Add crc-cloud Ansible role

The Ansible tool might handle in better way how to deploy the CRC cloud.
crc-org · Nov 6, 2024 · a3f3eca · a3f3eca
1 parent 4be45c7
commit a3f3eca
Show file tree

Hide file tree

Showing 19 changed files with 409 additions and 0 deletions.
diff --git a/ansible/roles/crc-cloud/defaults/main.yaml b/ansible/roles/crc-cloud/defaults/main.yaml
@@ -0,0 +1,34 @@
+---
+dnsmasq_conf_path: /etc/dnsmasq.d/crc-dnsmasq.conf
+pull_secret: ""
+eip: crc.dev
+altnernative_domain: nip.io
+
+# wait for resource
+max_retry: 20
+wait_interval: 5
+
+# wait cluster become healthy
+wait_components: "authentication|console|etcd|ingress|openshift-apiserver"
+max_retries: 20
+retry_delay: 5
+
+pass_developer: _PASS_DEVELOPER_
+pass_kubeadmin: _PASS_KUBEADMIN_
+pass_redhat: _PASS_REDHAT_
+
+users:
+  - name: developer
+    password: "{{ pass_developer }}"
+  - name: kubeadmin
+    password: "{{ pass_kubeadmin }}"
+  - name: redhat
+    password: "{{ pass_redhat }}"
+
+# replace default ca
+ca_user: "system:admin"
+ca_group: "system:masters"
+ca_user_subj: "/O=${GROUP}/CN=${USER}"
+ca_name: "custom"
+ca_subj: "/OU=openshift/CN=admin-kubeconfig-signer-custom"
+ca_validity: 3650
diff --git a/ansible/roles/crc-cloud/tasks/console_route.yaml b/ansible/roles/crc-cloud/tasks/console_route.yaml
@@ -0,0 +1,16 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L282
+- name: Get route to console custom
+  ansible.builtin.shell: |
+    oc get route console-custom -n openshift-console
+  register: _route_console_custom
+  until: _route_console_custom.rc != 1
+  retries: 60
+  delay: 10
+  changed_when: false
+
+- name: Get console route
+  ansible.builtin.shell: >
+    oc get route console-custom
+    -n openshift-console
+    -o json | jq -r '.spec.host'
diff --git a/ansible/roles/crc-cloud/tasks/create_certificate_and_patch_secret.yaml b/ansible/roles/crc-cloud/tasks/create_certificate_and_patch_secret.yaml
@@ -0,0 +1,20 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185
+- name: Create alternative cert
+  ansible.builtin.shell: >
+    openssl req
+    -newkey rsa:2048
+    -new -nodes
+    -x509
+    -days 3650
+    -keyout nip.key
+    -out nip.crt
+    -subj "/CN={{ eip }}.{{ alternative_domain }}"
+    -addext "subjectAltName=DNS:apps.{{ eip }}.{{ alternative_domain }},DNS:*.apps.{{ eip }}.{{ alternative_domain }},DNS:api.{{ eip }}.{{ alternative_domain }}"
+
+- name: "Create secret for {{ alternative_domain }}"
+  ansible.builtin.command: >
+    oc create secret tls nip-secret
+    --cert=nip.crt
+    --key=nip.key
+    -n openshift-config
diff --git a/ansible/roles/crc-cloud/tasks/dnsmasq.yaml b/ansible/roles/crc-cloud/tasks/dnsmasq.yaml
@@ -0,0 +1,41 @@
+---
+# From https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L101
+- name: Create crc-dnsmasq.conf
+  become: true
+  ansible.builtin.copy:
+    content: |
