,0 +1,6 @@ + +- okd-installer configuratoin for external platform type: + +```bash +--8<-- "docs/modules/pre-cfg-varfile-external.sh" +``` \ No newline at end of file diff --git a/docs/modules/pre-cfg-varfile-external.sh b/docs/modules/pre-cfg-varfile-external.sh new file mode 100644 index 0000000..41f8ca1 --- /dev/null +++ b/docs/modules/pre-cfg-varfile-external.sh @@ -0,0 +1,29 @@ +# Platform External setup only +cat << EOF >> ${VARS_FILE} + +# Define the OS Image mirror +os_mirror: yes +os_mirror_from: stream_artifacts +os_mirror_stream: + architecture: x86_64 + artifact: openstack + format: qcow2.gz + +os_mirror_to_provider: oci +os_mirror_to_oci: + compartment_id: ${OCI_COMPARTMENT_ID_IMAGE} + bucket: rhcos-images + image_type: QCOW2 + +# Available manifest paches (runs after 'create manifest' stage) +config_patches: +- rm-capi-machines +- mc-kubelet-providerid +- deploy-oci-ccm +- deploy-oci-csi + +# MachineConfig to set the Kubelet environment. Will use this script to discover the ProviderID +cfg_patch_kubelet_providerid_script: | + PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id); + +oci_ccm_namespace: oci-cloud-controller-manager \ No newline at end of file diff --git a/docs/modules/pre-cfg-varfile.md b/docs/modules/pre-cfg-varfile.md new file mode 100644 index 0000000..b9ace88 --- /dev/null +++ b/docs/modules/pre-cfg-varfile.md @@ -0,0 +1,6 @@ + +- Create the basic configuration for okd-installer: + +```bash +--8<-- "docs/modules/pre-cfg-varfile.sh" +``` 
diff --git a/docs/modules/pre-cfg-varfile.sh b/docs/modules/pre-cfg-varfile.sh new file mode 100644 index 0000000..dfd8bc9 --- /dev/null +++ b/docs/modules/pre-cfg-varfile.sh @@ -0,0 +1,17 @@ +# okd-installer config +cat < ${VARS_FILE} +provider: ${CONFIG_PROVIDER} +config_platform: ${CONFIG_PLATFORM} +cluster_name: ${CLUSTER_NAME} +config_cluster_region: ${CLUSTER_REGION} + +config_cluster_version: ${VERSION} +version: ${VERSION} + +cluster_profile: ha +destroy_bootstrap: no + +config_base_domain: ${CLUSTER_DOMAIN} +config_ssh_key: "$(cat ~/.ssh/openshift-dev.pub)" +config_pull_secret_file: "${PULL_SECRET_FILE}" +EOF \ No newline at end of file diff --git a/docs/modules/pre-env-aws-none.md b/docs/modules/pre-env-aws-none.md new file mode 100644 index 0000000..c6ac046 --- /dev/null +++ b/docs/modules/pre-env-aws-none.md @@ -0,0 +1,6 @@ + +- Set the Cloud Provider Name and the Platform Type (OKD/OpenShift): + +```bash +--8<-- "docs/modules/pre-env-aws-none.sh" +``` \ No newline at end of file diff --git a/docs/modules/pre-env-aws-none.sh b/docs/modules/pre-env-aws-none.sh new file mode 100644 index 0000000..8016a96 --- /dev/null +++ b/docs/modules/pre-env-aws-none.sh @@ -0,0 +1,3 @@ +# Provider Information +export CONFIG_PROVIDER=aws +export CONFIG_PLATFORM=none \ No newline at end of file diff --git a/docs/modules/pre-env-cfg.md b/docs/modules/pre-env-cfg.md new file mode 100644 index 0000000..1d92893 --- /dev/null +++ b/docs/modules/pre-env-cfg.md @@ -0,0 +1,6 @@ + +- Cluster configuration: + +```bash +--8<-- "docs/modules/pre-env-cfg.sh" +``` \ No newline at end of file diff --git a/docs/modules/pre-env-cfg.sh b/docs/modules/pre-env-cfg.sh new file mode 100644 index 0000000..4233e33 --- /dev/null +++ b/docs/modules/pre-env-cfg.sh @@ -0,0 +1,4 @@ +# Cluster Install Configuration +CLUSTER_NAME="mycluster" +CLUSTER_REGION=us-east-1 +CLUSTER_DOMAIN="aws.example.com" \ No newline at end of file 
diff --git a/docs/modules/pre-env-creds-aws.md b/docs/modules/pre-env-creds-aws.md new file mode 100644 index 0000000..efaee92 --- /dev/null +++ b/docs/modules/pre-env-creds-aws.md @@ -0,0 +1,6 @@ + +- AWS Credentials used by CLI: + +```bash +--8<-- "docs/modules/pre-env-creds-aws.sh" +``` \ No newline at end of file diff --git a/docs/modules/pre-env-creds-aws.sh b/docs/modules/pre-env-creds-aws.sh new file mode 100644 index 0000000..5c43bbf --- /dev/null +++ b/docs/modules/pre-env-creds-aws.sh @@ -0,0 +1,4 @@ +# AWS Credentials +AWS_ACCESS_KEY_ID="AK..." +AWS_SECRET_ACCESS_KEY="[superSecret]" +AWS_DEFAULT_REGION="${CLUSTER_REGION}" \ No newline at end of file diff --git a/docs/modules/pre-env-distribution-ocp.md b/docs/modules/pre-env-distribution-ocp.md new file mode 100644 index 0000000..a632607 --- /dev/null +++ b/docs/modules/pre-env-distribution-ocp.md @@ -0,0 +1,5 @@ +- **OpenShift**: + +```bash +--8<-- "docs/modules/pre-env-distribution-ocp.sh" +``` \ No newline at end of file diff --git a/docs/modules/pre-env-distribution-ocp.sh b/docs/modules/pre-env-distribution-ocp.sh new file mode 100644 index 0000000..0f3289b --- /dev/null +++ b/docs/modules/pre-env-distribution-ocp.sh @@ -0,0 +1,5 @@ +DISTRIBUTION="ocp" +RELEASE_REPO="quay.io/openshift-release-dev/ocp-release" +VERSION="4.14.0-rc.2" +RELEASE_VERSION="${VERSION}-x86_64" +PULL_SECRET_FILE="${HOME}/.openshift/pull-secret-latest.json" \ No newline at end of file diff --git a/docs/modules/pre-env-distribution-okd-fcos.md b/docs/modules/pre-env-distribution-okd-fcos.md new file mode 100644 index 0000000..98a5a9f --- /dev/null +++ b/docs/modules/pre-env-distribution-okd-fcos.md @@ -0,0 +1,5 @@ +- **OKD with FCOS**: + +```bash +--8<-- "docs/modules/pre-env-distribution-okd-fcos.sh" +``` \ No newline at end of file diff --git a/docs/modules/pre-env-distribution-okd-fcos.sh b/docs/modules/pre-env-distribution-okd-fcos.sh new file mode 100644 index 0000000..5c4776e --- /dev/null 
+++ b/docs/modules/pre-env-distribution-okd-fcos.sh @@ -0,0 +1,5 @@ +DISTRIBUTION="okd" +RELEASE_REPO=quay.io/openshift/okd +VERSION=4.12.0-0.okd-2023-04-16-041331 +RELEASE_VERSION=$VERSION +PULL_SECRET_FILE="{{ playbook_dir }}/../tests/config/pull-secret-okd-fake.json" \ No newline at end of file diff --git a/docs/modules/pre-env-distribution-okd-scos.md b/docs/modules/pre-env-distribution-okd-scos.md new file mode 100644 index 0000000..14bca88 --- /dev/null +++ b/docs/modules/pre-env-distribution-okd-scos.md @@ -0,0 +1,5 @@ +- **OKD with SCOS**: + +```bash +--8<-- "docs/modules/pre-env-distribution-okd-scos.sh" +``` \ No newline at end of file diff --git a/docs/modules/pre-env-distribution-okd-scos.sh b/docs/modules/pre-env-distribution-okd-scos.sh new file mode 100644 index 0000000..facd296 --- /dev/null +++ b/docs/modules/pre-env-distribution-okd-scos.sh @@ -0,0 +1,5 @@ +DISTRIBUTION="okd" +RELEASE_REPO=quay.io/okd/scos-release +VERSION=4.13.0-0.okd-scos-2023-05-04-192252 +RELEASE_VERSION=$VERSION +PULL_SECRET_FILE="{{ playbook_dir }}/../tests/config/pull-secret-okd-fake.json" \ No newline at end of file diff --git a/docs/modules/pre-env-distributions.md b/docs/modules/pre-env-distributions.md new file mode 100644 index 0000000..6f436ae --- /dev/null +++ b/docs/modules/pre-env-distributions.md @@ -0,0 +1,9 @@ +### Select the Distribution + +> For development releases, visit the Release Controller For [OKD](https://amd64.origin.releases.ci.openshift.org/) and [OpenShift](https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/) + +--8<-- "docs/modules/pre-env-distribution-ocp.md" + +--8<-- "docs/modules/pre-env-distribution-okd-scos.md" + +--8<-- "docs/modules/pre-env-distribution-okd-fcos.md" \ No newline at end of file diff --git a/examples/create-cluster.yaml b/examples/create-cluster.yaml new file mode 100644 index 0000000..12d5b62 --- /dev/null +++ b/examples/create-cluster.yaml 
@@ -0,0 +1,14 @@ +--- +# Usage examples +# +# OCI Platform None/Agnostic: +# $ ansible-playbook examples/create-cluster.yaml -e cluster_name +# -e @./examples/vars/common.yaml -e @./examples/vars/oci/common.yaml +# -e @./examples/vars/oci/ha-platform-none.yaml +# + +- name: install clients + ansible.builtin.import_playbook: mtulio.okd_installer.install_clients.yaml + +- name: create cluster + ansible.builtin.import_playbook: mtulio.okd_installer.create_all.yaml \ No newline at end of file diff --git a/examples/vars/common.yaml b/examples/vars/common.yaml new file mode 100644 index 0000000..333ef5a --- /dev/null +++ b/examples/vars/common.yaml @@ -0,0 +1,8 @@ +--- +config_base_domain: "{{ ansible_env['OKD_CONFIG_BASE_DOMAIN'] }}" +config_ssh_key: "{{ lookup('file', ansible_env['HOME'] + '/.ssh/id_rsa.pub') }}" +config_pull_secret_file: "{{ ansible_env['HOME'] }}/.openshift/pull-secret-latest.json" + +version: 4.12.8 + +destroy_bootstrap: no \ No newline at end of file diff --git a/examples/vars/oci/common.yaml b/examples/vars/oci/common.yaml new file mode 100644 index 0000000..eb951b4 --- /dev/null +++ b/examples/vars/oci/common.yaml @@ -0,0 +1,21 @@ +--- + +provider: oci +config_cluster_region: us-sanjose-1 + +oci_compartment_id: "{{ ansible_env['OCI_COMPARTMENT_ID'] }}" +oci_compartment_id_dns: "{{ ansible_env['OCI_COMPARTMENT_ID_DNS'] }}" +oci_compartment_id_image: "{{ ansible_env['OCI_COMPARTMENT_ID_IMAGE'] }}" + +os_mirror: yes +os_mirror_from: stream_artifacts +os_mirror_stream: + architecture: x86_64 + artifact: openstack + format: qcow2.gz + +os_mirror_to_provider: oci +os_mirror_to_oci: + compartment_id: "{{ oci_compartment_id_image }}" + bucket: "{{ oci_image_bucket | d(ansible_env['OS_MIRROR_IMAGE_BUCKET_NAME']) }}" + image_type: QCOW2 \ No newline at end of file diff --git a/examples/vars/oci/ha-platform-external-ccm-csi.yaml b/examples/vars/oci/ha-platform-external-ccm-csi.yaml new file mode 100644 index 0000000..ab48cc5 --- /dev/null 
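Review bot: `destroy_bootstrap: no` in examples/vars/common.yaml, and `os_mirror: yes` in the examples/vars/oci/common.yaml hunk on the same line, rely on YAML 1.1 truthy words that ansible-lint's yaml[truthy] rule rejects; write `destroy_bootstrap: false` and `os_mirror: true`. `version: 4.12.8` only stays a string because it has two dots — a two-component value such as `4.13` would load as a float — so quoting it, `version: "4.12.8"`, keeps the example safe to copy. The `bucket` default in the OCI file, `d(ansible_env['OS_MIRROR_IMAGE_BUCKET_NAME'])`, still errors when neither `oci_image_bucket` nor the environment variable is set; a comment naming the variable a user must export would make that failure easier to diagnose.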
+++ b/examples/vars/oci/ha-platform-external-ccm-csi.yaml @@ -0,0 +1,21 @@ +--- +cluster_profile: ha + +version: 4.13.0-rc.0 +config_installer_environment: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: "quay.io/mrbraga/ocp-release:4.13.0-rc.0-x86_64_platexternal-kcmo-mco-3cmo" + +config_patches: +- rm-capi-machines +- mc-kubelet-providerid +- deploy-oci-ccm +- deploy-oci-csi +- yaml_patch + +cfg_patch_yaml_patch_specs: + ## patch infra object to create External provider + - manifest: /manifests/cluster-infrastructure-02-config.yml + patch: '{"spec":{"platformSpec":{"type":"External","external":{"platformName":"oci"}}},"status":{"platform":"External","platformStatus":{"type":"External","external":{}}}}' + +cfg_patch_kubelet_providerid_script: | + PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id); \ No newline at end of file diff --git a/examples/vars/oci/ha-platform-external-ccm.yaml b/examples/vars/oci/ha-platform-external-ccm.yaml new file mode 100644 index 0000000..fa1d3f6 --- /dev/null +++ b/examples/vars/oci/ha-platform-external-ccm.yaml @@ -0,0 +1,20 @@ +--- +cluster_profile: ha + +version: 4.13.0-rc.0 +config_installer_environment: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: "quay.io/mrbraga/ocp-release:4.13.0-rc.0-x86_64_platexternal-kcmo-mco-3cmo" + +config_patches: +- rm-capi-machines +- mc-kubelet-providerid +- deploy-oci-ccm +- yaml_patch + +cfg_patch_yaml_patch_specs: + ## patch infra object to create External provider + - manifest: /manifests/cluster-infrastructure-02-config.yml + patch: '{"spec":{"platformSpec":{"type":"External","external":{"platformName":"oci"}}},"status":{"platform":"External","platformStatus":{"type":"External","external":{}}}}' + +cfg_patch_kubelet_providerid_script: | + PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id); \ No newline at end of file 
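Review bot: In `cfg_patch_kubelet_providerid_script` the `\$(curl …)` escape is carried verbatim by the YAML literal block, so unless the consuming role strips the backslash the script text handed to the MachineConfig reads `PROVIDERID=\$(curl …)`; the same construct is correct in docs/modules/pre-cfg-varfile-external.sh because a heredoc consumes the backslash there, but in these var files the line should be `PROVIDERID=$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id);`. This applies equally to the ha-platform-external-ccm.yaml hunk on this line and the ha-platform-external.yaml hunk on the next. Separately, `OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE` in these three examples points at a personal repository by mutable tag (`quay.io/mrbraga/ocp-release:…`), so anyone copying the example boots a cluster from a payload whose provenance the example does not pin; pin it by digest or add a comment marking it as a development-only override that must be replaced.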
diff --git a/examples/vars/oci/ha-platform-external.yaml b/examples/vars/oci/ha-platform-external.yaml new file mode 100644 index 0000000..bba75b0 --- /dev/null +++ b/examples/vars/oci/ha-platform-external.yaml @@ -0,0 +1,19 @@ +--- +cluster_profile: ha + +version: 4.13.0-rc.0 +config_installer_environment: + OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: "quay.io/mrbraga/ocp-release:4.13.0-rc.0-x86_64_platexternal-kcmo-mco-3cmo" + +config_patches: +- rm-capi-machines +- mc-kubelet-providerid +- yaml_patch + +cfg_patch_yaml_patch_specs: + ## patch infra object to create External provider + - manifest: /manifests/cluster-infrastructure-02-config.yml + patch: '{"spec":{"platformSpec":{"type":"External","external":{"platformName":"oci"}}},"status":{"platform":"External","platformStatus":{"type":"External","external":{}}}}' + +cfg_patch_kubelet_providerid_script: | + PROVIDERID=\$(curl -H "Authorization: Bearer Oracle" -sL http://169.254.169.254/opc/v2/instance/ | jq -r .id); \ No newline at end of file diff --git a/examples/vars/oci/ha-platform-none-csi.yaml b/examples/vars/oci/ha-platform-none-csi.yaml new file mode 100644 index 0000000..a21f7d6 --- /dev/null +++ b/examples/vars/oci/ha-platform-none-csi.yaml @@ -0,0 +1,6 @@ +--- +cluster_profile: ha + +config_patches: +- rm-capi-machines +- deploy-oci-csi \ No newline at end of file diff --git a/examples/vars/oci/ha-platform-none.yaml b/examples/vars/oci/ha-platform-none.yaml new file mode 100644 index 0000000..f45d765 --- /dev/null +++ b/examples/vars/oci/ha-platform-none.yaml @@ -0,0 +1,5 @@ +--- +cluster_profile: ha + +config_patches: +- rm-capi-machines \ No newline at end of file diff --git a/hack/Containerfile b/hack/Containerfile index 78a516c..90b6013 100644 --- a/hack/Containerfile +++ b/hack/Containerfile 
@@ -1,8 +1,17 @@ FROM quay.io/centos/centos:stream9 -ENV ANSIBLE_UNSAFE_WRITES=1 +ARG QUAY_EXPIRATION=1w +ARG TARGETARCH=amd64 +ARG TARGETPLATFORM +ARG TARGETOS=linux +LABEL quay.expires-after="${QUAY_EXPIRATION}" \ + architecture="$TARGETARCH" \ + platform="$TARGETPLATFORM" \ + os="$TARGETOS" -WORKDIR /okd-installer +ENV ANSIBLE_UNSAFE_WRITES=1 +WORKDIR /opt/okd-installer +ENV ANSIBLE_HOME=/opt/okd-installer RUN dnf install python3-pip -y \ && dnf clean all diff --git a/hack/ci/deploy.yml b/hack/ci/deploy.yml index 6ab5c83..67760a0 100644 --- a/hack/ci/deploy.yml +++ b/hack/ci/deploy.yml @@ -12,10 +12,10 @@ pre_tasks: - name: Verify none of the git submodules need updates. command: > - git submodule update --recursive --remote + git submodule update --recursive chdir={{ collection_root }} register: git_update - failed_when: git_update.stdout != '' + #failed_when: git_update.stdout != '' tags: build - name: Ensure the ~/.ansible directory exists. diff --git a/mkdocs.yaml b/mkdocs.yaml index 8de383c..86463e5 100644 --- a/mkdocs.yaml +++ b/mkdocs.yaml @@ -38,6 +38,9 @@ theme: - search.suggest - content.tabs.link + # copy clipboard + - content.code.copy + font: text: Roboto code: Roboto Mono 
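Review bot: In hack/ci/deploy.yml, with `failed_when` commented out the task still named "Verify none of the git submodules need updates." can no longer fail on pending updates, and `register: git_update` is left unused, so the name now misdescribes a best-effort `git submodule update`; either rename it (e.g. `- name: Update git submodules.`) or keep the register meaningful with `changed_when: git_update.stdout != ''`. If the commented line is kept, write it as `# failed_when: …` with a space after `#` so yamllint's comments rule passes. The enclosing play starts outside the hunk.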
@@ -64,31 +67,77 @@ markdown_extensions: - name: mermaid class: mermaid format: !!python/name:pymdownx.superfences.fence_code_format + # enable modules (include md files) + - pymdownx.snippets: + check_paths: true + + # copy clipboard feature (content.code.copy) + - pymdownx.highlight: + anchor_linenums: true + line_spans: __span + pygments_lang_class: true + - pymdownx.inlinehilite + - pymdownx.superfences nav: - Home: - index.md - How it works: Getting-started.md + - Guides: + - guides/index.md + - AWS: + - guides/AWS/index.md + - guides/AWS/installing-quickly-agnostic.md + - Installing SNO with Ephemeral storage: guides/AWS/aws-sno.md + - Scripts: + - guides/AWS/script/installing-quickly-agnostic.md + - "-> Review In Progress:": TODO.md + - Installing HA Topology with UPI and Platform Agnostic: guides/AWS/aws-agnostic.md + - Installing HA Topology with UPI: guides/AWS/aws-upi.md + - Installing HA Topology UPI BYO Network: guides/AWS/aws-upi-byo-network.md + - Oracle Cloud Infrastructure: + - guides/OCI/index.md + - Prerequisites: guides/OCI/prerequisites.md + - Installing a cluster quickly on OCI with platform agnostic (None): guides/OCI/installing-quickly-agnostic.md + - Installing a cluster quickly on OCI with platform external (External): guides/OCI/installing-quickly-external.md + - Installing a cluster on OCI with infrastructure customizations: guides/OCI/installing-customization-infra.md + - Installing a cluster on OCI using platform external (External) with CCM customizations: guides/OCI/installing-customization-external.md + - Installing a cluster on OCI with Assisted Installer: guides/OCI/installing-assisted-installer.md + - Setting up the registry storage with OCI Bucket: guides/OCI/setting-registry-storage-bucket.md + - Lab / Examples distributed/reused vars: guides/OCI/lab-examples-custom-vars.md + - Testing the installation with Kubernetes/OpenShift conformance test suites: guides/OCI/testing-opct-conformance.md + - hack/platform external 
development/building custom components in OKD: guides/OCI/hack/dev-platform-external-custom-release.md + - Dev Call - Cloud Provider Opportunities for OKD: guides/opportunities.md - Deployment: - deployment/index.md - Installation Guide: deployment/installing.md - Configurations: deployment/configuration.md - Playbooks: - deployment/playbooks/index.md - - Installing Clients: deployment/playbooks/install-clients.md - - Create Cluster: TODO.md - - Destroy Cluster: TODO.md - - Config Create: TODO.md - - Config Manifest: TODO.md - - Config Patch Manifests: TODO.md - - Config Ignitions: TODO.md - - OS Mirror: TODO.md - - Stack IAM: TODO.md - - Stack Network: TODO.md - - Stack DNS: TODO.md - - Stack Load Balancer: TODO.md - - Stack Compute: TODO.md - - Approve Certificates: TODO.md + - approve_certs: TODO.md + - config_load: TODO.md + - create_all: TODO.md + - create_node: TODO.md + - create_node_all: TODO.md + - config_dump: TODO.md + - config: + - TODO.md + - Config Manifest: TODO.md + - Config Patch Manifests: TODO.md + - Config Ignitions: TODO.md + - create_imageregistry: TODO.md + - destroy_cluster: TODO.md + - destroy_bootstrap: TODO.md + - install_clients: TODO.md + - os_mirror: TODO.md + - stack_dns: TODO.md + - stack_loadbalancer: TODO.md + - stack_iam: TODO.md + - stack_network: TODO.md + - ping: TODO.md + - var_check_required: TODO.md + - Global Vars: + - TODO.md - Roles: - deployment/roles/index.md - clients: TODO.md 
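Review bot: `pymdownx.superfences` is now listed twice in `markdown_extensions` — once above the hunk carrying the mermaid `custom_fences` configuration and again as a bare entry at the end of the added block; as far as I recall mkdocs deduplicates the extension list and keeps the first entry's config, so the bare entry is redundant and reads as if it replaced the mermaid setup — drop it. The `--8<-- "docs/modules/…"` include paths used by the new docs resolve against the snippets extension's default `base_path`, i.e. the directory mkdocs is run from, so a comment such as `# snippet paths are relative to the repo root; run mkdocs from there` next to `check_paths: true` would save the next person a confusing build failure.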
@@ -102,19 +151,6 @@ nav: - cloud_load_balancer: TODO.md - cloud_network: TODO.md - Integrating Provider: deployment/integrating.md - - Guides: - - guides/index.md - - AWS: - - guides/AWS/index.md - - Installing HA Topology with UPI: guides/AWS/aws-upi.md - - Installing HA Topology with UPI and Platform Agnostic: guides/AWS/aws-agnostic.md - - Installing SNO with Ephemeral storage: guides/AWS/aws-sno.md - - Installing HA Topology UPI BYO Network: guides/AWS/aws-upi-byo-network.md - # - Digital Ocean: TODO.md - # - Oracle Cloud: - # - Installing HA Topology with UPI and Platform Agnostic: TODO.md - # - Installing HA Topology with UPI and Platform External: TODO.md - # - Installing HA Topology with UPI and Platform External and CSI Driver: TODO.md #- Examples: TODO.md - Development: - development/index.md diff --git a/playbooks/create_all.yaml b/playbooks/create_all.yaml index a7f6031..f2d8e1f 100644 --- a/playbooks/create_all.yaml +++ b/playbooks/create_all.yaml @@ -9,6 +9,9 @@ ansible.builtin.set_fact: okdi_call_timer_start: "{{ ansible_date_time.date }} {{ ansible_date_time.time }}" +- name: OKD Installer | Create all | Clients install + ansible.builtin.import_playbook: install_clients.yaml + - name: OKD Installer | Create all | Config | create config ansible.builtin.import_playbook: config.yaml vars: diff --git a/playbooks/destroy_cluster.yaml b/playbooks/destroy_cluster.yaml index a3971ee..e4a83ca 100644 --- a/playbooks/destroy_cluster.yaml +++ b/playbooks/destroy_cluster.yaml @@ -76,4 +76,4 @@ ansible.builtin.debug: msg: - "start=[{{ okdi_del_timer_start | d('') }}] end=[{{ okdi_del_timer_end }}]" - - "total=[{{ ((okdi_del_timer_end | to_datetime) - (okdi_del_timer_start | to_datetime)) }}]" \ No newline at end of file + - "total=[{{ ((okdi_del_timer_end | to_datetime) - (okdi_del_timer_start | to_datetime)) }}]" 
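Review bot: `create_all.yaml` now imports `install_clients.yaml` unconditionally, while examples/create-cluster.yaml added in this same commit imports `install_clients` immediately before `create_all`, so that example runs the client installation twice; drop the first import from the example or document on this new line that `create_all` already includes it. Whether the install is idempotent (re-downloading the installer and client on every run) is not visible here; if it is not, a guard variable on the import would be worth adding. The play continues outside the hunk.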
diff --git a/playbooks/vars/aws/profiles/HighlyAvailable/network.yaml b/playbooks/vars/aws/profiles/HighlyAvailable/network.yaml index ca6da74..628f867 100644 --- a/playbooks/vars/aws/profiles/HighlyAvailable/network.yaml +++ b/playbooks/vars/aws/profiles/HighlyAvailable/network.yaml @@ -131,11 +131,6 @@ cloud_networks: - dest: 0.0.0.0/0 gw_type: igw - # - name: "{{ cluster_state.infra_id }}-rt-public-edge" - # routes: - # - dest: 0.0.0.0/0 - # gw_type: cagw - subnets: - name: "{{ cluster_state.infra_id }}-net-public-1a" az: us-east-1a @@ -169,34 +164,14 @@ cloud_networks: route_table: "{{ cluster_state.infra_id }}-rt-private-1c" map_public: false - # # Edge (Local Zone) subnets - # - name: "{{ cluster_state.infra_id }}-net-public-nyc-lz-1a" - # az: us-east-1-nyc-1a - # cidr: 10.0.60.0/22 - # route_table: "{{ cluster_state.infra_id }}-rt-public" - # map_public: true - - # - name: "{{ cluster_state.infra_id }}-net-private-nyc-lz-1a" - # az: us-east-1-nyc-1a - # cidr: 10.0.64.0/22 - # route_table: "{{ cluster_state.infra_id }}-rt-private-1a" - # map_public: false - - # # Edge (Wavelength) subnets - # - name: "{{ cluster_state.infra_id }}-net-public-nyc-wlz-1" - # az: us-east-1-wl1-nyc-wlz-1 - # cidr: 10.0.68.0/22 - # route_table: "{{ cluster_state.infra_id }}-rt-public-edge" - # map_public: false - - endpoint_services: - - name: s3 - service: com.amazonaws.us-east-1.s3 - route_tables: - - "{{ cluster_state.infra_id }}-rt-public" - - "{{ cluster_state.infra_id }}-rt-private-1a" - - "{{ cluster_state.infra_id }}-rt-private-1b" - - "{{ cluster_state.infra_id }}-rt-private-1c" + # endpoint_services: + # - name: s3 + # service: com.amazonaws.us-east-1.s3 + # route_tables: + # - "{{ cluster_state.infra_id }}-rt-public" + # - "{{ cluster_state.infra_id }}-rt-private-1a" + # - "{{ cluster_state.infra_id }}-rt-private-1b" + # - "{{ cluster_state.infra_id }}-rt-private-1c" # - "{{ cluster_state.infra_id }}-rt-public-edge" # - name: ec2 
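Review bot: Commenting out `endpoint_services` removes the S3 gateway endpoint from the public and three private route tables, so anything in the private subnets that fetches from S3 (image or ignition artifacts, if this profile uses them) now leaves the VPC through the NAT gateway, with the egress cost and exposure that implies; the hunk carries no comment explaining why, so `# endpoint_services disabled: <reason>` above the block would help. Note also that this profile keeps `us-east-1a` and `com.amazonaws.us-east-1.s3` hard-coded while the SingleReplica profile in this same commit switches to `cluster_state.region`; aligning the two would avoid an HA install in another region failing on AZ names. The `cloud_networks` mapping starts outside the hunk.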
diff --git a/playbooks/vars/aws/profiles/HighlyAvailable/node-bootstrap.yaml b/playbooks/vars/aws/profiles/HighlyAvailable/node-bootstrap.yaml index 966bcb9..f4c72f8 100644 --- a/playbooks/vars/aws/profiles/HighlyAvailable/node-bootstrap.yaml +++ b/playbooks/vars/aws/profiles/HighlyAvailable/node-bootstrap.yaml @@ -6,7 +6,7 @@ openshift_instance_type: "{{ controlplane_instance | d('m6i.xlarge') }}" openshift_instance_profile: "{{ cluster_state.compute.iam_profile_bootstrap }}" # TODO: fix image lookup for agnostic installations #openshift_image_id: "{{ cluster_state.compute.image_id }}" -openshift_image_id: "ami-0722eb0819717090f" +openshift_image_id: "{{ custom_image_id | d('ami-0a4a3456fc86deabc') }}" openshift_subnet_name: "{{ openshift_prefix }}-net-public-1a" openshift_security_groups: - "{{ openshift_prefix }}-bootstrap-sg" diff --git a/playbooks/vars/aws/profiles/HighlyAvailable/node-compute.yaml b/playbooks/vars/aws/profiles/HighlyAvailable/node-compute.yaml index d510475..80a814f 100644 --- a/playbooks/vars/aws/profiles/HighlyAvailable/node-compute.yaml +++ b/playbooks/vars/aws/profiles/HighlyAvailable/node-compute.yaml @@ -5,7 +5,7 @@ openshift_instance_type: "{{ compute_instance | d('m6i.xlarge') }}" openshift_instance_profile: "{{ cluster_state.compute.iam_profile_compute }}" # TODO: fix image lookup for agnostic installations #openshift_image_id: "{{ cluster_state.compute.image_id }}" -openshift_image_id: "ami-0722eb0819717090f" +openshift_image_id: "{{ custom_image_id | d('ami-0a4a3456fc86deabc') }}" openshift_security_groups: - "{{ openshift_prefix }}-compute-sg" openshift_tags: "{{ cluster_state.tags }}" diff --git a/playbooks/vars/aws/profiles/HighlyAvailable/node-controlplane.yaml b/playbooks/vars/aws/profiles/HighlyAvailable/node-controlplane.yaml index e672597..4427db8 100644 --- a/playbooks/vars/aws/profiles/HighlyAvailable/node-controlplane.yaml +++ b/playbooks/vars/aws/profiles/HighlyAvailable/node-controlplane.yaml 
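Review bot: `openshift_image_id: "{{ custom_image_id | d('ami-0a4a3456fc86deabc') }}"` silently falls back to a hard-coded AMI when `custom_image_id` is unset; AMI IDs are region-specific and nothing here records which RHCOS/FCOS build or region `ami-0a4a3456fc86deabc` corresponds to, so an operator gets an unknown image with no signal. Given the `# TODO: fix image lookup` directly above, failing loudly until the lookup exists is safer, `openshift_image_id: "{{ custom_image_id | mandatory }}"`, or at minimum a comment recording the build and region the default was taken from. The same default is repeated in the node-compute.yaml hunk on this line and the node-controlplane.yaml hunk on the next.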
@@ -4,7 +4,7 @@ openshift_instance_type: "{{ controlplane_instance | d('m6i.xlarge') }}" openshift_instance_profile: "{{ cluster_state.compute.iam_profile_controlplane }}" # TODO: fix image lookup for agnostic installations #openshift_image_id: "{{ custom_image_id |d(cluster_state.compute.image_id) }}" -openshift_image_id: "ami-0722eb0819717090f" +openshift_image_id: "{{ custom_image_id | d('ami-0a4a3456fc86deabc') }}" openshift_security_groups: - "{{ openshift_prefix }}-bootstrap-sg" - "{{ openshift_prefix }}-controlplane-sg" diff --git a/playbooks/vars/aws/profiles/SingleReplica/network.yaml b/playbooks/vars/aws/profiles/SingleReplica/network.yaml index 54d13d3..e4cfc8a 100644 --- a/playbooks/vars/aws/profiles/SingleReplica/network.yaml +++ b/playbooks/vars/aws/profiles/SingleReplica/network.yaml @@ -84,7 +84,7 @@ cloud_networks: - name: "{{ cluster_state.infra_id }}-vpc" block: "{{ okd_net_default_cidr }}" provider: aws - region: "{{ provider_region }}" + region: "{{ cluster_state.region }}" security_groups: "{{ security_groups | d([]) }}" tags: "{{ cluster_state.tags | d({}) }}" @@ -109,20 +109,20 @@ cloud_networks: subnets: - name: "{{ cluster_state.infra_id }}-net-public-1a" - az: "{{ provider_region }}a" + az: "{{ cluster_state.region }}a" cidr: 10.0.16.0/22 route_table: "{{ cluster_state.infra_id }}-rt-public" map_public: yes - name: "{{ cluster_state.infra_id }}-net-private-1a" - az: "{{ provider_region }}a" + az: "{{ cluster_state.region }}a" cidr: 10.0.48.0/22 route_table: "{{ cluster_state.infra_id }}-rt-private" map_public: no endpoint_services: - name: s3 - service: "com.amazonaws.{{ provider_region }}.s3" + service: "com.amazonaws.{{ cluster_state.region }}.s3" route_tables: - "{{ cluster_state.infra_id }}-rt-public" - "{{ cluster_state.infra_id }}-rt-private" diff --git a/playbooks/vars/oci/profiles/default b/playbooks/vars/oci/profiles/default new file mode 120000 index 0000000..cca3261 --- /dev/null +++ b/playbooks/vars/oci/profiles/default 
@@ -0,0 +1 @@ +ha \ No newline at end of file diff --git a/playbooks/vars/oci/profiles/ha/destroy_resources.yaml b/playbooks/vars/oci/profiles/ha/destroy_resources.yaml new file mode 100644 index 0000000..d90f3e7 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/destroy_resources.yaml @@ -0,0 +1,24 @@ +--- +# placeholder +okd_cluster_destroy_instances_compartment_id: "{{ oci_compartment_id }}" +okd_cluster_destroy_instances: + - name: "{{ cluster_state.infra_id }}-bootstrap" + - name: "{{ cluster_state.infra_id }}-master-01" + - name: "{{ cluster_state.infra_id }}-master-02" + - name: "{{ cluster_state.infra_id }}-master-03" + - name: "{{ cluster_state.infra_id }}-worker-01" + - name: "{{ cluster_state.infra_id }}-worker-02" + - name: "{{ cluster_state.infra_id }}-worker-03" + wait: yes + wait_timeout: 120 + +okd_cluster_destroy_dns_compartment_id: "{{ oci_compartment_id_dns | d(oci_compartment_id) }}" +okd_cluster_destroy_dns_records: + zone_name_or_id: "{{ cluster_state.dns.base_domain }}" + patch_items_spec: + - operation: REMOVE + domain: "api.{{ cluster_state.dns.cluster_domain }}" + - operation: REMOVE + domain: "api-int.{{ cluster_state.dns.cluster_domain }}" + - operation: REMOVE + domain: "*.apps.{{ cluster_state.dns.cluster_domain }}" \ No newline at end of file diff --git a/playbooks/vars/oci/profiles/ha/dns.yaml b/playbooks/vars/oci/profiles/ha/dns.yaml new file mode 100644 index 0000000..0a9c737 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/dns.yaml 
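Review bot: As rendered here, `wait: yes` and `wait_timeout: 120` sit at the indentation of the `- name:` entries under `okd_cluster_destroy_instances`, which is a YAML parse error (a mapping key where the parser expects another sequence entry); if they are per-instance options they must be indented under each item, and if they are module options they belong at the top level next to `okd_cluster_destroy_instances`. The instance list is also fixed at one bootstrap, three masters and three workers, so if the compute profile creates a different number of nodes the extras would survive a destroy; a comment stating that this list must match the compute profile would help. Prefer `wait: true` over `yes` either way.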
@@ -0,0 +1,24 @@ +--- + +# https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_dns_zone_module.html#ansible-collections-oracle-oci-oci-dns-zone-module + +cloud_dns_zones: + # public + - name: "{{ cluster_state.dns.base_domain }}" + provider: oci + spec: + # scope: GLOBAL + # zone_type: PRIMARY + compartment_id: "{{ oci_compartment_id_dns | d(oci_compartment_id) }}" + + # OCI is using subnet's zone. + # TODO: Need to check if will not conflict with custom private zone. + # Currently the cluster is resolving the DNS using the public zone. + # private + # - name: "{{ cluster_state.dns.cluster_domain }}" + # provider: oci + # view_name: "{{ cluster_state.infra_id }}-vcn" + # spec: + # scope: PRIVATE + # zone_type: PRIMARY + # compartment_id: "{{ oci_compartment_id_dns | d(oci_compartment_id) }}" diff --git a/playbooks/vars/oci/profiles/ha/iam.yaml b/playbooks/vars/oci/profiles/ha/iam.yaml new file mode 100644 index 0000000..02eb760 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/iam.yaml @@ -0,0 +1,2 @@ +--- +# placeholder diff --git a/playbooks/vars/oci/profiles/ha/loadbalancer-router-default.yaml b/playbooks/vars/oci/profiles/ha/loadbalancer-router-default.yaml new file mode 100644 index 0000000..02eb760 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/loadbalancer-router-default.yaml @@ -0,0 +1,2 @@ +--- +# placeholder diff --git a/playbooks/vars/oci/profiles/ha/loadbalancer.yaml b/playbooks/vars/oci/profiles/ha/loadbalancer.yaml new file mode 100644 index 0000000..69aface --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/loadbalancer.yaml 
@@ -0,0 +1,187 @@ +--- + +cloud_load_balancer_provider: oci + +# BackendSet +# https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_network_load_balancer_backend_set_module.html#ansible-collections-oracle-oci-oci-network-load-balancer-backend-set-module +# cloud_loadbalancer_targets: +# - name: "{{ cluster_state.infra_id }}-aext" +# provider: oci +# spec: +# name: "{{ cluster_state.infra_id }}-aext" +# compartment_id: "{{ oci_compartment_id }}" +# is_preserve_source: no +# ip_version: IPV4 +# #policy: TWO_TUPLE +# #backends: [] +# health_checker: +# port: 6443 +# protocol: HTTPS +# return_code: 200 +# url_path: /readyz +# interval_in_millis: 10000 +# timeout_in_millis: 3000 + + +# OCI NLB: https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_network_load_balancer_module.html#ansible-collections-oracle-oci-oci-network-load-balancer-module +cloud_loadbalancers: + - name: "{{ cluster_state.infra_id }}-nlb" + provider: oci + type: network + + # Is it supported multi-subnets? 
+ subnet_name: "{{ cluster_state.infra_id }}-net-public" + nsg_name: "{{ cluster_state.infra_id }}-nsg-nlb" + spec: + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-nlb" + is_private: false + is_preserve_source_destination: false + nlb_ip_version: IPV4 + #freeform_tags: "{{ cluster_state.tags }}" + +# BackendSet +# https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_network_load_balancer_backend_set_module.html#ansible-collections-oracle-oci-oci-network-load-balancer-backend-set-module + backend_set: + - provider: oci + spec: + name: "{{ cluster_state.infra_id }}-api" + is_preserve_source: false + ip_version: IPV4 + policy: FIVE_TUPLE + #backends: [] + health_checker: + port: 6443 + protocol: HTTPS + return_code: 200 + url_path: /readyz + interval_in_millis: 10000 + timeout_in_millis: 3000 + + - provider: oci + spec: + name: "{{ cluster_state.infra_id }}-mcs" + is_preserve_source: false + ip_version: IPV4 + policy: FIVE_TUPLE + #backends: [] + health_checker: + port: 22623 + protocol: HTTPS + return_code: 200 + url_path: /healthz + interval_in_millis: 10000 + timeout_in_millis: 3000 + + - provider: oci + spec: + name: "{{ cluster_state.infra_id }}-ingress-http" + is_preserve_source: false + ip_version: IPV4 + policy: FIVE_TUPLE + #backends: [] # TCP/31794 + health_checker: + port: 80 + protocol: TCP + # return_code: 200 + # url_path: /healthz + interval_in_millis: 10000 + timeout_in_millis: 3000 + + - provider: oci + spec: + name: "{{ cluster_state.infra_id }}-ingress-https" + is_preserve_source: false + ip_version: IPV4 + #policy: TWO_TUPLE + #backends: [] # TCP/32186 + health_checker: + port: 443 + protocol: TCP + # return_code: 200 + # url_path: /healthz + interval_in_millis: 10000 + timeout_in_millis: 3000 + + # 
https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_network_load_balancer_listener_module.html#ansible-collections-oracle-oci-oci-network-load-balancer-listener-module + listeners: + - spec: + name: "{{ cluster_state.infra_id }}-api" + default_backend_set_name: "{{ cluster_state.infra_id }}-api" + ip_version: IPV4 + port: 6443 + protocol: TCP + + - spec: + name: "{{ cluster_state.infra_id }}-mcs" + default_backend_set_name: "{{ cluster_state.infra_id }}-mcs" + ip_version: IPV4 + port: 22623 + protocol: TCP + + - spec: + name: "{{ cluster_state.infra_id }}-ingress-http" + default_backend_set_name: "{{ cluster_state.infra_id }}-ingress-http" + ip_version: IPV4 + port: 80 + protocol: TCP + + - spec: + name: "{{ cluster_state.infra_id }}-ingress-https" + default_backend_set_name: "{{ cluster_state.infra_id }}-ingress-https" + ip_version: IPV4 + port: 443 + protocol: TCP + + callbacks: + - name: register_dns + rr_ip: public + spec: + zone_name_or_id: "{{ cluster_state.dns.base_domain }}" + compartment_id: "{{ oci_compartment_id_dns | d(oci_compartment_id) }}" + scope: GLOBAL + patch_items: + - domain: "api.{{ cluster_state.dns.cluster_domain }}" + rtype: A + ttl: 300 + - domain: "*.apps.{{ cluster_state.dns.cluster_domain }}" + rtype: A + ttl: 300 + - name: register_dns + rr_ip: private + spec: + zone_name_or_id: "{{ cluster_state.dns.base_domain }}" + compartment_id: "{{ oci_compartment_id_dns | d(oci_compartment_id) }}" + scope: GLOBAL + patch_items: + - domain: "api-int.{{ cluster_state.dns.cluster_domain }}" + rtype: A + ttl: 300 + + # # private address + # - name: register_dns + # rr_ip: private + # view_name: "{{ cluster_state.infra_id }}-vcn" + # spec: + # zone_name_or_id: "{{ cluster_state.dns.cluster_domain }}" + # compartment_id: "{{ oci_compartment_id }}" + # scope: PRIVATE + # patch_items: + # - domain: "api-int.{{ cluster_state.dns.cluster_domain }}" + # rtype: A + # ttl: 300 + + # - name: register_dns + # 
rr_ip: public + # view_name: "{{ cluster_state.infra_id }}-vcn" + # spec: + # zone_name_or_id: "{{ cluster_state.dns.cluster_domain }}" + # compartment_id: "{{ oci_compartment_id }}" + # scope: PRIVATE + # patch_items: + # - domain: "api.{{ cluster_state.dns.cluster_domain }}" + # rtype: A + # ttl: 300 + # - domain: "*.apps.{{ cluster_state.dns.cluster_domain }}" + # rtype: A + # ttl: 300 diff --git a/playbooks/vars/oci/profiles/ha/network.yaml b/playbooks/vars/oci/profiles/ha/network.yaml new file mode 100644 index 0000000..54869c6 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/network.yaml 
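Review bot: The `-mcs` listener places TCP/22623 on an NLB created with `is_private: false`, and `api-int` is registered to that same public NLB, so the Machine Config Server — which serves node Ignition configs (certificates, pull secret) with at best weak client authentication — is internet-reachable as soon as the NSG allows it, and network.yaml's `-nsg-nlb` does allow 22623 from `0.0.0.0/0`. The installer-provisioned topologies keep 22623 behind an internal load balancer only; the equivalent here is a second `cloud_loadbalancers` entry with `is_private: true` on `-net-private` carrying the `-mcs` (and ideally an internal `-api`) listener, with the `api-int` callback pointing at it. If a single NLB must stay for now, the 22623 NSG source has to be narrowed to the VCN CIDR and that limitation documented next to the listener. Also `-ingress-https` leaves `policy` commented out while the other three backend sets declare `FIVE_TUPLE`; make them consistent so the NLB does not silently fall back to a different distribution policy for HTTPS.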
@@ -0,0 +1,332 @@ +################################ +# AWS Networks +# AWS us-east-1: 10.0.0.0/16 (to 10.0.255.255/16) +# AWS : 10.23.0.0/16 (to 10.23.255.255/19) + +######################### + +# TODO: fix those rules to more restrictive. This is used to dev env. +# security_groups: [] + +cloud_networks: + ## OCI US San Jose 1 (HA topology) + - name: "{{ cluster_state.infra_id }}-vcn" + block: "{{ okd_net_default_cidr }}" + provider: oci + region: "{{ config_cluster_region }}" + compartment_id: "{{ oci_compartment_id }}" + + security_groups: "{{ security_groups | d([]) }}" + tags: "{{ cluster_state.tags | d({}) }}" + + spec_vcn: + dns_label: ocp + + internet_gateway: + spec: + is_enabled: yes + display_name: "{{ cluster_state.infra_id }}-igw" + + nat_gateway: + spec: + display_name: "{{ cluster_state.infra_id }}-natgw" + # route_table_name: "{{ cluster_state.infra_id }}-rt-private" + + # tags: "{{ cluster_state.tags | d({}) }}" + # wait: false + # - name: "{{ cluster_state.infra_id }}-natgw-1b" + # subnet: "{{ cluster_state.infra_id }}-net-public-1b" + # tags: "{{ cluster_state.tags | d({}) }}" + # wait: false + # - name: "{{ cluster_state.infra_id }}-natgw-1c" + # subnet: "{{ cluster_state.infra_id }}-net-public-1c" + # tags: "{{ cluster_state.tags | d({}) }}" + # wait: true + + #> TODO use generic list + route_table_public: + spec: + display_name: "{{ cluster_state.infra_id }}-rt-public" + route_rules: + - spec: + destination: "0.0.0.0/0" + destination_type: "CIDR_BLOCK" + network_entity_type: internet-gateway + network_entity_name: "{{ cluster_state.infra_id }}-igw" + + route_table_private: + spec: + display_name: "{{ cluster_state.infra_id }}-rt-private" + route_rules: + - spec: + destination: "0.0.0.0/0" + destination_type: "CIDR_BLOCK" + network_entity_type: nat-gateway + network_entity_name: "{{ cluster_state.infra_id }}-natgw" + + # # Generic list + # route_tables: + # - public: yes + # spec: + # display_name: "{{ cluster_state.infra_id }}-rt-public" + # 
route_rules: + # - spec: + # destination: "0.0.0.0/0" + # destination_type: "CIDR_BLOCK" + # network_entity_type: internet-gateway + # network_entity_name: "{{ cluster_state.infra_id }}-igw" + + # - public: no + # spec: + # display_name: "{{ cluster_state.infra_id }}-rt-private" + # route_rules: + # - spec: + # destination: "0.0.0.0/0" + # destination_type: "CIDR_BLOCK" + # network_entity_type: nat-gateway + # network_entity_name: "{{ cluster_state.infra_id }}-natgw" + + # create permissive security Lists to force to use NSGs + # https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_network_security_list_module.html#ansible-collections-oracle-oci-oci-network-security-list-module + security_lists: + - spec: + display_name: "{{ cluster_state.infra_id }}-seclist-public" + ingress_security_rules: [] + # - protocol: all + # source: 0.0.0.0/0 + # is_stateless: false + # source_type: CIDR_BLOCK + # description: Allow all inbound + egress_security_rules: + - destination: 0.0.0.0/0 + protocol: all + destination_type: CIDR_BLOCK + is_stateless: false + description: Allow All Outbound + + - spec: + display_name: "{{ cluster_state.infra_id }}-seclist-private" + # TODO restrict only for I/O of listeners/backendSet + ingress_security_rules: [] + # - protocol: all + # source: 0.0.0.0/0 + # is_stateless: false + # source_type: CIDR_BLOCK + # description: Allow all inbound + egress_security_rules: + - destination: 0.0.0.0/0 + protocol: all + destination_type: CIDR_BLOCK + is_stateless: false + description: Allow All Outbound + # - destination: "10.0.0.0/16" + # protocol: 6 + # tcp_options: + # destination_port_range: + # min: 6443 + # max: 6443 + # destination_type: CIDR_BLOCK + # is_stateless: false + # description: Allow API Outbound + # - destination: "10.0.0.0/16" + # protocol: 6 + # tcp_options: + # destination_port_range: + # min: 22623 + # max: 22623 + # destination_type: CIDR_BLOCK + # is_stateless: false + # description: Allow 
MCS Outbound + + subnets: + # Best practice create dedicated LB Subnet/Rtb? + # https://docs.oracle.com/en-us/iaas/Content/GSG/Tasks/loadbalancing.htm#Update + # Your load balancer must reside in different subnets from your application instances. This configuration allows you to keep your application instances secured in subnets with stricter access rules, while allowing public internet traffic to the load balancer in the public subnets. + + # - public: no + # spec: + # display_name: "{{ cluster_state.infra_id }}-net-private" + # cidr_block: "10.0.0.0/22" + # prohibit_public_ip_on_vnic: true + + - spec: + display_name: "{{ cluster_state.infra_id }}-net-public" + cidr_block: "10.0.0.0/20" + dns_label: pub + prohibit_internet_ingress: false + public: true + route_table_name: "{{ cluster_state.infra_id }}-rt-public" + security_list_names: + - "{{ cluster_state.infra_id }}-seclist-public" + + - spec: + display_name: "{{ cluster_state.infra_id }}-net-private" + cidr_block: "10.0.16.0/20" + dns_label: priv + prohibit_internet_ingress: true + public: false + route_table_name: "{{ cluster_state.infra_id }}-rt-private" + security_list_names: + - "{{ cluster_state.infra_id }}-seclist-private" + + + # - public: no + # security_list_names: + # - "{{ cluster_state.infra_id }}-seclist-default" + # spec: + # cidr_block: "10.0.32.0/22" + # display_name: "{{ cluster_state.infra_id }}-net-private-nodes" + # prohibit_internet_ingress: true + # prohibit_public_ip_on_vnic: true + # dns_label: nodes + + # - public: yes + # route_table_name: "{{ cluster_state.infra_id }}-rt-public-lb" + # security_list_names: + # - "{{ cluster_state.infra_id }}-seclist-lb" + # spec: + # cidr_block: "10.0.0.0/24" + # display_name: "{{ cluster_state.infra_id }}-net-public-lb" + + + # https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_network_security_list_module.html#ansible-collections-oracle-oci-oci-network-security-list-module + network_security_groups: + - 
spec: + display_name: "{{ cluster_state.infra_id }}-nsg-controlplane" + rules: + spec: + security_rules: + # INGRESS + - description: allow all inbound subnet + source: "10.0.0.0/16" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: all + + - description: allow ssh + source: "0.0.0.0/0" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: 6 + tcp_options: + destination_port_range: + min: 22 + max: 22 + + - description: allow API + source: "0.0.0.0/0" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: 6 + tcp_options: + destination_port_range: + min: 6443 + max: 6443 + + # EGRESS + - description: allow all outbound subnet + destination: "0.0.0.0/0" + destination_type: "CIDR_BLOCK" + direction: EGRESS + is_stateless: false + protocol: all + + - spec: + display_name: "{{ cluster_state.infra_id }}-nsg-compute" + rules: + spec: + security_rules: + # INGRESS + - description: allow all inbound subnet + source: "10.0.0.0/16" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: all + + - description: allow ssh + source: "0.0.0.0/0" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: 6 + tcp_options: + destination_port_range: + min: 22 + max: 22 + + # EGRESS + - description: allow all outbound subnet + destination: "0.0.0.0/0" + destination_type: "CIDR_BLOCK" + direction: EGRESS + is_stateless: false + protocol: all + + - spec: + display_name: "{{ cluster_state.infra_id }}-nsg-nlb" + rules: + spec: + security_rules: + # INGRESS + - description: allow all inbound subnet + source: "10.0.0.0/16" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: all + + - description: allow KAPI + source: "0.0.0.0/0" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: 6 + tcp_options: + destination_port_range: + min: 6443 + max: 6443 + + - description: allow MCS + source: 
"0.0.0.0/0" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: 6 + tcp_options: + destination_port_range: + min: 22623 + max: 22623 + + - description: allow IG-HTTP + source: "0.0.0.0/0" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: 6 + tcp_options: + destination_port_range: + min: 80 + max: 80 + + - description: allow IG-HTTPS + source: "0.0.0.0/0" + source_type: "CIDR_BLOCK" + direction: INGRESS + is_stateless: false + protocol: 6 + tcp_options: + destination_port_range: + min: 443 + max: 443 + + # EGRESS + - description: allow all outbound subnet + destination: "0.0.0.0/0" + destination_type: "CIDR_BLOCK" + direction: EGRESS + is_stateless: false + protocol: all diff --git a/playbooks/vars/oci/profiles/ha/node-bootstrap.yaml b/playbooks/vars/oci/profiles/ha/node-bootstrap.yaml new file mode 100644 index 0000000..df7ba28 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/node-bootstrap.yaml 
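Review bot: `-nsg-controlplane` and `-nsg-compute` both allow SSH from `source: "0.0.0.0/0"`, and `-nsg-nlb` allows TCP/22623 from `0.0.0.0/0`; the bootstrap node (node-bootstrap.yaml) sits in `-net-public` with a public IP and `-nsg-controlplane`, so its SSH port is open to the internet while the cluster comes up, and the MCS is exposed through the public NLB. The header comment admits this is a dev ruleset, but the profile is named `ha`; at minimum the SSH and MCS rules should take an operator-supplied CIDR, e.g. `source: "{{ okd_net_allowed_admin_cidr | d(okd_net_default_cidr) }}"` for port 22 and `source: "{{ okd_net_default_cidr }}"` for 22623. The intra-VCN rules also hardcode `source: "10.0.0.0/16"` and the subnets `10.0.0.0/20`/`10.0.16.0/20`, while the VCN itself is created from `block: "{{ okd_net_default_cidr }}"`, so they silently stop matching (or stop fitting) if that variable is changed; derive them from the variable or document that it must stay `10.0.0.0/16`. Minor: `is_enabled: yes` should be `true`.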
@@ -0,0 +1,136 @@ +--- +_cluster_prefix: "{{ cluster_state.infra_id }}" + +# Vars used on Bootstrap +bootstrap_bucket: "{{ _cluster_prefix }}-infra" + +# Vars used on Machine/Compute Stack +_instance_type: "{{ bootstrap_instance | d('VM.Standard.E4.Flex') }}" +_instance_profile: "{{ cluster_state.compute.iam_profile_bootstrap }}" +# _image_id: "{{ custom_image_id | d(cluster_state.compute.image_id) }}" +_image_id: "{{ custom_image_id }}" +_subnet_name: "{{ _cluster_prefix }}-net-public-1a" + +_machine_suffix: '' + +## User Data template +userdata_config_source: "{{ bootstrap_bucket_signed_url }}" + +default_availability_domain: "gzqB:US-ASHBURN-AD-1" + +## Common vars used in the Stack vars +# _common: +# prefix: "{{ _cluster_prefix }}-bootstrap" +# detailed_monitoring: yes +# ebs_optimized: no +# image_id: "{{ _image_id }}" +# instance_role: "{{ _instance_profile }}" +# instance_type: "{{ _instance_type }}" +# security_groups: +# - "{{ _cluster_prefix }}-bootstrap-sg" +# - "{{ _cluster_prefix }}-controlplane-sg" +# state: present +# tags: "{{ cluster_state.tags }}" +# termination_protection: no +# volumes: +# - device_name: /dev/xvda +# ebs: +# volume_size: 128 +# volume_type: gp3 +# delete_on_termination: true +# - device_name: /dev/xvdd +# ebs: +# volume_size: 32 +# volume_type: gp3 +# delete_on_termination: true + +# vpc_subnet_name: "{{ _subnet_name }}" +# wait: yes +# wait_timeout: 500 + +# Stack Compute (Ansible Role cloud_compute) options: +compute_resources: + # + # Node role: bootstrap + # Node: bootstrap + # + - provider: oci + type: machine + # name: "{{ cluster_state.infra_id }}-bootstrap{{ _machine_suffix }}" + + # RHCOS Custom Image + image_name: "{{ cluster_state.compute.image_id }}" + image_compartment_id: "{{ oci_compartment_id_image | d(oci_compartment_id) }}" + + # Network details + vnic_subnet_name: "{{ cluster_state.infra_id }}-net-public" + network_security_group_names: + - "{{ cluster_state.infra_id }}-nsg-controlplane" + # OCI spec + spec: 
+ state: present + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-bootstrap{{ _machine_suffix }}" + region: "{{ config_cluster_region }}" + #freeform_tags: {'Department': 'Finance'} + #defined_tags: {'Operations': {'CostCenter': 'US'}} + availability_domain: "{{ default_availability_domain }}" + # platform_config: + # type: AMD_VM + shape: "{{ _instance_type }}" + shape_config: + ocpus: 4 + memory_in_gbs: 16 + #baseline_ocpu_utilization: BASELINE_1_8 + #nvmes: 1 + fault_domain: FAULT-DOMAIN-1 + # availability_domain: Uocm:PHX-AD-1 + agent_config: + are_all_plugins_disabled: true + + # Disk Configuration + preserve_boot_volume: false + source_details: + source_type: image + boot_volume_size_in_gbs: 120 + boot_volume_vpus_per_gb: 30 + + # that config will prevent actions like stop/start (not desired) + # preemptible_instance_config: + # preemption_action: + # preserve_boot_volume: false + # type: TERMINATE + + # Network + create_vnic_details: + display_name: "{{ cluster_state.infra_id }}-bootstrap-vnic0" + assign_public_ip: true + assign_private_dns_record: true + hostname_label: "bootstrap{{ _machine_suffix }}" + # defined_tags: {'Operations': {'CostCenter': 'US'}} + # freeform_tags: {'Department': 'Finance'} + # private_ip: private_ip_example + # skip_source_dest_check: true + # vlan_id: "ocid1.vlan.oc1..xxxxxxEXAMPLExxxxxx" + #subnet_id: "{{ machine_subnet_id }}" + #nsg_ids: "{{ machine_nsg_ids }}" + metadata: + user_data: "{{ lookup('template', 'ocp-bootstrap-user-data.j2') | to_nice_json | string | b64encode }}" + + # launch_options: + # firmware: BIOS + # boot_volume_type: PARAVIRTUALIZED + + callbacks: + - name: nlb + # nlb_name: ocp-nlb + nlb_name: "{{ cluster_state.infra_id }}-nlb" + backend_sets: + - name: "{{ cluster_state.infra_id }}-api" + port: 6443 + - name: "{{ cluster_state.infra_id }}-mcs" + port: 22623 + # - name: "6443" + # port: 6443 + # - name: "22623" + # port: 22623 
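Review bot: `userdata_config_source: "{{ bootstrap_bucket_signed_url }}"` is rendered into `metadata.user_data`, which is readable from the instance metadata service by any process on the bootstrap node and through the console/API by anyone with instance read permission, so the pre-authenticated request URL — and through it the bootstrap Ignition with its certificates and pull secret — should be created with a short expiry and the PAR/object removed once bootstrap completes; nothing visible in the destroy profile does that. `assign_public_ip: true` combined with `-nsg-controlplane` (SSH from 0.0.0.0/0 in network.yaml) also makes this the one publicly exposed host; if the public IP is needed for the bootstrap flow, a dedicated `-nsg-bootstrap` with a narrowed SSH source would be preferable. `_subnet_name: "{{ _cluster_prefix }}-net-public-1a"`, `_instance_profile` and `_image_id: "{{ custom_image_id }}"` are defined but never referenced by `compute_resources` (which uses `-net-public` and `cluster_state.compute.image_id`), so they mislead about which subnet and image are actually used — drop them. `default_availability_domain: "gzqB:US-ASHBURN-AD-1"` is tenancy-specific (the `gzqB` prefix differs per tenancy) and disagrees with node-generic.yaml's San Jose AD; it should come from a variable.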
diff --git a/playbooks/vars/oci/profiles/ha/node-compute.yaml b/playbooks/vars/oci/profiles/ha/node-compute.yaml new file mode 100644 index 0000000..c0e4d09 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/node-compute.yaml 
@@ -0,0 +1,183 @@ +--- +# Vars used on Machine/Compute Stack +_userdata_path: "{{ config_install_dir }}/worker.ign" + +_shape_config_default: + ocpus: 4 + memory_in_gbs: 16 + #baseline_ocpu_utilization: BASELINE_1_8 + #nvmes: 1 + +# Uncomment if you want to run the nodes in the same FD +#node_compute_single_fault_domain: FAULT-DOMAIN-1 +default_availability_domain: "gzqB:US-ASHBURN-AD-1" +default_fault_domain: FAULT-DOMAIN-1 +_compute_availability_domain: "{{ oci_availability_domains | d([default_availability_domain]) }}" +_compute_fault_domains: "{{ oci_fault_domains | d([default_fault_domain]) }}" + +_shape: "{{ compute_shape | d('VM.Standard.E4.Flex') }}" +_shape_config: "{{ compute_shape_config | d(_shape_config_default) }}" + +_callbacks: + - name: nlb + nlb_name: "{{ cluster_state.infra_id }}-nlb" + backend_sets: + - name: "{{ cluster_state.infra_id }}-ingress-http" + port: 80 + - name: "{{ cluster_state.infra_id }}-ingress-https" + port: 443 + +# Stack Compute (Ansible Role cloud_compute) options: +compute_resources: + # + # Node role: compute + # Node: worker-01 + # + - provider: oci + type: machine + + # RHCOS Custom Image + image_name: "{{ cluster_state.compute.image_id }}" + image_compartment_id: "{{ oci_compartment_id_image | d(oci_compartment_id) }}" + + # Network details + vnic_subnet_name: "{{ cluster_state.infra_id }}-net-private" + network_security_group_names: + - "{{ cluster_state.infra_id }}-nsg-compute" + + # OCI spec + spec: + state: present + wait: yes + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-worker-01" + region: "{{ config_cluster_region }}" + #freeform_tags: {'Department': 'Finance'} + #defined_tags: {'Operations': {'CostCenter': 'US'}} + availability_domain: "{{ _compute_availability_domain[0] | d(default_availability_domain) }}" + fault_domain: "{{ _compute_fault_domains[0] | d(default_fault_domain) }}" + + # platform_config: + # type: AMD_VM + shape: "{{ _shape }}" + shape_config: "{{ 
_shape_config }}" + + agent_config: + are_all_plugins_disabled: true + + source_details: + source_type: image + boot_volume_size_in_gbs: 120 + boot_volume_vpus_per_gb: 20 + + create_vnic_details: + display_name: "{{ cluster_state.infra_id }}-worker-01-vnic0" + assign_public_ip: false + assign_private_dns_record: true + hostname_label: "worker-01" + metadata: + user_data: "{{ lookup('file', _userdata_path) | b64encode }}" + + callbacks: "{{ _callbacks }}" + + # + # Node role: compute + # Node: worker-02 + # + - provider: oci + type: machine + + # RHCOS Custom Image + image_name: "{{ cluster_state.compute.image_id }}" + image_compartment_id: "{{ oci_compartment_id_image | d(oci_compartment_id) }}" + + # Network details + vnic_subnet_name: "{{ cluster_state.infra_id }}-net-private" + network_security_group_names: + - "{{ cluster_state.infra_id }}-nsg-compute" + + # OCI spec + spec: + state: present + wait: yes + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-worker-02" + region: "{{ config_cluster_region }}" + #freeform_tags: {'Department': 'Finance'} + #defined_tags: {'Operations': {'CostCenter': 'US'}} + availability_domain: "{{ _compute_availability_domain[1] | d(default_availability_domain) }}" + fault_domain: "{{ _compute_fault_domains[1] | d(default_fault_domain) }}" + + # platform_config: + # type: AMD_VM + shape: "{{ _shape }}" + shape_config: "{{ _shape_config }}" + + agent_config: + are_all_plugins_disabled: true + + source_details: + source_type: image + boot_volume_size_in_gbs: 120 + boot_volume_vpus_per_gb: 20 + + create_vnic_details: + display_name: "{{ cluster_state.infra_id }}-worker-02-vnic0" + assign_public_ip: false + assign_private_dns_record: true + hostname_label: "worker-02" + metadata: + user_data: "{{ lookup('file', _userdata_path) | b64encode }}" + + callbacks: "{{ _callbacks }}" + + # + # Node role: compute + # Node: worker-03 + # + - provider: oci + type: machine + + # RHCOS Custom Image + 
image_name: "{{ cluster_state.compute.image_id }}" + image_compartment_id: "{{ oci_compartment_id_image | d(oci_compartment_id) }}" + + # Network details + vnic_subnet_name: "{{ cluster_state.infra_id }}-net-private" + network_security_group_names: + - "{{ cluster_state.infra_id }}-nsg-compute" + + # OCI spec + spec: + state: present + wait: no + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-worker-03" + region: "{{ config_cluster_region }}" + #freeform_tags: {'Department': 'Finance'} + #defined_tags: {'Operations': {'CostCenter': 'US'}} + availability_domain: "{{ _compute_availability_domain[2] | d(default_availability_domain) }}" + fault_domain: "{{ _compute_fault_domains[2] | d(default_fault_domain) }}" + + # platform_config: + # type: AMD_VM + shape: "{{ _shape }}" + shape_config: "{{ _shape_config }}" + + agent_config: + are_all_plugins_disabled: true + + source_details: + source_type: image + boot_volume_size_in_gbs: 120 + boot_volume_vpus_per_gb: 20 + + create_vnic_details: + display_name: "{{ cluster_state.infra_id }}-worker-03-vnic0" + assign_public_ip: false + assign_private_dns_record: true + hostname_label: "worker-03" + metadata: + user_data: "{{ lookup('file', _userdata_path) | b64encode }}" + + callbacks: "{{ _callbacks }}" \ No newline at end of file diff --git a/playbooks/vars/oci/profiles/ha/node-controlplane.yaml b/playbooks/vars/oci/profiles/ha/node-controlplane.yaml new file mode 100644 index 0000000..8fe6a68 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/node-controlplane.yaml 
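Review bot: The comment `# Uncomment if you want to run the nodes in the same FD` above `#node_compute_single_fault_domain` promises behaviour nothing in this file implements — every node takes `fault_domain: "{{ _compute_fault_domains[N] | d(default_fault_domain) }}"` and never consults that variable, so uncommenting it has no effect. Either wire it in, e.g. `fault_domain: "{{ node_compute_single_fault_domain | d(_compute_fault_domains[0] | d(default_fault_domain)) }}"` per node, or replace the comment with one pointing at `oci_fault_domains`. The three nodes otherwise differ only in `wait`: workers 01/02 use `wait: yes`, worker-03 `wait: no`, which is the mirror image of node-controlplane.yaml; if overlapping provisioning is intended, state it in a comment, and write the booleans as `true`/`false`. `_callbacks` registers backend ports 80/443 directly on the nodes, which presumes the ingress controller binds host ports (the `# TCP/31794`/`# TCP/32186` hints in loadbalancer.yaml suggest NodePorts were once considered) — a one-line comment stating that assumption would save the next operator a debugging session.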
@@ -0,0 +1,206 @@ +--- +# Local/reused Control Plane vars are prefixed with _cp + +# Defaults used in thie file +node_controlplane_userdata_path: "{{ config_install_dir }}/master.ign" + +# _platform_config: +# type: AMD_VM +_shape: "{{ controlplane_shape | d('VM.Standard.E4.Flex') }}" +_shape_config: + ocpus: 4 + memory_in_gbs: 16 + #baseline_ocpu_utilization: BASELINE_1_8 + #nvmes: 1 + +# Uncomment if you want to run the nodes in the same FD +#node_controlplane_single_fault_domain: "FAULT-DOMAIN-1" +default_availability_domain: "gzqB:US-ASHBURN-AD-1" +default_fault_domain: FAULT-DOMAIN-1 +_controlplane_availability_domain: "{{ oci_availability_domains | d([default_availability_domain]) }}" +_controlplane_fault_domains: "{{ oci_fault_domains | d([default_fault_domain]) }}" + +_agent_config: + are_all_plugins_disabled: true + +_source_details: + source_type: image + # VPU/GB + # https://docs.oracle.com/en-us/iaas/Content/Block/Concepts/blockvolumeperformance.htm + boot_volume_size_in_gbs: 512 + boot_volume_vpus_per_gb: 60 + +# Callbacks used to register the instances +_callbacks: + - name: nlb + nlb_name: "{{ cluster_state.infra_id }}-nlb" + backend_sets: + - name: "{{ cluster_state.infra_id }}-api" + port: 6443 + - name: "{{ cluster_state.infra_id }}-mcs" + port: 22623 + +# Stack Compute (Ansible Role cloud_compute) options: +compute_resources: + # + # Node role: controlplane + # Node: master-01 + # + - provider: oci + type: machine + + # RHCOS Custom Image + image_name: "{{ cluster_state.compute.image_id }}" + image_compartment_id: "{{ oci_compartment_id_image | d(oci_compartment_id) }}" + + # Network details + vnic_subnet_name: "{{ cluster_state.infra_id }}-net-private" + network_security_group_names: + - "{{ cluster_state.infra_id }}-nsg-controlplane" + + # OCI spec + spec: + state: present + wait: no + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-master-01" + region: "{{ config_cluster_region }}" + #freeform_tags: 
{'Department': 'Finance'} + #defined_tags: {'Operations': {'CostCenter': 'US'}} + availability_domain: "{{ _controlplane_availability_domain[0] | d(default_availability_domain) }}" + fault_domain: "{{ _controlplane_fault_domains[0] | d(default_fault_domain) }}" + + # platform_config: "{{ _platform_config }}" + shape: "{{ _shape }}" + shape_config: "{{ _shape_config }}" + agent_config: "{{ _agent_config }}" + source_details: "{{ controlplane_source_details | d(_source_details) }}" + + create_vnic_details: + display_name: "{{ cluster_state.infra_id }}-master-01-vnic0" + assign_public_ip: false + assign_private_dns_record: true + hostname_label: "master-01" + metadata: + user_data: "{{ lookup('file', node_controlplane_userdata_path) | b64encode }}" + + # Extra volumes + # https://oci-ansible-collection.readthedocs.io/en/latest/collections/oracle/oci/oci_blockstorage_volume_module.html#ansible-collections-oracle-oci-oci-blockstorage-volume-module + # oracle.oci.oci_compute_volume_attachment + # volume_attachment_spec: + # device: /dev/sdb + # display_name: master-01-etcd-attc + # #instance_id + # is_read_only: no + # is_shareable: no + # type: service_determined + # #volume_id + # # oracle.oci.oci_blockstorage_volume + # blockstorage_volume_spec: + # # required + # #compartment_id: "ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx" + # # optional + # availability_domain: "{{ _controlplane_fault_domains[0] | d('FAULT-DOMAIN-1') }}" + # # source_details: + # # # required + # # type: blockVolumeReplica + # # id: "ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx" + # display_name: master-01-etcd + # vpus_per_gb: 60 + # size_in_gbs: 60 + # is_auto_tune_enabled: true + + + ## attachments https://oci-ansible-collection.readthedocs.io/en/latest/collections/oracle/oci/oci_compute_volume_attachment_module.html#ansible-collections-oracle-oci-oci-compute-volume-attachment-module + # Register the instance using callbacks + callbacks: "{{ _callbacks }}" + + # + # Node role: controlplane + # Node: 
master-02 + # + - provider: oci + type: machine + + # RHCOS Custom Image + image_name: "{{ cluster_state.compute.image_id }}" + image_compartment_id: "{{ oci_compartment_id_image | d(oci_compartment_id) }}" + + # Network details + vnic_subnet_name: "{{ cluster_state.infra_id }}-net-private" + network_security_group_names: + - "{{ cluster_state.infra_id }}-nsg-controlplane" + + # OCI spec + spec: + state: present + wait: no + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-master-02" + region: "{{ config_cluster_region }}" + #freeform_tags: {'Department': 'Finance'} + #defined_tags: {'Operations': {'CostCenter': 'US'}} + availability_domain: "{{ _controlplane_availability_domain[1] | d(default_availability_domain) }}" + fault_domain: "{{ _controlplane_fault_domains[1] | d(default_fault_domain) }}" + + # platform_config: "{{ _platform_config }}" + shape: "{{ _shape }}" + shape_config: "{{ _shape_config }}" + agent_config: "{{ _agent_config }}" + source_details: "{{ controlplane_source_details | d(_source_details) }}" + + create_vnic_details: + display_name: "{{ cluster_state.infra_id }}-master-02-vnic0" + assign_public_ip: false + assign_private_dns_record: true + hostname_label: "master-02" + metadata: + user_data: "{{ lookup('file', node_controlplane_userdata_path) | b64encode }}" + + # Register the instance using callbacks + callbacks: "{{ _callbacks }}" + + # + # Node role: controlplane + # Node: master-03 + # + - provider: oci + type: machine + + # RHCOS Custom Image + image_name: "{{ cluster_state.compute.image_id }}" + image_compartment_id: "{{ oci_compartment_id_image | d(oci_compartment_id) }}" + + # Network details + vnic_subnet_name: "{{ cluster_state.infra_id }}-net-private" + network_security_group_names: + - "{{ cluster_state.infra_id }}-nsg-controlplane" + + # OCI spec + spec: + state: present + wait: yes + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-master-03" + 
region: "{{ config_cluster_region }}" + #freeform_tags: {'Department': 'Finance'} + #defined_tags: {'Operations': {'CostCenter': 'US'}} + availability_domain: "{{ _controlplane_availability_domain[2] | d(default_availability_domain) }}" + fault_domain: "{{ _controlplane_fault_domains[2] | d(default_fault_domain) }}" + + # platform_config: "{{ _platform_config }}" + shape: "{{ _shape }}" + shape_config: "{{ _shape_config }}" + agent_config: "{{ _agent_config }}" + source_details: "{{ controlplane_source_details | d(_source_details) }}" + + create_vnic_details: + display_name: "{{ cluster_state.infra_id }}-master-03-vnic0" + assign_public_ip: false + assign_private_dns_record: true + hostname_label: "master-03" + metadata: + user_data: "{{ lookup('file', node_controlplane_userdata_path) | b64encode }}" + + # Register the instance using callbacks + callbacks: "{{ _callbacks }}" diff --git a/playbooks/vars/oci/profiles/ha/node-generic.yaml b/playbooks/vars/oci/profiles/ha/node-generic.yaml new file mode 100644 index 0000000..8712ac7 --- /dev/null +++ b/playbooks/vars/oci/profiles/ha/node-generic.yaml 
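Review bot: `_shape_config` is fixed at 4 OCPU/16 GB with no override variable, while `_shape`, `source_details` and node-compute.yaml's `_shape_config` all follow the `<role>_x | d(default)` pattern; `_shape_config: "{{ controlplane_shape_config | d(_shape_config_default) }}"` would make the two profiles symmetrical. As in node-compute.yaml, `#node_controlplane_single_fault_domain` and its `# Uncomment if…` comment are never read by the `fault_domain:` expressions, so the instruction is misleading. The commented etcd volume block passes `_controlplane_fault_domains[0]` as `availability_domain`, which would be wrong if revived — a fault domain is not an availability domain — so either fix it now or drop the dead block. `wait: no`/`wait: yes` should be `false`/`true`.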
@@ -0,0 +1,57 @@ +--- +# Vars used on Machine/Compute Stack +_userdata_path: "{{ config_install_dir }}/worker.ign" + +# Stack Compute (Ansible Role cloud_compute) options: +compute_resources: + # + # Node role: compute + # Node: opct-01 + # + - provider: oci + type: machine + + # RHCOS Custom Image + image_name: "{{ cluster_state.compute.image_id }}" + image_compartment_id: "{{ oci_compartment_id_image | d(oci_compartment_id) }}" + + # Network details + vnic_subnet_name: "{{ cluster_state.infra_id }}-net-{{ subnet | d('net-private') }}" + network_security_group_names: + - "{{ cluster_state.infra_id }}-nsg-{{ nsg | d('nsg-compute') }}" + + # OCI spec + spec: + state: present + wait: yes + compartment_id: "{{ oci_compartment_id }}" + display_name: "{{ cluster_state.infra_id }}-{{ sufix | d ('generic-01') }}" + region: "{{ config_cluster_region }}" + #freeform_tags: {'Department': 'Finance'} + #defined_tags: {'Operations': {'CostCenter': 'US'}} + availability_domain: "gzqB:US-SANJOSE-1-AD-1" + fault_domain: FAULT-DOMAIN-1 + + # platform_config: + # type: AMD_VM + shape: "VM.Standard.E4.Flex" + shape_config: + ocpus: "{{ cpu | d(2) }}" + memory_in_gbs: "{{ mem | d(8) }}" + #baseline_ocpu_utilization: BASELINE_1_8 + #nvmes: 1 + agent_config: + are_all_plugins_disabled: true + + source_details: + source_type: image + boot_volume_size_in_gbs: 120 + boot_volume_vpus_per_gb: 20 + + create_vnic_details: + display_name: "{{ cluster_state.infra_id }}-{{ sufix | d ('generic-01') }}-vnic0" + assign_public_ip: false + assign_private_dns_record: true + hostname_label: "{{ sufix | d ('generic-01') }}" + metadata: + user_data: "{{ lookup('file', _userdata_path) | b64encode }}" diff --git a/requirements.txt b/requirements.txt index a62c0f8..3710d2b 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,3 +11,6 @@ botocore # kubernetes Collection kubernetes + +# provider: Oracle Cloud/OCI +oci>=2.112.4,<2.113 
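Review bot: The subnet and NSG defaults in node-generic.yaml double the prefix: `vnic_subnet_name` expands to `<infra_id>-net-net-private` and `network_security_group_names` to `<infra_id>-nsg-nsg-compute`, whereas the controlplane profile in this same change names them `<infra_id>-net-private` and `<infra_id>-nsg-controlplane`. Unless the caller always passes `subnet`/`nsg`, the default lookup presumably resolves no subnet and no NSG at all, so the fix is `{{ subnet | d('private') }}` and `{{ nsg | d('compute') }}` (or dropping the inner prefix). `availability_domain: "gzqB:US-SANJOSE-1-AD-1"` and `fault_domain: FAULT-DOMAIN-1` are hard-coded tenancy-specific values while the controlplane profile derives them from `_controlplane_availability_domain`/`default_availability_domain`; prefer `"{{ default_availability_domain }}"` and `"{{ default_fault_domain }}"`. `wait: yes` should be `wait: true`, and `sufix | d ('generic-01')` has a stray space before the parenthesis (and the variable is presumably meant to be `suffix`).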
diff --git a/requirements.yml b/requirements.yml index 607d422..b6b64d4 100644 --- a/requirements.yml +++ b/requirements.yml @@ -14,4 +14,9 @@ collections: - name: community.aws version: '>=5.5.0,<5.6' - name: amazon.aws - version: '>=5.5.0,<5.6' \ No newline at end of file + version: '>=5.5.0,<5.6' + +# Oracle Cloud Infrastructure Ansible Collections +# https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.11.0/installation/index.html +- name: oracle.oci + version: '>=4.33.0,<4.34.0' \ No newline at end of file diff --git a/roles/bootstrap/tasks/oci.yaml b/roles/bootstrap/tasks/oci.yaml new file mode 100644 index 0000000..1213d0b --- /dev/null +++ b/roles/bootstrap/tasks/oci.yaml 
@@ -0,0 +1,51 @@ +--- +# https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_object_storage_object_module.html#ansible-collections-oracle-oci-oci-object-storage-object-module +# https://docs.oracle.com/en-us/iaas/tools/oci-ansible-collection/4.12.0/collections/oracle/oci/oci_object_storage_object_module.html#ansible-collections-oracle-oci-oci-object-storage-object-module + +- name: OCI | Get the namespace + oracle.oci.oci_object_storage_namespace_facts: + compartment_id: "{{ oci_compartment_id }}" + register: _objns + +- name: OCI | Create bucket + oracle.oci.oci_object_storage_bucket: + compartment_id: "{{ oci_compartment_id }}" + name: "{{ bootstrap_bucket }}" + namespace_name: "{{ _objns.namespace }}" + state: present + +# TODO: Make it indepotent +- name: OCI | Upload bootstrap.ign + oracle.oci.oci_object_storage_object: + namespace_name: "{{ _objns.namespace }}" + bucket_name: "{{ bootstrap_bucket }}" + object_name: "/bootstrap.ign" + src: "{{ config_install_dir + '/' + bootstrap_src_ign }}" + force: false + register: _upload + +- name: OCI | Create expiration timestamp + ansible.builtin.command: "date +'%Y-%m-%dT%H:%M:%S%z' -d '+1 hour'" + register: _cmd + changed_when: false + +- name: OCI | Create preauthenticated_request + oracle.oci.oci_object_storage_preauthenticated_request: + name: par-bootstrap + access_type: ObjectRead + time_expires: "{{ _cmd.stdout }}" + namespace_name: "{{ _objns.namespace }}" + bucket_name: "{{ bootstrap_bucket }}" + object_name: "/bootstrap.ign" + register: _objpreauth + #when: _upload.changed + +- name: OCI | Show existing URLs + oracle.oci.oci_object_storage_preauthenticated_request_facts: + namespace_name: "{{ _objns.namespace }}" + bucket_name: "{{ bootstrap_bucket }}" + register: _pars + +- name: OCI | Create Signed URL to bootstrap_bucket_signed_url + ansible.builtin.set_fact: + bootstrap_bucket_signed_url: "https://objectstorage.{{ config_cluster_region }}.oraclecloud.com{{ 
_objpreauth.preauthenticated_request.access_uri }}" diff --git a/roles/clients/defaults/main.yaml b/roles/clients/defaults/main.yaml index 7a09276..2537a7f 100644 --- a/roles/clients/defaults/main.yaml +++ b/roles/clients/defaults/main.yaml @@ -5,17 +5,15 @@ distro_image: ocp: "quay.io/openshift-release-dev/ocp-release" release_arch: x86_64 -default_version: 4.13.0 +default_version: 4.14.0-rc.0 # OCP release version has the arch on the sufix # https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/ # OKD does not have the arch on suffix # https://amd64.origin.releases.ci.openshift.org/ -# Example: release_version: 4.11.0-0.okd-2022-08-20-022919 +# Example: release_version: 4.14.0-0.okd-scos-2023-08-17-022029 release_version: "{{ version | d(default_version) }}-{{ release_arch }}" -# https://amd64.origin.releases.ci.openshift.org/ release_image: "quay.io/openshift-release-dev/ocp-release" - release_image_version_arch: "{{ release_image }}:{{ release_version }}" workdir: "{{ lookup('env', 'HOME') }}/.ansible/okd-installer" diff --git a/roles/clients/tasks/main.yaml b/roles/clients/tasks/main.yaml index 136345f..5498dde 100644 --- a/roles/clients/tasks/main.yaml +++ b/roles/clients/tasks/main.yaml @@ -193,4 +193,4 @@ msg: - "binary=[{{ collection_bin_dir }}/{{ item.src }}]" - "link=[{{ collection_bin_dir }}/{{ item.link }}]" - with_items: "{{ _clients_map }}" \ No newline at end of file + with_items: "{{ _clients_map }}" diff --git a/roles/cloud_compute b/roles/cloud_compute index 5a0ea8a..496d88e 160000 --- a/roles/cloud_compute +++ b/roles/cloud_compute @@ -1 +1 @@ -Subproject commit 5a0ea8a31f4ac8fe82e628fd6af8ef492ccee451 +Subproject commit 496d88ea8663a911c5855bf6b8665127b6357a50 diff --git a/roles/cloud_dns b/roles/cloud_dns index c73d41e..7963424 160000 --- a/roles/cloud_dns +++ b/roles/cloud_dns @@ -1 +1 @@ -Subproject commit c73d41ec4c4cdbccf9aa7626420ada0ed5eb2215 +Subproject commit 7963424148b12d994106d3eb957cddee49649a71 
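Review bot: The pre-authenticated request created in `OCI | Create preauthenticated_request` is a bearer URL granting anonymous read of bootstrap.ign (which typically carries bootstrap certificates and keys), yet neither that task nor `OCI | Show existing URLs`, which registers every PAR's access URI into `_pars`, carries `no_log: true`; add `no_log: true` to both and to the `set_fact` that builds `bootstrap_bucket_signed_url`. The one-hour expiry is a sensible window, but a PAR named `par-bootstrap` is created on every run and nothing here revokes it, so stale PARs accumulate until the bucket is destroyed; revoke the previous one with `state: absent` first or use a per-run name such as `par-bootstrap-{{ cluster_state.infra_id }}`. Because the upload uses `force: false`, a re-run with a regenerated ignition keeps serving the old object under a fresh PAR (the `TODO` acknowledges idempotency, but the failure mode is silent), so either set `force: true` or compare a checksum before deciding to skip. `date +'%Y-%m-%dT%H:%M:%S%z' -d '+1 hour'` is GNU-specific and emits `+0000` without a colon; confirm the module accepts that, or compute it in Ansible as `{{ '%Y-%m-%dT%H:%M:%SZ' | strftime(ansible_date_time.epoch | int + 3600, utc=true) }}`.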
diff --git a/roles/cloud_load_balancer b/roles/cloud_load_balancer index 7c521f0..ca88ff5 160000 --- a/roles/cloud_load_balancer +++ b/roles/cloud_load_balancer @@ -1 +1 @@ -Subproject commit 7c521f0960eaa3a62d77237cb00fa1e58a2a8f21 +Subproject commit ca88ff59cb690caea8e31d384d4748d0004fded1 diff --git a/roles/cloud_network b/roles/cloud_network index 8e745fc..8906b16 160000 --- a/roles/cloud_network +++ b/roles/cloud_network @@ -1 +1 @@ -Subproject commit 8e745fcdf35aa9fcb3bd64ad1e7317f805a4326f +Subproject commit 8906b16da07f67a630758085d914b892208f29bb diff --git a/roles/config/defaults/main.yaml b/roles/config/defaults/main.yaml index 92b3c56..4212cb8 100644 --- a/roles/config/defaults/main.yaml +++ b/roles/config/defaults/main.yaml @@ -8,6 +8,7 @@ config_default_hyperthreading: Enabled config_valid_providers: - aws + - oci # Compute config_compute_replicas: 3 @@ -40,7 +41,7 @@ config_networking_clusternetwork: config_networking_machinenetwork: - cidr: 10.0.0.0/16 -config_networking_networktype: OpenShiftSDN +config_networking_networktype: OVNKubernetes config_networking_servicenetwork: - 172.30.0.0/16 diff --git a/roles/config/tasks/check-vars-aws.yaml b/roles/config/tasks/check-vars-aws.yaml new file mode 100644 index 0000000..fccc671 --- /dev/null +++ b/roles/config/tasks/check-vars-aws.yaml @@ -0,0 +1,3 @@ +--- + +# TODO \ No newline at end of file diff --git a/roles/config/tasks/check-vars-oci.yaml b/roles/config/tasks/check-vars-oci.yaml new file mode 100644 index 0000000..e03fb70 --- /dev/null +++ b/roles/config/tasks/check-vars-oci.yaml 
@@ -0,0 +1,19 @@ +--- + +- name: Check Vars | oci_compartment_id + ansible.builtin.assert: + that: + - oci_compartment_id is defined + fail_msg: "'oci_compartment_id' is not defined" + +- name: Check Vars | oci_compartment_id_dns + ansible.builtin.assert: + that: + - oci_compartment_id_dns is defined + fail_msg: "'oci_compartment_id_dns' is not defined" + +- name: Check Vars | oci_compartment_id_image + ansible.builtin.assert: + that: + - oci_compartment_id_image is defined + fail_msg: "'oci_compartment_id_image' is not defined" \ No newline at end of file diff --git a/roles/config/tasks/check-vars.yaml b/roles/config/tasks/check-vars.yaml index 8cad6b8..738fde6 100644 --- a/roles/config/tasks/check-vars.yaml +++ b/roles/config/tasks/check-vars.yaml @@ -47,3 +47,6 @@ that: - _stat_installer.stat.exists fail_msg: "Installer binary is not present on path '{{ bin_openshift_install }}'. Run install_clients playbook first" + +- name: Check Vars | Provider + include: "./check-vars-{{ provider }}.yaml" \ No newline at end of file diff --git a/roles/config/tasks/create.yaml b/roles/config/tasks/create.yaml index 90be653..19a04e4 100644 --- a/roles/config/tasks/create.yaml +++ b/roles/config/tasks/create.yaml @@ -3,4 +3,4 @@ # - create-config # - create-manifests # - patch-manifests -# - create-ignitions \ No newline at end of file +# - create-ignitions diff --git a/roles/config/tasks/load.yaml b/roles/config/tasks/load.yaml index bacb779..5c10584 100644 --- a/roles/config/tasks/load.yaml +++ b/roles/config/tasks/load.yaml @@ -50,7 +50,7 @@ - name: Load | Set custom_image_id from os_mirror config when: - - os_mirror | d({}) | length > 0 + - os_mirror | d(false) - os_mirror_from | d('') == 'stream_artifacts' block: - name: Load | Set custom_image_url from os_mirror config diff --git a/roles/config/tasks/patches-manifests/deploy-oci-ccm.yaml b/roles/config/tasks/patches-manifests/deploy-oci-ccm.yaml new file mode 100644 index 0000000..87a49a0 --- /dev/null 
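Review bot: The three asserts in check-vars-oci.yaml only test `is defined`, so `oci_compartment_id: ""` passes here and fails later inside the OCI modules; tighten each to `- oci_compartment_id | d('') | length > 0`. They also make `oci_compartment_id_dns` and `oci_compartment_id_image` mandatory, while the compute profiles in this same change fall back with `oci_compartment_id_image | d(oci_compartment_id)`, so either drop those two asserts or remove the now-dead defaults so the contract is stated once. A one-line header such as `# Provider-specific variable checks, included by check-vars.yaml via the 'provider' variable` would help the next reader.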
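Review bot: `include:` in the new `Check Vars | Provider` task is the deprecated form (removed in recent ansible-core releases); use `ansible.builtin.include_tasks: "check-vars-{{ provider }}.yaml"` as `roles/destroy/tasks/oci.yaml` in this change already does. The provider-derived path is safe only because `provider` is validated against `config_valid_providers` elsewhere (not visible in this hunk); confirm that assert runs before this include, otherwise an unexpected value turns into an arbitrary relative task-file include. Add a comment stating that dependency, e.g. `# 'provider' must already be validated against config_valid_providers`.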
+++ b/roles/config/tasks/patches-manifests/deploy-oci-ccm.yaml 
@@ -0,0 +1,76 @@ +--- +- name: Patch | OCI | CCM | Set namespace oci_ccm_namespace + ansible.builtin.set_fact: + # default provided by repo is kube-system + #oci_ccm_namespace: oci-cloud-controller-manager + oci_ccm_namespace: "{{ cfg_patch_oci_ccm_namespace }}" + when: oci_ccm_namespace is not defined + +- name: Patch | OCI | CCM | Create Namespace + when: oci_ccm_namespace != "kube-system" + ansible.builtin.template: + src: patches/oci/oci-ccm-00-namespace.yaml.j2 + dest: "{{ config_install_dir }}/manifests/oci-cloud-controller-manager-00-namespace.yaml" + mode: 0644 + +- name: Patch | OCI | CCM | Gather subnet ID + ansible.builtin.set_fact: + _lb_subnet1: "{{ sb.state.id }}" + loop: "{{ (cluster_state.networks | first).subnets }}" + loop_control: + loop_var: sb + when: sb.public + no_log: true + +- name: Patch | OCI | CCM | Load OCI Secret data + ansible.builtin.set_fact: + oci_ccm_secret_data: "{{ lookup('template', 'patches/oci/oci-ccm-01-secret-data.yaml.j2') | from_yaml }}" + +- name: Patch | OCI | CCM | Create Secret + ansible.builtin.template: + src: patches/oci/oci-ccm-01-secret.yaml.j2 + dest: "{{ config_install_dir }}/manifests/oci-cloud-controller-manager-01-secret.yaml" + mode: 0644 + vars: + oci_compartment_id: oci_compartment_id + +- name: Patch | OCI | CCM | Custom manifests + when: oci_ccm_namespace == "kube-system" + block: + - name: Get CCM manifests + ansible.builtin.get_url: + url: "{{ item.url }}" + dest: "{{ config_install_dir }}/manifests/oci-cloud-controller-manager-{{ item.suffix }}.yaml" + mode: '0440' + loop: + - url: "https://github.com/oracle/oci-cloud-controller-manager/releases/download/{{ oci_ccm_version }}/oci-cloud-controller-manager-rbac.yaml" + suffix: "02-rbac" + - url: "https://github.com/oracle/oci-cloud-controller-manager/releases/download/{{ oci_ccm_version }}/oci-cloud-controller-manager.yaml" + suffix: "03" + +- name: Patch | OCI | CCM | Custom manifests + when: oci_ccm_namespace != "kube-system" + block: + - name: Patch 
| OCI | CCM | Create RBAC SA + ansible.builtin.template: + src: patches/oci/oci-ccm-02-rbac-sa.yaml.j2 + dest: "{{ config_install_dir }}/manifests/oci-cloud-controller-manager-02-rbac-sa.yaml" + mode: 0644 + + - name: Patch | OCI | CCM | Create RBAC CR + ansible.builtin.template: + src: patches/oci/oci-ccm-03-rbac-cr.yaml.j2 + dest: "{{ config_install_dir }}/manifests/oci-cloud-controller-manager-03-rbac-cr.yaml" + mode: 0644 + + - name: Patch | OCI | CCM | Create RBAC CRB + ansible.builtin.template: + src: patches/oci/oci-ccm-04-rbac-crb.yaml.j2 + dest: "{{ config_install_dir }}/manifests/oci-cloud-controller-manager-04-rbac-crb.yaml" + mode: 0644 + + - name: Patch | OCI | CCM | Create DaemonSet + ansible.builtin.template: + src: patches/oci/oci-ccm-05-daemonset.yaml.j2 + dest: "{{ config_install_dir }}/manifests/oci-cloud-controller-manager-05-daemonset.yaml" + mode: 0644 diff --git a/roles/config/tasks/patches-manifests/deploy-oci-csi.yaml b/roles/config/tasks/patches-manifests/deploy-oci-csi.yaml new file mode 100644 index 0000000..6ae1a8e --- /dev/null +++ b/roles/config/tasks/patches-manifests/deploy-oci-csi.yaml 
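Review bot: `vars: oci_compartment_id: oci_compartment_id` in `Patch | OCI | CCM | Create Secret` assigns the literal string `oci_compartment_id`, not the variable, so if the secret template references it the rendered cloud-provider config carries that literal; drop the `vars:` block (the role variable is already in scope) or write `oci_compartment_id: "{{ oci_compartment_id }}"`. The secret manifest is written with `mode: 0644` and `oci_ccm_secret_data` is loaded by `set_fact` without `no_log`, while the subnet loop two tasks earlier is `no_log: true`; since this file presumably holds tenancy credentials, use `mode: "0600"` on the secret task and `no_log: true` on that `set_fact`. The `get_url` downloads of `oci-cloud-controller-manager-rbac.yaml` and `oci-cloud-controller-manager.yaml` are pinned to `oci_ccm_version` but carry no `checksum:`; a release asset can be replaced under the same tag, so pin `checksum: "sha256:<digest>"` per version. The two `Patch | OCI | CCM | Custom manifests` tasks share a name, which makes `--start-at-task` ambiguous; suffix them with `(kube-system)` and `(custom namespace)`.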
@@ -0,0 +1,42 @@ +--- +- name: Patch | OCI | CCM | Set namespace oci_ccm_namespace + ansible.builtin.set_fact: + # default provided by repo is kube-system + oci_csi_namespace: oci-csi + when: oci_csi_namespace is not defined + +- name: Patch | OCI | CSI | Load OCI Secret data + ansible.builtin.set_fact: + oci_ccm_secret_data: "{{ lookup('template', 'patches/oci/oci-ccm-01-secret-data.yaml.j2') | from_yaml }}" + +- name: Patch | OCI | CSI | Create Manifests to install dir manifests/ + ansible.builtin.template: + src: "patches/oci/{{ manifest }}.j2" + dest: "{{ config_install_dir }}/manifests/{{ manifest }}" + mode: 0644 + loop_control: + loop_var: manifest + loop: + - oci-csi-00-namespace.yaml + - oci-csi-01-secret.yaml + - oci-csi-02-node-rbac-00-sa.yaml + - oci-csi-02-node-rbac-01-cr.yaml + - oci-csi-02-node-rbac-02-crb.yaml + - oci-csi-03-controller-driver.yaml + - oci-csi-04-node-driver-00-csidriver-fss.yaml + - oci-csi-04-node-driver-01-csidriver-bv.yaml + - oci-csi-04-node-driver-02-cm-iscsi.yaml + - oci-csi-04-node-driver-03-cm-fss.yaml + - oci-csi-04-node-driver-04-daemonset.yaml + - oci-csi-05-storage-class-00-bv.yaml + - oci-csi-05-storage-class-01-bv-enc.yaml + +- name: Patch | OCI | CSI | Create MachineConfig iscsid.service + ansible.builtin.template: + src: patches/mc-iscsid-service.yaml.j2 + dest: "{{ config_install_dir }}/openshift//99_openshift-machineconfig_99-{{ machine_role }}-iscsid.yaml" + loop_control: + loop_var: machine_role + loop: + - master + - worker \ No newline at end of file diff --git a/roles/config/tasks/patches-manifests/line_regex_patch.yaml b/roles/config/tasks/patches-manifests/line_regex_patch.yaml new file mode 100644 index 0000000..b8b63da --- /dev/null +++ b/roles/config/tasks/patches-manifests/line_regex_patch.yaml 
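Review bot: `oci-csi-01-secret.yaml` is rendered with `mode: 0644` and `oci_ccm_secret_data` is loaded via `set_fact` without `no_log: true`, so the CSI credentials (assuming the shared secret-data template holds the same tenancy key as the CCM) are world-readable in the install dir and visible in verbose output; render that item in its own task with `mode: "0600"` and put `no_log: true` on the `set_fact`. The first task is named `Patch | OCI | CCM | Set namespace oci_ccm_namespace` but sets `oci_csi_namespace`; rename it `Patch | OCI | CSI | Set namespace oci_csi_namespace`. The MachineConfig destination `{{ config_install_dir }}/openshift//99_...` has a doubled slash and that task has no `mode:`; fix the path and add `mode: "0644"`.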
@@ -0,0 +1,10 @@ +--- +- name: Config | Patch manifests | Line regex + ansible.builtin.lineinfile: + path: "{{ config_install_dir }}{{ patch_spec.manifest }}" + backrefs: true + regexp: "{{ patch_spec.regexp }}" + line: "{{ patch_spec.line }}" + loop: "{{ cfg_patch_line_regex_patch_specs }}" + loop_control: + loop_var: patch_spec diff --git a/roles/config/tasks/patches-manifests/mc-kubelet-env-workaround.yaml b/roles/config/tasks/patches-manifests/mc-kubelet-env-workaround.yaml new file mode 100644 index 0000000..f46612e --- /dev/null +++ b/roles/config/tasks/patches-manifests/mc-kubelet-env-workaround.yaml @@ -0,0 +1,16 @@ +--- +# NOTE: there is not guarantee that it would work. +# The Platform=External should have precedence before testing this approach. + +# Requires to cfg_patch_kubelet_env_workaround_content +## Each line should have the script generating the data to append to the +## kubelet workaround file. +- name: Crete kubelet config + ansible.builtin.template: + src: patches/mc-kubelet-env.yaml.j2 + dest: "{{ config_install_dir }}/openshift/99_openshift-machineconfig_00-{{ machine_role }}-kubelet-env-wa.yaml" + loop_control: + loop_var: machine_role + loop: + - master + - worker diff --git a/roles/config/tasks/patches-manifests/mc-kubelet-providerid.yaml b/roles/config/tasks/patches-manifests/mc-kubelet-providerid.yaml new file mode 100644 index 0000000..db54be0 --- /dev/null +++ b/roles/config/tasks/patches-manifests/mc-kubelet-providerid.yaml 
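Review bot: `lineinfile` with `backrefs: true` is a silent no-op when `patch_spec.regexp` matches nothing, so a manifest patch that misses (renamed field, upstream format change) leaves the cluster unpatched without any failure; `register: _patch` the result and at least warn when `not _patch.changed`, or validate the rendered manifest afterwards. `path: "{{ config_install_dir }}{{ patch_spec.manifest }}"` has no separator, so every `manifest` entry must begin with `/`; either document that (`# patch_spec.manifest is relative to config_install_dir and must start with '/'`) or join with `{{ config_install_dir }}/{{ patch_spec.manifest | regex_replace('^/', '') }}`.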
@@ -0,0 +1,39 @@ +--- +# NOTE: there is not guarantee that it would work. +# The Platform=External should have precedence before testing this approach. + +- name: Patch | mc-kubelet-providerid | Check requirements + ansible.builtin.assert: + that: + - cfg_patch_kubelet_providerid_script is defined + fail_msg: "'cfg_patch_kubelet_providerid_script' is required to use patch 'mc-kubelet-providerid'" + +- name: Patch | mc-kubelet-providerid | Set tmp dir + ansible.builtin.set_fact: + cluster_tmp_dir: "{{ config_install_dir }}/.tmp" + +- name: Patch | mc-kubelet-providerid | ensure tmp dir + ansible.builtin.file: + dest: "{{ cluster_tmp_dir }}" + state: directory + +- name: Patch | mc-kubelet-providerid | Create kubelet providerID + ansible.builtin.template: + src: patches/mc-kubelet-providerid.bu.j2 + dest: "{{ cluster_tmp_dir }}/99_openshift-machineconfig_00-{{ machine_role }}-kubelet-providerid.bu" + loop_control: + loop_var: machine_role + loop: + - master + - worker + +- name: Patch | mc-kubelet-providerid | Render butane config + ansible.builtin.shell: | + {{ bin_butane }} \ + {{ cluster_tmp_dir }}/99_openshift-machineconfig_00-{{ machine_role }}-kubelet-providerid.bu \ + -o {{ config_install_dir }}/openshift/99_openshift-machineconfig_00-{{ machine_role }}-kubelet-providerid.yaml + loop_control: + loop_var: machine_role + loop: + - master + - worker \ No newline at end of file diff --git a/roles/config/tasks/patches-manifests/yaml_patch.yaml b/roles/config/tasks/patches-manifests/yaml_patch.yaml new file mode 100644 index 0000000..a9e99d2 --- /dev/null +++ b/roles/config/tasks/patches-manifests/yaml_patch.yaml @@ -0,0 +1,6 @@ +--- + +- ansible.builtin.include_tasks: ./yaml_patch_run.yaml + loop: "{{ cfg_patch_yaml_patch_specs }}" + loop_control: + loop_var: patch_spec diff --git a/roles/config/tasks/patches-manifests/yaml_patch_run.yaml b/roles/config/tasks/patches-manifests/yaml_patch_run.yaml new file mode 100644 index 0000000..7db7321 --- /dev/null 
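Review bot: `Render butane config` uses `ansible.builtin.shell` purely to interpolate paths, which exposes `bin_butane`, `cluster_tmp_dir` and `config_install_dir` to shell word-splitting; `ansible.builtin.command` with `argv:` does the same job without a shell, and the task should add `changed_when: true` (or a `creates:`) so it is not reported as changed on every run. `cfg_patch_kubelet_providerid_script` is spliced verbatim into a script that, per the `.bu.j2` template later in this change, is installed at mode 0755 and run on every node; that is by design, but the assert deserves a comment such as `# NOTE: this content runs as root on every node at boot; treat it as trusted input`. The `ensure tmp dir` task has no `mode:`; `mode: "0755"` makes the intent explicit.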
+++ b/roles/config/tasks/patches-manifests/yaml_patch_run.yaml @@ -0,0 +1,18 @@ +--- +# generic update executor + +- name: patch | reading file {{ config_install_dir + patch_spec.manifest }} + set_fact: + patch_file: "{{ lookup('file', config_install_dir + patch_spec.manifest) | from_yaml }}" + +- debug: var=patch_file +- debug: var=patch_spec.patch + +- name: patch | patching content + set_fact: + new_content: "{{ patch_file | combine(patch_spec.patch|from_json, recursive=True) }}" + +- name: patch | saving file {{ config_install_dir + patch_spec.manifest }} + copy: + dest: "{{ config_install_dir + patch_spec.manifest }}" + content: "{{ new_content | to_nice_yaml(indent=2) }}" diff --git a/roles/config/tasks/save-state.yaml b/roles/config/tasks/save-state.yaml index 93987b7..7124c8b 100644 --- a/roles/config/tasks/save-state.yaml +++ b/roles/config/tasks/save-state.yaml @@ -5,4 +5,4 @@ dest: "{{ config_install_dir + '/cluster_state.json' }}" content: "{{ cluster_state }}" mode: 0644 - changed_when: false + #changed_when: false diff --git a/roles/config/templates/install-config.yaml.j2 b/roles/config/templates/install-config.yaml.j2 index e8aa153..1c19535 100644 --- a/roles/config/templates/install-config.yaml.j2 +++ b/roles/config/templates/install-config.yaml.j2 @@ -4,6 +4,10 @@ apiVersion: v1 baseDomain: {{ config_base_domain }} {% endif %} +{% if config_featureset is defined %} +featureSet: {{ config_featureset }} +{% endif %} + # Compute Pool {% if cluster_profile == 'ha' %} compute: {{ config_compute | from_yaml }} diff --git a/roles/config/templates/patches/mc-iscsid-service.yaml.j2 b/roles/config/templates/patches/mc-iscsid-service.yaml.j2 new file mode 100644 index 0000000..f454bf6 --- /dev/null +++ b/roles/config/templates/patches/mc-iscsid-service.yaml.j2 
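Review bot: The two bare `debug` tasks in yaml_patch_run.yaml print the entire parsed manifest and the patch on every run; if a `patch_spec` ever targets a Secret or a manifest embedding credentials, that content goes to the log, so remove them or guard with `when: debug | d(false)` as the destroy tasks in this change do. `lookup('file', ...) | from_yaml` handles a single YAML document and `combine(..., recursive=True)` replaces lists wholesale, so a multi-document manifest is truncated and a list-valued field such as `containers` is overwritten rather than merged; state that at the top: `# single-document manifests only; list values are replaced, not merged`. The final `copy` has no `mode:`; add `mode: "0644"`. The task names also lack the `Patch |` prefix used by the sibling files.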
@@ -0,0 +1,14 @@ +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + labels: + machineconfiguration.openshift.io/role: {{ machine_role }} + name: 99-{{ machine_role }}-iscsid +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - enabled: true + name: iscsid.service \ No newline at end of file diff --git a/roles/config/templates/patches/mc-kubelet-env.yaml.j2 b/roles/config/templates/patches/mc-kubelet-env.yaml.j2 new file mode 100644 index 0000000..b85de19 --- /dev/null +++ b/roles/config/templates/patches/mc-kubelet-env.yaml.j2 @@ -0,0 +1,38 @@ +# https://github.com/openshift/machine-config-operator/blob/master/templates/common/aws/files/usr-local-bin-aws-kubelet-providerid.yaml +apiVersion: machineconfiguration.openshift.io/v1 +kind: MachineConfig +metadata: + labels: + machineconfiguration.openshift.io/role: master + name: 00-{{ machine_role }}-kubelet-env +spec: + config: + ignition: + version: 3.1.0 + systemd: + units: + - name: kubelet-env.service + enabled: false + contents: | + [Unit] + Description=Fetch kubelet environments from Metadata + # Wait for NetworkManager to report it's online + #Wants=network-online.target + #Requires=crio.service kubelet-auto-node-size.service + #After=network-online.target + #After=ostree-finalize-staged.service + After=NetworkManager-wait-online.service + Before=kubelet.service + [Service] + User=root + Group=root + ExecStart=/opt/libexec/kubelet-env-workaround.sh + Type=oneshot + [Install] + WantedBy=network-online.target + storage: + files: + - mode: 0755 + path: "/opt/libexec/kubelet-env-workaround.sh" + contents: + source: data:text/plain;charset=utf-8;base64,{{ lookup('template', './mc-kubelet-env_kubelet-providerID.sh.j2') | b64encode }} diff --git a/roles/config/templates/patches/mc-kubelet-env_kubelet-providerID.sh.j2 b/roles/config/templates/patches/mc-kubelet-env_kubelet-providerID.sh.j2 new file mode 100644 index 0000000..a3ea527 --- /dev/null 
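Review bot: `machineconfiguration.openshift.io/role: master` is hard-coded in mc-kubelet-env.yaml.j2 while `name: 00-{{ machine_role }}-kubelet-env` is templated, so the worker render is labelled `master`: workers never receive the unit and the master pool gets two MachineConfigs; change it to `machineconfiguration.openshift.io/role: {{ machine_role }}` as mc-iscsid-service.yaml.j2 in this same change does. The unit is `enabled: false` yet declares `WantedBy=network-online.target` and `Before=kubelet.service`, so as written nothing starts it; set `enabled: true` or add a comment explaining how it is triggered. The commented `#Wants`/`#Requires`/`#After` lines should be removed or explained so the ordering intent is clear.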
+++ b/roles/config/templates/patches/mc-kubelet-env_kubelet-providerID.sh.j2 @@ -0,0 +1,9 @@ +#!/bin/bash + +{{ cfg_patch_kubelet_env_workaround_content }} + +echo "#> Setting permissions 0644 for /etc/kubernetes/kubelet-workaround" +sudo chmod 0755 /etc/kubernetes/kubelet-workaround + +echo "#> Checking value of /etc/kubernetes/kubelet-workaround" +cat /etc/kubernetes/kubelet-workaround diff --git a/roles/config/templates/patches/mc-kubelet-providerid.bu.j2 b/roles/config/templates/patches/mc-kubelet-providerid.bu.j2 new file mode 100644 index 0000000..b276f21 --- /dev/null +++ b/roles/config/templates/patches/mc-kubelet-providerid.bu.j2 @@ -0,0 +1,51 @@ +# https://github.com/openshift/machine-config-operator/blob/master/templates/common/aws/files/usr-local-bin-aws-kubelet-providerid.yaml +variant: openshift +version: 4.12.0 +metadata: + name: 00-{{ machine_role }}-kubelet-providerid + labels: + machineconfiguration.openshift.io/role: {{ machine_role }} +storage: + files: + - mode: 0755 + path: "/usr/local/bin/kubelet-providerid" + contents: + inline: | + #!/bin/bash + set -e -o pipefail + NODECONF=/etc/systemd/system/kubelet.service.d/20-providerid.conf + if [ -e "${NODECONF}" ]; then + echo "Not replacing existing ${NODECONF}" + exit 0 + fi + + {{ cfg_patch_kubelet_providerid_script }} + + cat > "${NODECONF}" <> /data/out.txt; sleep 5; done"] + volumeMounts: + - name: persistent-storage + mountPath: /data + volumes: + - name: persistent-storage + persistentVolumeClaim: + claimName: oci-bv-claim diff --git a/roles/config/templates/patches/oci/oci-sample-lb-00-deployment.yaml.j2 b/roles/config/templates/patches/oci/oci-sample-lb-00-deployment.yaml.j2 new file mode 100644 index 0000000..69283de --- /dev/null +++ b/roles/config/templates/patches/oci/oci-sample-lb-00-deployment.yaml.j2 
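Review bot: The script echoes `Setting permissions 0644` but runs `sudo chmod 0755 /etc/kubernetes/kubelet-workaround`; a kubelet environment file needs no execute bit, so make both say 0644 (`chmod 0644 /etc/kubernetes/kubelet-workaround`), and `sudo` is redundant because the unit in mc-kubelet-env.yaml.j2 already runs with `User=root`. The trailing `cat` prints whatever `cfg_patch_kubelet_env_workaround_content` wrote into the journal on every boot, so either keep that content free of tokens or replace the `cat` with a `test -s` existence check. Add `set -euo pipefail` after the shebang so a failing metadata fetch does not leave a partial file that kubelet then sources.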
@@ -0,0 +1,21 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx-deployment + namespace: {{ oci_samples_namespace | d('oci-samples') }} +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx + ports: + - containerPort: 80 diff --git a/roles/config/templates/patches/oci/oci-sample-lb-01-service.yaml.j2 b/roles/config/templates/patches/oci/oci-sample-lb-01-service.yaml.j2 new file mode 100644 index 0000000..c717141 --- /dev/null +++ b/roles/config/templates/patches/oci/oci-sample-lb-01-service.yaml.j2 @@ -0,0 +1,16 @@ +--- +kind: Service +apiVersion: v1 +metadata: + name: nginx-service + namespace: {{ oci_samples_namespace | d('oci-samples') }} + labels: + app: nginx +spec: + selector: + app: nginx + type: LoadBalancer + ports: + - name: http + port: 81 + targetPort: 80 diff --git a/roles/config/templates/patches/oci/oci-samples-namespace.j2 b/roles/config/templates/patches/oci/oci-samples-namespace.j2 new file mode 100644 index 0000000..cbceb1d --- /dev/null +++ b/roles/config/templates/patches/oci/oci-samples-namespace.j2 @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ oci_samples_namespace | d('oci-samples') }} + labels: + "pod-security.kubernetes.io/enforce": "privileged" + "pod-security.kubernetes.io/audit": "privileged" + "pod-security.kubernetes.io/warn": "privileged" + "pod-security.kubernetes.io/enforce-version": "v1.24" + "security.openshift.io/scc.podSecurityLabelSync": "false" + "openshift.io/run-level": "0" diff --git a/roles/csr_approver/tasks/approve.yaml b/roles/csr_approver/tasks/approve.yaml index 006b9b9..59f3bb2 100644 --- a/roles/csr_approver/tasks/approve.yaml +++ b/roles/csr_approver/tasks/approve.yaml 
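Review bot: `image: nginx` in the sample Deployment is unpinned (no tag or digest), so the sample is subject to tag drift and Docker Hub rate limits; pin it, e.g. `image: docker.io/library/nginx:1.25` or better `docker.io/library/nginx@sha256:<digest>`. The container also sets no `securityContext` or resource limits, which only works because the accompanying namespace is labelled `privileged`; an LB smoke test does not need that, and `nginxinc/nginx-unprivileged` would run under the default restricted profile.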
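Review bot: The samples namespace is labelled `pod-security.kubernetes.io/enforce: privileged`, `security.openshift.io/scc.podSecurityLabelSync: "false"` and `openshift.io/run-level: "0"`; to my understanding run-level 0 is reserved for core OpenShift namespaces and switches off SCC admission there, which a throwaway nginx/LB/block-volume sample does not need. Drop the `run-level` label and the privileged PSA labels (an nginx that binds a non-privileged port runs under the default restricted profile), or add a comment explaining why the bypass is required. If it is required, the namespace template should carry `# WARNING: run-level 0 disables SCC admission; samples only, never reuse for workloads`.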
@@ -11,6 +11,10 @@ kind: CertificateSigningRequest kubeconfig: "{{ config_install_dir }}/auth/kubeconfig" register: all_csr + until: "all_csr | length > 0" + retries: 12 + delay: 5 + no_log: true - name: Approver | Set pending list ansible.builtin.set_fact: diff --git a/roles/destroy/tasks/oci.yaml b/roles/destroy/tasks/oci.yaml new file mode 100644 index 0000000..3376a85 --- /dev/null +++ b/roles/destroy/tasks/oci.yaml @@ -0,0 +1,27 @@ +--- +- name: OCI | Load Balancer + ansible.builtin.include_tasks: "{{ provider }}/loadbalancer.yaml" + tags: loadbalancer + +- name: OCI | Compute + ansible.builtin.include_tasks: "{{ provider }}/compute.yaml" + tags: compute + +- name: OCI | IAM + ansible.builtin.include_tasks: "{{ provider }}/iam.yaml" + tags: iam + +- name: OCI | DNS + ansible.builtin.include_tasks: "{{ provider }}/dns.yaml" + tags: dns + +- name: OCI | Network + ansible.builtin.include_tasks: "{{ provider }}/network.yaml" + tags: network + loop: "{{ cloud_networks }}" + loop_control: + loop_var: vcn + +- name: OCI | Bucket + ansible.builtin.include_tasks: "{{ provider }}/bucket.yaml" + tags: bucket diff --git a/roles/destroy/tasks/oci/bucket.yaml b/roles/destroy/tasks/oci/bucket.yaml new file mode 100644 index 0000000..e566603 --- /dev/null +++ b/roles/destroy/tasks/oci/bucket.yaml @@ -0,0 +1,14 @@ +--- +- name: OCI | Bucket | Get the namespace + oracle.oci.oci_object_storage_namespace_facts: + compartment_id: "{{ oci_compartment_id }}" + register: _objns + +- name: OCI | Bucket | Delete bootstrap + oracle.oci.oci_object_storage_bucket: + state: absent + compartment_id: "{{ oci_compartment_id }}" + name: "{{ cluster_state.infra_id }}-infra" + namespace_name: "{{ _objns.namespace }}" + force: yes + diff --git a/roles/destroy/tasks/oci/compute.yaml b/roles/destroy/tasks/oci/compute.yaml new file mode 100644 index 0000000..8fe08ff --- /dev/null +++ b/roles/destroy/tasks/oci/compute.yaml 
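Review bot: `until: "all_csr | length > 0"` tests the length of the registered result mapping, which is always non-zero, so the new `retries: 12`/`delay: 5` loop never actually waits for CSRs to appear; the module's list is presumably under `resources`, so use `until: all_csr.resources | d([]) | length > 0`. `no_log: true` on a read-only CSR listing hides nothing sensitive (CSR PEMs are public) while making the failure reason invisible after twelve attempts; remove it or keep it only on the approve step. The enclosing task starts outside this hunk.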
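Review bot: `roles/destroy/tasks/oci/bucket.yaml` deletes `{{ cluster_state.infra_id }}-infra`, whereas `roles/bootstrap/tasks/oci.yaml` in this same change creates and uploads to `{{ bootstrap_bucket }}`; if those two ever differ, the bucket holding bootstrap.ign and its pre-authenticated request outlives the cluster. Use the same variable here (`name: "{{ bootstrap_bucket }}"`), or derive `bootstrap_bucket` from `infra_id` in one place and reference it from both roles. `force: yes` should be `force: true`, and the file ends with a stray blank line.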
@@ -0,0 +1,39 @@ +--- +- name: OCI | Compute | Discovery Instance ID + tags: compute + loop_control: + loop_var: instance + loop: "{{ okd_cluster_destroy_instances }}" + register: _instances + oracle.oci.oci_compute_instance_facts: + compartment_id: "{{ okd_cluster_destroy_instances_compartment_id }}" + display_name: "{{ instance.name }}" + +# TODO: commenting to further review to prevent showing undesired fields (user-data). +# - name: OCI | Compute | Show Delete +# tags: compute +# loop_control: +# loop_var: results +# loop: "{{ _instances.results }}" +# when: +# - _instances.results | length > 0 +# - results.instances is defined and results.instances | length > 0 +# - debug | d(false) +# debug: +# msg: "Deleting Instance: {{ results.instances[0].display_name }}({{ results.instances[0].id }})" + +- name: OCI | Compute | Delete instance + tags: compute + loop_control: + loop_var: inst + loop: "{{ _instances.results }}" + when: + - _instances.results | length > 0 + - inst.instances is defined and inst.instances | length > 0 + no_log: true + oracle.oci.oci_compute_instance: + state: absent + compartment_id: "{{ okd_cluster_destroy_instances_compartment_id }}" + id: "{{ inst.instances[0].id }}" + preserve_boot_volume: false + wait: no \ No newline at end of file diff --git a/roles/destroy/tasks/oci/dns.yaml b/roles/destroy/tasks/oci/dns.yaml new file mode 100644 index 0000000..162d979 --- /dev/null +++ b/roles/destroy/tasks/oci/dns.yaml @@ -0,0 +1,12 @@ +--- +- name: OCI | DNS | Remove records + oracle.oci.oci_dns_zone_records: + compartment_id: "{{ okd_cluster_destroy_dns_compartment_id }}" + zone_name_or_id: "{{ okd_cluster_destroy_dns_records.zone_name_or_id }}" + patch_items: "{{ okd_cluster_destroy_dns_records.patch_items_spec }}" + # - operation: REMOVE + # domain: "{{ rr.domain }}" + # loop: "{{ okd_cluster_destroy_dns_records }}" + # loop_control: + # loop_var: rr + # register: _rr 
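Review bot: The delete step uses `inst.instances[0].id` from a `display_name` lookup, but OCI display names are not unique within a compartment, so a stale or unrelated instance with the same name (a previous cluster reusing the `infra_id`, or a TERMINATED record) can be the one selected, and with `no_log: true` on that task the chosen ID is never shown. Filter the facts call by lifecycle state if the module supports it (e.g. `lifecycle_state: RUNNING`) and assert `inst.instances | length == 1` before deleting, or loop over all matches if deleting every one is intended. `wait: no` should be `wait: false`, and the commented `Show Delete` block could return as a `debug` of `display_name` and `id` only, which does not expose `user_data`.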
diff --git a/roles/destroy/tasks/oci/iam.yaml b/roles/destroy/tasks/oci/iam.yaml new file mode 100644 index 0000000..02eb760 --- /dev/null +++ b/roles/destroy/tasks/oci/iam.yaml @@ -0,0 +1,2 @@ +--- +# placeholder diff --git a/roles/destroy/tasks/oci/loadbalancer.yaml b/roles/destroy/tasks/oci/loadbalancer.yaml new file mode 100644 index 0000000..0c07f9c --- /dev/null +++ b/roles/destroy/tasks/oci/loadbalancer.yaml @@ -0,0 +1,37 @@ +--- +- name: OCI | LB | Discovery IDs + loop: "{{ cloud_loadbalancers }}" + loop_control: + loop_var: lb + register: _lb_out + oracle.oci.oci_network_load_balancer_facts: + compartment_id: "{{ lb.spec.compartment_id }}" + display_name: "{{ lb.name }}" + +# - debug: var=_lb_out + +- name: OCI | LB | Show Delete + loop: "{{ _lb_out.results }}" + loop_control: + loop_var: lb + register: _lb_del_out + debug: + msg: "Deleting Load Balancer ID: {{ lb.network_load_balancers[0].id }}" + when: + - debug | d(false) + - _lb_out.results is defined and _lb_out.results | length > 0 + check_mode: no + +- name: OCI | LB | Delete + loop: "{{ _lb_out.results }}" + loop_control: + loop_var: lb + register: _lb_del_out + oracle.oci.oci_network_load_balancer: + state: absent + id: "{{ lb.network_load_balancers[0].id }}" + when: + - _lb_out.results is defined and _lb_out.results | length > 0 + - lb.network_load_balancers is defined and lb.network_load_balancers | length > 0 + +# - debug: var=_lb_del_out diff --git a/roles/destroy/tasks/oci/network.yaml b/roles/destroy/tasks/oci/network.yaml new file mode 100644 index 0000000..deece0a --- /dev/null +++ b/roles/destroy/tasks/oci/network.yaml 
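Review bot: The `Show Delete` debug task indexes `lb.network_load_balancers[0].id` with only the `_lb_out.results | length > 0` guard, so with `debug: true` and a load balancer that no longer exists it fails on the empty list before the properly guarded `Delete` task runs; give it the same `lb.network_load_balancers is defined and lb.network_load_balancers | length > 0` condition. Both tasks `register: _lb_del_out`, so the debug result is immediately overwritten; drop the register on the debug task. As in compute.yaml, taking `[0]` from a `display_name` search assumes the name is unique in the compartment; assert exactly one match (or loop over all) before deleting.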
@@ -0,0 +1,81 @@
+---
+- name: OCI | Network | Subnet | Delete
+  oracle.oci.oci_network_subnet:
+    state: absent
+    compartment_id: "{{ vcn.compartment_id }}"
+    display_name: "{{ subnet.spec.display_name }}"
+  environment:
+    OCI_USE_NAME_AS_IDENTIFIER: true
+  loop: "{{ vcn.subnets }}"
+  loop_control:
+    loop_var: subnet
+  register: _del_subnet
+  until: "_del_subnet is not failed"
+  retries: 10
+  delay: 5
+
+- name: OCI | Network | Route Table Public | Delete
+  oracle.oci.oci_network_route_table:
+    state: absent
+    compartment_id: "{{ vcn.compartment_id }}"
+    display_name: "{{ vcn.route_table_public.spec.display_name }}"
+  environment:
+    OCI_USE_NAME_AS_IDENTIFIER: true
+
+- name: OCI | Network | Route Table Private | Delete
+  oracle.oci.oci_network_route_table:
+    state: absent
+    compartment_id: "{{ vcn.compartment_id }}"
+    display_name: "{{ vcn.route_table_private.spec.display_name }}"
+  environment:
+    OCI_USE_NAME_AS_IDENTIFIER: true
+
+- name: OCI | Network | NatGW
+  oracle.oci.oci_network_nat_gateway:
+    state: absent
+    compartment_id: "{{ vcn.compartment_id }}"
+    display_name: "{{ vcn.nat_gateway.spec.display_name }}"
+  environment:
+    OCI_USE_NAME_AS_IDENTIFIER: true
+
+- name: OCI | VCN | IGW | Delete
+  oracle.oci.oci_network_internet_gateway:
+    state: absent
+    compartment_id: "{{ vcn.compartment_id }}"
+    display_name: "{{ vcn.internet_gateway.spec.display_name }}"
+  environment:
+    OCI_USE_NAME_AS_IDENTIFIER: true
+
+- name: OCI | Network | NSG | Delete
+  oracle.oci.oci_network_security_group:
+    state: absent
+    compartment_id: "{{ vcn.compartment_id }}"
+    display_name: "{{ nsg.spec.display_name }}"
+  environment:
+    OCI_USE_NAME_AS_IDENTIFIER: true
+  loop: "{{ vcn.network_security_groups }}"
+  loop_control:
+    loop_var: nsg
+
+- name: OCI | Network | SecList | Delete
+  oracle.oci.oci_network_security_list:
+    state: absent
+    compartment_id: "{{ vcn.compartment_id }}"
+    display_name: "{{ seclist.spec.display_name }}"
+  environment:
+    OCI_USE_NAME_AS_IDENTIFIER: true
+  loop: "{{ vcn.security_lists }}"
+  loop_control:
+    loop_var: seclist
+
+- name: OCI | Network | VCN | Delete
+  oracle.oci.oci_network_vcn:
+    state: absent
+    compartment_id: "{{ vcn.compartment_id }}"
+    display_name: "{{ vcn.name }}"
+  environment:
+    OCI_USE_NAME_AS_IDENTIFIER: true
+  register: oci_destroy_vcn
+  until: "oci_destroy_vcn is not failed"
+  retries: 5
+  delay: 5
\ No newline at end of file
diff --git a/roles/os_mirror/tasks/oci.yaml b/roles/os_mirror/tasks/oci.yaml
new file mode 100644
index 0000000..f87cd57
--- /dev/null
+++ b/roles/os_mirror/tasks/oci.yaml
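Review bot: `OCI_USE_NAME_AS_IDENTIFIER: true` under `environment` is a YAML boolean, which Ansible stringifies into the process environment as Python's `True`; if the collection compares the value case-sensitively, name-based lookup stays off and every delete in this file quietly matches nothing — quote it as `OCI_USE_NAME_AS_IDENTIFIER: "true"` in all eight tasks. Resolving each resource by `display_name` inside `vcn.compartment_id` also means a second VCN in that compartment using the same subnet/gateway names is a deletion candidate; resolving OCIDs from the cluster state, or scoping lookups by `vcn_id`, would be the safer shape. Only the subnet and VCN deletes carry `until`/`retries`; the NSG, security-list, route-table and gateway deletes, which can fail while dependants still exist, get a single attempt.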
@@ -0,0 +1,41 @@
+---
+
+- name: OCI | Get the namespace
+  oracle.oci.oci_object_storage_namespace_facts:
+    compartment_id: "{{ os_mirror_to_oci.compartment_id }}"
+  register: _objns
+
+- name: OCI | Create bucket
+  oracle.oci.oci_object_storage_bucket:
+    state: present
+    compartment_id: "{{ os_mirror_to_oci.compartment_id }}"
+    name: "{{ os_mirror_to_oci.bucket }}"
+    namespace_name: "{{ _objns.namespace }}"
+
+- name: OCI | Show Summary of OS Mirroring
+  debug:
+    msg:
+      - "Bucket/image object: {{ os_mirror_to_oci.bucket }}/{{ cluster_state.compute.image_id }}"
+      - "Image name: {{ cluster_state.compute.image_id }}"
+  when: not(_st_image.stat.exists)
+
+- name: OCI | Upload image to bucket
+  oracle.oci.oci_object_storage_object:
+    namespace_name: "{{ _objns.namespace }}"
+    bucket_name: "{{ os_mirror_to_oci.bucket }}"
+    object_name: "{{ cluster_state.compute.image_id }}"
+    src: "{{ collection_bin_dir + '/' + cluster_state.compute.image_id }}"
+    force: false
+  register: _upload
+
+- name: OCI | Creating Custom Image
+  oracle.oci.oci_compute_image:
+    compartment_id: "{{ os_mirror_to_oci.compartment_id }}"
+    image_source_details:
+      bucket_name: "{{ os_mirror_to_oci.bucket }}"
+      namespace_name: "{{ _objns.namespace }}"
+      object_name: "{{ cluster_state.compute.image_id }}"
+      source_type: objectStorageTuple
+      source_image_type: "{{ os_mirror_to_oci.image_type }}"
+    launch_mode: PARAVIRTUALIZED
+    display_name: "{{ cluster_state.compute.image_id }}"
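Review bot: The Show Summary task runs only `when: not(_st_image.stat.exists)`, i.e. when the local image file is absent, yet the Upload task that follows uses that same file as `src` with no condition, so in the one case where the summary prints the upload then fails on a missing source; either the condition is inverted or Upload and Creating Custom Image need a matching `when` on `_st_image`. `_st_image` is not registered in this file, so say where it comes from, e.g. `# _st_image: stat of the local image file (registered by the caller — TODO confirm)`. The Custom Image task has no `register`, so the OCID of the image it creates is not captured for later steps, and its idempotency on re-runs rests on the module matching by `display_name`, which I cannot confirm from this file.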