Add crc-cloud Ansible role

The Ansible tool might handle in better way how to deploy the
CRC cloud.

ansible/roles/deploy-crc-cloud/defaults/main.yaml

@@ -0,0 +1,33 @@
+---
+dnsmasq_conf_path: /etc/dnsmasq.d/crc-dnsmasq.conf
+openshift_pull_secret: ""
+eip: crc.dev
+altnernative_domain: nip.io
+
+# wait for resource
+max_retry: 20
+wait_interval: 5
+
+# wait cluster become healthy
+max_retries: 20
+retry_delay: 5
+
+pass_developer: _PASS_DEVELOPER_
+pass_kubeadmin: _PASS_KUBEADMIN_
+pass_redhat: _PASS_REDHAT_
+
+users:
+  - name: developer
+    password: "{{ pass_developer }}"
+  - name: kubeadmin
+    password: "{{ pass_kubeadmin }}"
+  - name: redhat
+    password: "{{ pass_redhat }}"
+
+# replace default ca
+ca_user: "system:admin"
+ca_group: "system:masters"
+ca_user_subj: "/O=${GROUP}/CN=${USER}"
+ca_name: "custom"
+ca_subj: "/OU=openshift/CN=admin-kubeconfig-signer-custom"
+ca_validity: 3650

ansible/roles/deploy-crc-cloud/tasks/console_route.yaml

@@ -0,0 +1,16 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L282
+- name: Get route to console custom
+  ansible.builtin.shell: |
+    oc get route console-custom -n openshift-console
+  register: _route_console_custom
+  until: _route_console_custom.rc != 1
+  retries: 60
+  delay: 10
+  changed_when: false
+
+- name: Get console route
+  ansible.builtin.shell: >
+    oc get route console-custom
+    -n openshift-console
+    -o json | jq -r '.spec.host'

ansible/roles/deploy-crc-cloud/tasks/create_certificate_and_patch_secret.yaml

@@ -0,0 +1,20 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185
+- name: Create alternative cert
+  ansible.builtin.shell: >
+    openssl req
+    -newkey rsa:2048
+    -new -nodes
+    -x509
+    -days 3650
+    -keyout nip.key
+    -out nip.crt
+    -subj "/CN={{ eip }}.{{ alternative_domain }}"
+    -addext "subjectAltName=DNS:apps.{{ eip }}.{{ alternative_domain }},DNS:*.apps.{{ eip }}.{{ alternative_domain }},DNS:api.{{ eip }}.{{ alternative_domain }}"
+
+- name: "Create secret for {{ alternative_domain }}"
+  ansible.builtin.command: >
+    oc create secret tls nip-secret
+    --cert=nip.crt
+    --key=nip.key
+    -n openshift-config

ansible/roles/deploy-crc-cloud/tasks/dnsmasq.yaml

@@ -0,0 +1,51 @@
+---
+# From https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L101
+- name: Create crc-dnsmasq.conf
+  become: true
+  ansible.builtin.copy:
+    content: |
+      listen-address={{ ansible_default_ipv4.address }}
+      expand-hosts
+      log-queries
+      local=/crc.testing/
+      domain=crc.testing
+      address=/apps-crc.testing/{{ ansible_default_ipv4.address }}
+      address=/api.crc.testing/{{ ansible_default_ipv4.address }}
+      address=/api-int.crc.testing/{{ ansible_default_ipv4.address }}
+      address=/$hostName.crc.testing/192.168.126.11
+    dest: "{{ dnsmasq_conf_path }}"
+  register: _dnsmasq_conf
+
+- name: Set this host as first nameserver in /etc/resolv.conf
+  become: true
+  ansible.builtin.lineinfile:
+    path: /etc/resolv.conf
+    regexp: '^# Generated by NetworkManager'
+    line: "nameserver {{ item }}"
+    create: true
+  loop: "{{ [ansible_default_ipv4.address] + ansible_facts['dns']['nameservers'] | flatten }}"
+  register: _etc_resolv
+
+- name: Disable overwriting /etc/resolv.conf by the NetworkManager
+  become: true
+  ansible.builtin.copy:
+    content: |
+      [main]
+      dns=none
+    dest: /etc/NetworkManager/conf.d/00-custom-crc.conf
+  register: _disable_dns_overwrite
+
+- name: Restart NetworkManager when its needed
+  when: _disable_dns_overwrite.changed
+  become: true
+  ansible.builtin.systemd:
+    name: NetworkManager
+    state: restarted
+
+- name: Restart dnsmasq
+  when: _etc_resolv.changed
+  become: true
+  ansible.builtin.systemd:
+    name: dnsmasq
+    state: restarted
+    enabled: true

