23 Commits

Author SHA1 Message Date
Juan Antonio Osorio Robles
fe3be577ab IPSEC: stop relying on cloning the repository from t-h-t
Since the ansible-tripleo-ipsec package is now available and
tripleo-heat-templates relies on it, we no longer need to clone
the tripleo-ipsec repo as part of the ansible tasks.

Change-Id: I513f748abeaee6589829e1d45483db9a7e7791ea
2018-01-05 06:22:18 +00:00
Emilien Macchi
6a6872f390 Introduce OS::TripleO::Services::Rhsm
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.

Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.

Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.

Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.

Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
2017-12-27 11:03:49 -08:00
Carlos Camacho
b13728cac3 Update templates alias to queens
There are still some templates with the wrong
alias name. This patch updates them with the
correct version.

Change-Id: I43549ac98f3736029d4aaad1ead745caf40f9299
2017-12-20 10:27:23 +01:00
Jiri Stransky
88bbed3d85 Add readme for experimental extraconfig/services
These services only work with the new Ansible deploy workflow, which
is currently considered experimental because it's yet to be integrated
with UI.

Change-Id: Ia3f6b62118696792c6581f08f1beb5c75742c66f
2017-12-15 15:41:23 +00:00
Flavio Percoco
8dd99ba7fd Deploy OpenShift using OOO on the overcloud
Add external_deploy_tasks for OpenShift installation. This makes
OpenShift installation work with the config download mechanism.

Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Depends-On: I9786f1a27cb7c765211dffe0ea06afd75f8e5275
Change-Id: I4c995dcfd97b5c9ccb751862ff77ab785ad0ac5b
2017-12-15 15:41:15 +00:00
Zuul
adeb5df53c Merge "Add IPSEC composable service" 2017-12-06 22:53:33 +00:00
Jiri Stransky
ac6c11f7aa Make Kubespray install work without --private-key too
It seems the ansible_ssh_private_key_file variable is only defined
when --private-key parameter is passed to the main deployment Ansible
run. This is always true for deploying via tripleoclient and Mistral,
but may not be true when deploying via manual ansible-playbook
execution.

We now check whether the variable is defined before using it. If it's
not defined, user's default ssh key will be used for trying to connect
to the overcloud nodes.

Change-Id: Id04d3bab85713d644899694231dd4009a88385af
2017-12-05 18:15:29 +00:00
Juan Antonio Osorio Robles
898ad4f54b Add IPSEC composable service
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.

bp ipsec

Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
2017-12-05 13:10:18 +00:00
Jiri Stransky
cb17631829 Don't fail Kubespray scenario if swap is enabled
We have swap enabled in CI, by default Kubespray refuses to run with
swap, and so does Kubelet. Make this behavior configurable and allow
swap in the Kubespray scenario env file. It should be fine to run with
swap for development/testing [1].

[1] https://github.com/kubernetes-incubator/kubespray/issues/1787#issuecomment-336159788

Depends-On: I7a02134970c1b1754d42c4e85ed0a2188a5ecdb6
Change-Id: I023824a31f1278b01c33ce81d4af81247dd5f672
2017-11-29 13:40:20 +01:00
Jiri Stransky
904cc3dd6d Pass private key file from parent Ansible to Kubespray
The private key file is not part of the inventory in our case, but
it's a global Ansible parameter. Make sure that we carry the same
--private-key parameter from parent Ansible run into Kubespray.

Change-Id: If6e341ee52f9d4944ee1855d3339e26b9a485dd0
2017-11-28 15:41:09 +01:00
Jiri Stransky
849a00b973 Stop creating kubectl binary on undercloud
Doing this was useful for playing with Kubespray, but it's suboptimal
for multiple reasons:

1. It gets generated into artifacts directory which we collect for CI
   logs. It has around 220 megabytes, which would be very bad for log
   collection space usage. Even if Kubespray made the location
   configurable, mistral user's external_deploy_tasks don't have
   rights to write it e.g. into /usr/local/bin, so usefulness of doing
   this at all is questionable.

2. Kubectl on the undercloud, it would ideally be preinstalled via
   RPMs rather than relying on the respective COE installers to
   produce one by fetching it from the overcloud.

Change-Id: Ia7faeb13537adfc3326302d26965439f5603c5a8
2017-11-28 14:40:37 +01:00
Jiri Stransky
2531c07dee Download Kubespray instead of git clone
We don't install git by default (at least in CI), so let's use a
tarball instead of git clone to get Kubespray sources.

Change-Id: I8321206b095effbc482779a10ff77fd18299bbdf
Depends-On: I2da025961c584cb1adc83943561b1d9faa3559b1
2017-11-28 13:21:14 +01:00
Zuul
35c5e7a122 Merge "Host access fixes for Kubespray playbook run" 2017-11-21 21:16:33 +00:00
Jiri Stransky
03e8766905 Host access fixes for Kubespray playbook run
We don't do host key checking for any of our current Ansible
executions (validations, ceph-ansible, ...) so let's not do it for
Kubespray either. Having it enabled caused Kubespray to stop and ask
for confirmation, and given that the outer Ansible action wasn't
interactive, it failed.