+      listen-address={{ ansible_default_ipv4.address }}
+      expand-hosts
+      log-queries
+      local=/crc.testing/
+      domain=crc.testing
+      address=/apps-crc.testing/{{ ansible_default_ipv4.address }}
+      address=/api.crc.testing/{{ ansible_default_ipv4.address }}
+      address=/api-int.crc.testing/{{ ansible_default_ipv4.address }}
+      address=/$hostName.crc.testing/192.168.126.11
+    dest: "{{ dnsmasq_conf_path }}"
+    register: _dnsmasq_conf
+
+- name: Set DNS servers for Wired connection 1
+  become: true
+  community.general.nmcli:
+    conn_name: "Wired connection 1"
+    state: present
+    type: ethernet
+    ipv4.dns: "{{ ansible_default_ipv4.address }},169.254.169.254"
+  register: _nm_wired_conn
+
+- name: Restart NetworkManager when its needed
+  when: _nm_wired_conn.changed
+  become: true
+  ansible.builtin.systemd:
+    name: NetworkManager
+    state: restarted
+
+- name: Restart dnsmasq
+  when: _dnsmasq_conf.changed
+  become: true
+  ansible.builtin.systemd:
+    name: dnsmasq
+    state: restarted
+    enabled: true
diff --git a/ansible/roles/crc-cloud/tasks/get_htpasswd.yaml b/ansible/roles/crc-cloud/tasks/get_htpasswd.yaml
@@ -0,0 +1,4 @@
+---
+- name: "Get htpasswd for {{ user.name }}"
+  ansible.builtin.shell: |
+     podman run --rm -ti xmartlabs/htpasswd developer {{ user.password }} > htpasswd.{{ user.name }}
diff --git a/ansible/roles/crc-cloud/tasks/kubeconfig.yaml b/ansible/roles/crc-cloud/tasks/kubeconfig.yaml
@@ -0,0 +1,15 @@
+---
+- name: Create kube directory
+  ansible.builtin.file:
+    path: .kube
+    state: directory
+    owner: core
+    group: core
+
+- name: Copy kubeconfig to user dir
+  ansible.builtin.copy:
+    src: /opt/kubeconfig
+    dest: .kube/config
+    remote_src: true
+    owner: core
+    group: core
diff --git a/ansible/roles/crc-cloud/tasks/kubelet.yaml b/ansible/roles/crc-cloud/tasks/kubelet.yaml
@@ -0,0 +1,8 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L132
+- name: Start and enable kubelet
+  become: true
+  ansible.builtin.systemd:
+    name: kubelet
+    state: started
+    enabled: true
diff --git a/ansible/roles/crc-cloud/tasks/login.yaml b/ansible/roles/crc-cloud/tasks/login.yaml
@@ -0,0 +1,14 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L67
+- name: Try to login after all changes
+  ansible.builtin.command: >
+    oc login
+    --insecure-skip-tls-verify=true
+    -u kubeadmin
+    -p "{{ pass_kubeadmin }}"
+    https://api.crc.testing:6443
+  register: _openshift_login
+  until: _openshift_login.rc != 1
+  retries: 60
+  delay: 10
+  changed_when: false
diff --git a/ansible/roles/crc-cloud/tasks/main.yaml b/ansible/roles/crc-cloud/tasks/main.yaml
@@ -0,0 +1,56 @@
+---
+- name: Check if pull-secret is provided
+  when: not pull_secret
+  ansible.builtin.fail:
+    msg: "You need to provide pull_secret variable!"