ansible/roles/deploy-crc-cloud/tasks/get_htpasswd.yaml

@@ -0,0 +1,11 @@
+---
+- name: "Get htpasswd for {{ user.name }}"
+  ansible.builtin.shell: |
+     podman run --rm -ti xmartlabs/htpasswd {{ user.name }} {{ user.password }}
+  register: _user_hash
+
+- name: Create htpasswd.txt
+  ansible.builtin.lineinfile:
+    path: htpasswd.txt
+    line: "{{ _user_hash.stdout }}"
+    create: true

ansible/roles/deploy-crc-cloud/tasks/kubeconfig.yaml

@@ -0,0 +1,15 @@
+---
+- name: Create kube directory
+  ansible.builtin.file:
+    path: .kube
+    state: directory
+    owner: core
+    group: core
+
+- name: Copy kubeconfig to user dir
+  ansible.builtin.copy:
+    src: /opt/kubeconfig
+    dest: .kube/config
+    remote_src: true
+    owner: core
+    group: core

ansible/roles/deploy-crc-cloud/tasks/kubelet.yaml

@@ -0,0 +1,17 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L132
+- name: Start and enable kubelet
+  become: true
+  ansible.builtin.systemd:
+    name: kubelet
+    state: started
+    enabled: true
+
+- name: Wait for API to start before continue
+  ansible.builtin.command: >
+    oc get pods --all-namespaces
+  register: _openshift_containers
+  until: "'No resources found' not in _openshift_containers.stdout or 'connect: connection refused' not in _openshift_containers.stderr"
+  retries: 60
+  delay: 10
+  changed_when: false

ansible/roles/deploy-crc-cloud/tasks/login.yaml

@@ -0,0 +1,14 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L67
+- name: Try to login after all changes
+  ansible.builtin.command: >
+    oc login
+    --insecure-skip-tls-verify=true
+    -u kubeadmin
+    -p "{{ pass_kubeadmin }}"
+    https://api.crc.testing:6443
+  register: _openshift_login
+  until: _openshift_login.rc != 1
+  retries: 60
+  delay: 10
+  changed_when: false

ansible/roles/deploy-crc-cloud/tasks/main.yaml

@@ -0,0 +1,64 @@
+---
+- name: Check if pull-secret is provided
+  when: not openshift_pull_secret
+  ansible.builtin.fail:
+    msg: "You need to provide openshift_pull_secret variable!"
+
+- name: Create kubeconfig
+  ansible.builtin.include_tasks: kubeconfig.yaml
+
+- name: Setup dnsmasq
+  ansible.builtin.include_tasks: dnsmasq.yaml
+
+- name: Start kubelet
+  ansible.builtin.include_tasks: kubelet.yaml
+
+- name: Replace default pubkey
+  ansible.builtin.include_tasks: pubkey.yaml
+
+- name: Wait for cluster become healthy
+  vars:
+    wait_components: "etcd|openshift-apiserver"
+  ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml
+
+- name: Set credentials
+  ansible.builtin.include_tasks: set_credentials.yaml
+
+- name: Replace default CA
+  ansible.builtin.include_tasks: replace_default_ca.yaml
+
+- name: Login to the OpenShift cluster
+  ansible.builtin.include_tasks: login.yaml
+
+- name: Patch pull secret
+  ansible.builtin.include_tasks: patch_pull_secret.yaml
+
+- name: Wait for cluster become healthy after patching CA and pull secret
+  vars:
+    wait_components: "etcd|openshift-apiserver"
+  ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml
+
+- name: Create certificate and patch secret
+  ansible.builtin.include_tasks: create_certificate_and_patch_secret.yaml
+
+- name: Wait for cluster become healthy after adding domain
+  vars:
+    wait_components: "etcd|openshift-apiserver"
+  ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml
+
+- name: Patch ingress config
+  ansible.builtin.include_tasks: patch_ingress_config.yaml
+
+- name: Patch api server
+  ansible.builtin.include_tasks: patch_api_server.yaml
+
+- name: Patch default route
+  ansible.builtin.include_tasks: patch_default_route.yaml
+
+- name: Wait for cluster become healthy after changing ingress api server and default route
+  vars:
+    wait_components: "authentication|console|etcd|ingress|openshift-apiserver"
+  ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml
+
+- name: Get console route
+  ansible.builtin.include_tasks: console_route.yaml

ansible/roles/deploy-crc-cloud/tasks/patch_api_server.yaml

@@ -0,0 +1,7 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L215
+- name: Patch apiserver
+  ansible.builtin.shell: >
+    oc patch apiserver cluster
+    --type=merge
+    -p '{"spec":{"servingCerts": {"namedCertificates":[{"names":["api.{{ eip }}.{{ alternative_domain }}"],"servingCertificate": {"name": "nip-secret"}}]}'