Also we are now setting the become flag only for overcloud machines,
rather than globally on the whole ansible-playbook run. Kubespray also
accesses localhost for some task, and we won't always run it as a user
who is allowed passwordless privilege escalation (e.g. mistral user
isn't).

Change-Id: Id49b97c2b5d37f6d215132a987a53aa742b4a60f
2017-11-21 11:21:23 +01:00
Michele Baldessari
ed2b957a4f Fix all outputs|failed and outputs is defined
The ansible "failed_when" filter that uses a registered output
of a previous task piped to the '|failed' filter does not work
as expected. Given the following playbook:

  - name: return code
    shell: |
      echo "fail 2"
      exit 2
    failed_when: false
    log_when: false
    register: outputs
  - debug:
      msg: "rc: {{ outputs.rc }}"
  - debug: msg="Broken (does not fail as expected)"
    when: outputs is defined
    failed_when: outputs|failed
  - debug: msg="Working (fails as expected)"
    when: outputs is defined
    failed_when: outputs.rc != 0

We obtain the following output:

TASK [return code] ****
changed: [localhost]

TASK [debug] **********
ok: [localhost] => {
    "msg": "rc: 2"
}

TASK [debug] **********
ok: [localhost] => {
    "failed_when_result": false,
    "msg": "Broken (does not fail as expected)"
}

TASK [debug] **********
fatal: [localhost]: FAILED! => {
    "failed_when_result": true,
    "msg": "Working (fails as expected)"
}

This means that the 'outputs|failed' just does not work at all.
Let's move to a more explicit check on the rc code of the registered
variable.

We also need to fix all the "outputs is defined" checks, because
when a task is skipped the registered outputs variable *is* actually
defined as the following dictionary:
{'skip_reason': u'Conditional result was False', 'skipped': True, 'changed': False}

So we use "outputs.rc is defined" in order to make sure that the
previous task did indeed run.

Closes-Bug: #1733402

Change-Id: I6ef53dc3f9aede42f10c7f110d24722355481261
2017-11-21 08:06:41 +01:00
Zuul
38d0525a5e Merge "Clone kubespray to location accessible by the user" 2017-11-20 14:43:04 +00:00
Steven Hardy
dc621da47f Add yml extension to kubespray inventory
Since the update to ansible 2.4 this seems required to select the appropriate
inventory plugin

Change-Id: I9499dac7b13284bccd05043eb59bbba67c24fa20
2017-11-14 15:42:27 +00:00
Jiri Stransky
2af0769199 Clone kubespray to location accessible by the user
When running overcloud deployment as Mistral user, we won't have
rights to alter the undercloud content (see change
I2980c584d2f4ee5c2de3720eecfc80cc43ee1fa6). If kubespray isn't found
in /usr/share/kubespray (expected RPM content location), we now clone
it elsewhere, to directory accessible by the user which runs the
overcloud deployment.

Change-Id: I9980b41668b3c838fa978e48441929d4351d101e
2017-11-08 14:20:59 +01:00
Jiri Stransky
38ab147d0b Enable in-cluster loadbalancing of kubernetes API
I originally disabled this because I couldn't successfully deploy the
API this way, but it was probably caused by garbled up node hostnames,
which was fixed in I1c0251be58535d59fe0ec157cb9acaba209e8732.

Change-Id: I0f51e971fad11568c2f9db13c0d1c54122c51f5d
2017-11-07 16:37:56 +01:00
Jiri Stransky
a314d1b546 Allow installing multiple-node Kubernetes
By setting loadbalancer_apiserver_localhost to false we tell the
kubelets to register with 1st master rather than assuming there's an
API proxy running on each host.

Also Kubespray expects a specific format of inventory because it tries
to enforce that hostname matches the inventory name of the node. This
previously resulted in incorrect hostnames being set.

And we also open the necessary firewall ports to allow the cluster to
communicate.

Change-Id: I1c0251be58535d59fe0ec157cb9acaba209e8732
2017-11-02 11:31:42 +01:00
Jiri Stransky
48b1cfd61e Don't alter default docker configuration during kubernetes install
Previously we've overridden the MountFlags option to 'shared' for
Kubernetes installation. This is no longer needed when Kubespray
deploys kubelet non-containerized.

Change-Id: I20b0f4bd6d99941a0a1876e68420cffd35f3ccfe
2017-10-19 18:17:05 +02:00
Jiri Stransky
215515e788 Generate Kubespray artifacts on undercloud
Write kubectl binary and admin.conf file on undercloud.

Change-Id: I5dd6ad0f69a12c984b1c5b7c2735bc301f8cb763
2017-10-19 18:17:05 +02:00
Jiri Stransky
d77327d6e2 Kubespray installation via config download mechanism
Add external_deploy_tasks for Kubespray installation. This makes
Kubespray installation work with the config download mechanism.

If the undercloud doesn't already contain /usr/share/kubespray
directory, it will be git-cloned. This is to bridge a gap before we
figure out where we get Kubespray RPM from.

Co-Authored-By: Flavio Percoco <flaper87@gmail.com>
Change-Id: I2573261bfd3d63aff1310b80fc454becc7504437
2017-10-19 18:08:01 +02:00