Since the ansible-tripleo-ipsec package is now available and
tripleo-heat-templates relies on it, we no longer need to clone
the tripleo-ipsec repo as part of the ansible tasks.
Change-Id: I513f748abeaee6589829e1d45483db9a7e7791ea
Background:
extraconfig/pre_deploy/rhel-registration interface has been maintained
for some time now but it's missing some features and the code overlaps
with ongoing efforts to convert everything to Ansible.
Plan:
Consume ansible-role-redhat-subscription from TripleO, so all the logic
goes into the Ansible role, and not in TripleO anymore.
The single parameter exposed to TripleO is RhsmVars and any Ansible
parameter can be given to make the role work.
The parameter can be overridden per role, so we can think of specific
cases where some Director roles would have specific RHSM configs.
Once we have feature parity between what is done and what was here
before, we'll deprecate the old interface.
Testing:
Because RHSM can't be tested on CentOS, this code was manually tested on
RHEL against the public subscription portal. Also, we verified that
generated Ansible playbooks were correct and called the role with the
right parameters.
Documentation:
We'll work on documentation during the following weeks and explain
how to switch from the previous interface to the new one, and also
document new uses requested by our users.
Change-Id: I8610e4f1f8478f2dcbe3afc319981df914ce1780
There are still some templates with the wrong
alias name. This patch updates them with the
correct version.
Change-Id: I43549ac98f3736029d4aaad1ead745caf40f9299
These services only work with the new Ansible deploy workflow, which
is currently considered experimental because it's yet to be integrated
with UI.
Change-Id: Ia3f6b62118696792c6581f08f1beb5c75742c66f
Add external_deploy_tasks for OpenShift installation. This makes
OpenShift installation work with the config download mechanism.
Co-Authored-By: Jiri Stransky <jistr@redhat.com>
Depends-On: I9786f1a27cb7c765211dffe0ea06afd75f8e5275
Change-Id: I4c995dcfd97b5c9ccb751862ff77ab785ad0ac5b
It seems the ansible_ssh_private_key_file variable is only defined
when --private-key parameter is passed to the main deployment Ansible
run. This is always true for deploying via tripleoclient and Mistral,
but may not be true when deploying via manual ansible-playbook
execution.
We now check whether the variable is defined before using it. If it's
not defined, user's default ssh key will be used for trying to connect
to the overcloud nodes.
Change-Id: Id04d3bab85713d644899694231dd4009a88385af
This service is tied to the external_deploy_tasks (such as the k8s
service); and it deploys IPSEC in the overcloud.
bp ipsec
Change-Id: Ie3b7af92c0ec97241de6d8badec13b9e93ee9305
We have swap enabled in CI; by default Kubespray refuses to run with
swap, and so does Kubelet. Make this behavior configurable and allow
swap in the Kubespray scenario env file. It should be fine to run with
swap for development/testing [1].
[1] https://github.com/kubernetes-incubator/kubespray/issues/1787#issuecomment-336159788
Depends-On: I7a02134970c1b1754d42c4e85ed0a2188a5ecdb6
Change-Id: I023824a31f1278b01c33ce81d4af81247dd5f672
The private key file is not part of the inventory in our case, but
it's a global Ansible parameter. Make sure that we carry the same
--private-key parameter from parent Ansible run into Kubespray.
Change-Id: If6e341ee52f9d4944ee1855d3339e26b9a485dd0
Doing this was useful for playing with Kubespray, but it's suboptimal
for multiple reasons:
1. It gets generated into artifacts directory which we collect for CI
logs. It has around 220 megabytes, which would be very bad for log
collection space usage. Even if Kubespray made the location
configurable, mistral user's external_deploy_tasks don't have
rights to write it e.g. into /usr/local/bin, so usefulness of doing
this at all is questionable.
2. Kubectl on the undercloud, it would ideally be preinstalled via
RPMs rather than relying on the respective COE installers to
produce one by fetching it from the overcloud.
Change-Id: Ia7faeb13537adfc3326302d26965439f5603c5a8
We don't install git by default (at least in CI), so let's use a
tarball instead of git clone to get Kubespray sources.
Change-Id: I8321206b095effbc482779a10ff77fd18299bbdf
Depends-On: I2da025961c584cb1adc83943561b1d9faa3559b1
We don't do host key checking for any of our current Ansible
executions (validations, ceph-ansible, ...) so let's not do it for
Kubespray either. Having it enabled caused Kubespray to stop and ask
for confirmation, and given that the outer Ansible action wasn't
interactive, it failed.
Also we are now setting the become flag only for overcloud machines,
rather than globally on the whole ansible-playbook run. Kubespray also
accesses localhost for some tasks, and we won't always run it as a user
who is allowed passwordless privilege escalation (e.g. mistral user
isn't).
Change-Id: Id49b97c2b5d37f6d215132a987a53aa742b4a60f
The ansible "failed_when" filter that uses a registered output
of a previous task piped to the '|failed' filter does not work
as expected. Given the following playbook:
    - name: return code
      shell: |
        echo "fail 2"
        exit 2
      failed_when: false
      log_when: false
      register: outputs
    - debug:
        msg: "rc: {{ outputs.rc }}"
    - debug: msg="Broken (does not fail as expected)"
      when: outputs is defined
      failed_when: outputs|failed
    - debug: msg="Working (fails as expected)"
      when: outputs is defined
      failed_when: outputs.rc != 0
We obtain the following output:
    TASK [return code] ****
    changed: [localhost]

    TASK [debug] **********
    ok: [localhost] => {
        "msg": "rc: 2"
    }

    TASK [debug] **********
    ok: [localhost] => {
        "failed_when_result": false,
        "msg": "Broken (does not fail as expected)"
    }

    TASK [debug] **********
    fatal: [localhost]: FAILED! => {
        "failed_when_result": true,
        "msg": "Working (fails as expected)"
    }
This means that the 'outputs|failed' just does not work at all.
Let's move to a more explicit check on the rc code of the registered
variable.
We also need to fix all the "outputs is defined" checks, because
when a task is skipped the registered outputs variable *is* actually
defined as the following dictionary:
{'skip_reason': u'Conditional result was False', 'skipped': True, 'changed': False}
So we use "outputs.rc is defined" in order to make sure that the
previous task did indeed run.
Closes-Bug: #1733402
Change-Id: I6ef53dc3f9aede42f10c7f110d24722355481261
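
The skipped-task case described in the commit message above, shown as an added example that is not part of the original commit or of tripleo-heat-templates. The `run_step` variable and the task names are constructed for illustration.

```yaml
# Added example. run_step is a constructed toggle that decides whether
# the first task runs or is skipped.
- hosts: localhost
  connection: local
  gather_facts: false
  vars:
    run_step: false
  tasks:
    - name: step that is skipped when run_step is false
      shell: |
        echo "fail 2"
        exit 2
      when: run_step | bool
      failed_when: false
      register: outputs

    # A skipped task still registers a dictionary (skipped: true, no rc
    # key), so "outputs is defined" is true even though nothing ran.
    - name: show the registered variable
      debug:
        var: outputs

    # Guarding on outputs.rc keeps this check from running against the
    # skipped-task dictionary; the explicit rc comparison decides failure.
    - name: check the result only if the step actually ran
      debug:
        msg: "step ran, rc={{ outputs.rc }}"
      when: outputs.rc is defined
      failed_when: outputs.rc != 0
```

With the default `run_step: false` the last task is skipped; running `ansible-playbook` with `-e run_step=true` makes it run and fail on the non-zero return code.
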
When running overcloud deployment as Mistral user, we won't have
rights to alter the undercloud content (see change
I2980c584d2f4ee5c2de3720eecfc80cc43ee1fa6). If kubespray isn't found
in /usr/share/kubespray (expected RPM content location), we now clone
it elsewhere, to directory accessible by the user which runs the
overcloud deployment.
Change-Id: I9980b41668b3c838fa978e48441929d4351d101e
I originally disabled this because I couldn't successfully deploy the
API this way, but it was probably caused by garbled up node hostnames,
which was fixed in I1c0251be58535d59fe0ec157cb9acaba209e8732.
Change-Id: I0f51e971fad11568c2f9db13c0d1c54122c51f5d
By setting loadbalancer_apiserver_localhost to false we tell the
kubelets to register with 1st master rather than assuming there's an
API proxy running on each host.
Also Kubespray expects a specific format of inventory because it tries
to enforce that hostname matches the inventory name of the node. This
previously resulted in incorrect hostnames being set.
And we also open the necessary firewall ports to allow the cluster to
communicate.
Change-Id: I1c0251be58535d59fe0ec157cb9acaba209e8732
Previously we've overridden the MountFlags option to 'shared' for
Kubernetes installation. This is no longer needed when Kubespray
deploys kubelet non-containerized.
Change-Id: I20b0f4bd6d99941a0a1876e68420cffd35f3ccfe
Add external_deploy_tasks for Kubespray installation. This makes
Kubespray installation work with the config download mechanism.
If the undercloud doesn't already contain /usr/share/kubespray
directory, it will be git-cloned. This is to bridge a gap before we
figure out where we get Kubespray RPM from.
Co-Authored-By: Flavio Percoco <flaper87@gmail.com>
Change-Id: I2573261bfd3d63aff1310b80fc454becc7504437