ansible/roles/deploy-crc-cloud/tasks/patch_default_route.yaml

@@ -0,0 +1,9 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L222
+- name: Patch default route
+  ansible.builtin.shell: >
+    oc patch
+    -p '{"spec": {"host": "default-route-openshift-image-registry.{{ eip }}.{{ alternative_domain }}"}}'
+    route default-route
+    -n openshift-image-registry
+    --type=merge

ansible/roles/deploy-crc-cloud/tasks/patch_ingress_config

@@ -0,0 +1,3 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185
+

ansible/roles/deploy-crc-cloud/tasks/patch_ingress_config.yaml

@@ -0,0 +1,26 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185
+- name: Generate ingress patch
+  ansible.builtin.copy:
+    content: |
+      spec:
+        appsDomain: apps.{{ eip }}.{{ alternative_domain }}
+        componentRoutes:
+        - hostname: console-openshift-console.apps.{{ eip }}.{{ alternative_domain }}
+          name: console
+          namespace: openshift-console
+          servingCertKeyPairSecret:
+            name: nip-secret
+        - hostname: oauth-openshift.apps.{{ eip }}.{{ alternative_domain }}
+          name: oauth-openshift
+          namespace: openshift-authentication
+          servingCertKeyPairSecret:
+            name: nip-secret
+    dest: ingress-patch.yaml
+
+- name: Apply patch for ingress
+  ansible.builtin.command: >
+    oc patch ingresses.config.openshift.io
+    cluster
+    --type=merge
+    --patch-file=ingress-patch.yaml

ansible/roles/deploy-crc-cloud/tasks/patch_pull_secret.yaml

@@ -0,0 +1,9 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L178
+- name: Patch pull secret
+  ansible.builtin.command: >
+    oc patch secret pull-secret
+    -p ''{\"data\":{\".dockerconfigjson\":\"{{ openshift_pull_secret }}\"}}"
+    -n openshift-config
+    --type merge
+  no_log: true

ansible/roles/deploy-crc-cloud/tasks/pubkey.yaml

@@ -0,0 +1,25 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L93
+- name: Check if id_rsa.pub exists
+  ansible.builtin.stat:
+    path: id_rsa.pub
+  register: _id_rsa_pub
+
+- name: Add master ssh key when pub key exists
+  when: _id_rsa_pub.stat.exists
+  block:
+    - name: Read pub key
+      ansible.builtin.shell: |
+        tr -d '\n\r' < id_rsa.pub
+      register: _pub_key
+
+    - name: Wait for machineconfig
+      vars:
+        resource: machineconfig
+      ansible.builtin.include_tasks: wait_for_resource.yaml
+
+    - name: Patch machineconfig 99-master-ssh
+      ansible.builtin.shell: >
+        oc patch machineconfig 99-master-ssh
+        -p '{"spec": {"config": {"passwd": {"users": [{"name": "core", "sshAuthorizedKeys": ["{{_pub_key.stdout}}"]}]}}}}'
+        --type merge

ansible/roles/deploy-crc-cloud/tasks/replace_default_ca.yaml

@@ -0,0 +1,52 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L41
+- name: Generate key
+  ansible.builtin.command: openssl genrsa -out {{ ca_name }}-ca.key 4096
+
+- name: Generate cert
+  ansible.builtin.command: >
+    openssl req -x509 -new -nodes
+    -key {{ ca_name }}-ca.key
+    -sha256
+    -days {{ ca_validity }}
+    -out {{ ca_name }}-ca.crt
+    -subj "{{ ca_subj }}"
+
+- name: Generate csr
+  ansible.builtin.command: >
+    openssl req -nodes
+    -newkey rsa:2048
+    -keyout {{ ca_user }}.key
+    -subj "{{ ca_user_subj }}"
+    -out {{ ca_user }}.csr
+
+- name: Generate user cert
+  ansible.builtin.shell: >
+    openssl x509
+    -extfile <(printf "extendedKeyUsage = clientAuth")
+    -req -in {{ ca_user }}.csr
+    -CA {{ ca_name }}-ca.crt
+    -CAkey {{ ca_name }}-ca.key
+    -CAcreateserial -out {{ ca_user }}.crt
+    -days {{ ca_validity }}
+    -sha256
+
+- name: Create configmap
+  ansible.builtin.command: >
+    oc create configmap
+    client-ca-custom
+    -n openshift-config
+    --from-file=ca-bundle.crt={{ ca_name }}-ca.crt
+
+- name: Patch apiserver
+  ansible.builtin.command: >
+    oc patch apiserver cluster
+    --type=merge
+    -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+
+- name: Create configmap
+  ansible.builtin.shell: >
+    oc create configmap admin-kubeconfig-client-ca
+    -n openshift-config
+    --from-file=ca-bundle.crt={{ ca_name }}-ca.crt
+    --dry-run -o yaml | oc replace -f -