+
+- name: Create kubeconfig
+  ansible.builtin.include_tasks: kubeconfig.yaml
+
+- name: Setup dnsmasq
+  ansible.builtin.include_tasks: dnsmasq.yaml
+
+- name: Start kubelet
+  ansible.builtin.include_tasks: kubelet.yaml
+
+- name: Replace default pubkey
+  ansible.builtin.include_tasks: pubkey.yaml
+
+- name: Wait for cluster become healthy
+  ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml
+
+- name: Set credentials
+  ansible.builtin.include_tasks: set_credentials.yaml
+
+- name: Replace default CA
+  ansible.builtin.include_tasks: replace_default_ca.yaml
+
+- name: Login to the OpenShift cluster
+  ansible.builtin.include_tasks: login.yaml
+
+- name: Patch pull secret
+  ansible.builtin.include_tasks: patch_pull_secret.yaml
+
+- name: Wait for cluster become healthy after patching CA and pull secret
+  ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml
+
+- name: Create certificate and patch secret
+  ansible.builtin.include_tasks: create_certificate_and_patch_secret.yaml
+
+- name: Wait for cluster become healthy after adding domain
+  ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml
+
+- name: Patch ingress config
+  ansible.builtin.include_tasks: patch_ingress_config.yaml
+
+- name: Patch api server
+  ansible.builtin.include_tasks: patch_api_server.yaml
+
+- name: Patch default route
+  ansible.builtin.include_tasks: patch_default_route.yaml
+
+- name: Wait for cluster become healthy after changing ingress api server and default route
+  ansible.builtin.include_tasks: wait_cluster_become_healthy.yaml
+
+- name: Get console route
+  ansible.builtin.include_tasks: console_route.yaml
diff --git a/ansible/roles/crc-cloud/tasks/patch_api_server.yaml b/ansible/roles/crc-cloud/tasks/patch_api_server.yaml
@@ -0,0 +1,7 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L215
+- name: Patch apiserver
+  ansible.builtin.shell: >
+    oc patch apiserver cluster
+    --type=merge
+    -p '{"spec":{"servingCerts": {"namedCertificates":[{"names":["api.{{ eip }}.{{ alternative_domain }}"],"servingCertificate": {"name": "nip-secret"}}]}'
diff --git a/ansible/roles/crc-cloud/tasks/patch_default_route.yaml b/ansible/roles/crc-cloud/tasks/patch_default_route.yaml
@@ -0,0 +1,9 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L222
+- name: Patch default route
+  ansible.builtin.shell: >
+    oc patch
+    -p '{"spec": {"host": "default-route-openshift-image-registry.{{ eip }}.{{ alternative_domain }}"}}'
+    route default-route
+    -n openshift-image-registry
+    --type=merge
diff --git a/ansible/roles/crc-cloud/tasks/patch_ingress_config b/ansible/roles/crc-cloud/tasks/patch_ingress_config
@@ -0,0 +1,3 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185
+
diff --git a/ansible/roles/crc-cloud/tasks/patch_ingress_config.yaml b/ansible/roles/crc-cloud/tasks/patch_ingress_config.yaml
@@ -0,0 +1,26 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185
+- name: Generate ingress patch
+  ansible.builtin.copy:
+    content: |
+      spec:
+        appsDomain: apps.{{ eip }}.{{ alternative_domain }}
+        componentRoutes:
+        - hostname: console-openshift-console.apps.{{ eip }}.{{ alternative_domain }}
+          name: console
+          namespace: openshift-console
+          servingCertKeyPairSecret:
+            name: nip-secret
+        - hostname: oauth-openshift.apps.{{ eip }}.{{ alternative_domain }}
+          name: oauth-openshift
+          namespace: openshift-authentication
+          servingCertKeyPairSecret:
+            name: nip-secret
+    dest: ingress-patch.yaml
+
+- name: Apply patch for ingress
+  ansible.builtin.command: >
+    oc patch ingresses.config.openshift.io
+    cluster
+    --type=merge
+    --patch-file=ingress-patch.yaml
diff --git a/ansible/roles/crc-cloud/tasks/patch_pull_secret.yaml b/ansible/roles/crc-cloud/tasks/patch_pull_secret.yaml
@@ -0,0 +1,9 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L178
+- name: Patch pull secret
+  ansible.builtin.command: >
+    oc patch secret pull-secret
+    -p ''{\"data\":{\".dockerconfigjson\":\"{{ pull_secret }}\"}}"
+    -n openshift-config
+    --type merge
+  no_log: true
diff --git a/ansible/roles/crc-cloud/tasks/pubkey.yaml b/ansible/roles/crc-cloud/tasks/pubkey.yaml
@@ -0,0 +1,17 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L93
+- name: Read pub key
+  ansible.builtin.shell: |
+    tr -d '\n\r' < ~core/id_rsa.pub
+  register: _pub_key
+
+- name: Wait for machineconfig
+  vars:
+    resource: machineconfig
+  ansible.builtin.include_tasks: wait_for_resource.yaml
+
+- name: Patch machineconfig 99-master-ssh
+  ansible.builtin.shell: >
+    oc patch machineconfig 99-master-ssh
+    -p '{"spec": {"config": {"passwd": {"users": [{"name": "core", "sshAuthorizedKeys": ["{{_pub_key.stdout}}"]}]}}}}'
+    --type merge
diff --git a/ansible/roles/crc-cloud/tasks/replace_default_ca.yaml b/ansible/roles/crc-cloud/tasks/replace_default_ca.yaml
@@ -0,0 +1,52 @@
+---
+# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L41
+- name: Generate key
+  ansible.builtin.command: openssl genrsa -out {{ ca_name }}-ca.key 4096
+
+- name: Generate cert
+  ansible.builtin.command: >
+    openssl req -x509 -new -nodes
+    -key {{ ca_name }}-ca.key
+    -sha256
+    -days {{ ca_validity }}
+    -out {{ ca_name }}-ca.crt
+    -subj "{{ ca_subj }}"
+
+- name: Generate csr
+  ansible.builtin.command: >
+    openssl req -nodes
+    -newkey rsa:2048
+    -keyout {{ ca_user }}.key
+    -subj "{{ ca_user_subj }}"
+    -out {{ ca_user }}.csr
+
+- name: Generate user cert
+  ansible.builtin.shell: >
+    openssl x509
+    -extfile <(printf "extendedKeyUsage = clientAuth")
+    -req -in {{ ca_user }}.csr
+    -CA {{ ca_name }}-ca.crt
+    -CAkey {{ ca_name }}-ca.key
+    -CAcreateserial -out {{ ca_user }}.crt
+    -days {{ ca_validity }}
+    -sha256
+
+- name: Create configmap
+  ansible.builtin.command: >
+    oc create configmap
+    client-ca-custom
+    -n openshift-config
+    --from-file=ca-bundle.crt={{ ca_name }}-ca.crt
+
+- name: Patch apiserver
+  ansible.builtin.command: >
+    oc patch apiserver cluster
+    --type=merge
+    -p '{"spec": {"clientCA": {"name": "client-ca-custom"}}}'
+
+- name: Create configmap
+  ansible.builtin.shell: >
+    oc create configmap admin-kubeconfig-client-ca
+    -n openshift-config
+    --from-file=ca-bundle.crt={{ ca_name }}-ca.crt
+    --dry-run -o yaml | oc replace -f -
diff --git a/ansible/roles/crc-cloud/tasks/set_credentials.yaml b/ansible/roles/crc-cloud/tasks/set_credentials.yaml
@@ -0,0 +1,29 @@
+---
+#  https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L229
+- name: Get htpasswd
+  ansible.builtin.include_tasks: get_htpasswd.yaml
+  loop: "{{ users }}"
+  loop_control:
+    loop_var: user
+
+- name: Create htpasswd.txt
+  ansible.builtin.shell: |
+    cat htpasswd.{{ user.name }} >> htpasswd.txt
+  loop: "{{ users }}"
+  loop_control:
+    loop_var: user
+
+- name: Cleanup htpasswd.txt file
+  ansible.builtin.shell: |
+    sed -i '/^\s*$/d' htpasswd.txt
+
+- name: Create secret with generic htpass-secret
+  ansible.builtin.shell: >
+    oc create secret generic htpass-secret
+    --from-file=htpasswd=htpasswd.txt
+    -n openshift-config
+    --dry-run=client
+    -o yaml > /tmp/htpass-secret.yaml
+
+- name: Replace htpass-secret
+  ansible.builtin.command: oc replace -f /tmp/htpass-secret.yaml
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		---
		# https://github.com/crc-org/crc-cloud/blob/main/pkg/bundle/setup/clustersetup.sh#L185