Merge pull request #1 from danpawlik/master

Initial role commit

README.md

@@ -0,0 +1,76 @@
+Deploy Microshift service
+=========================
+
+This role deploys Microshift service on RHEL 8/9.
+
+Example deployment
+------------------
+
+* Install Ansible:
+
+```sh
+sudo dnf install -y ansible-core git
+ansible-galaxy collection install community.general
+ansible-galaxy collection install community.crypto
+ansible-galaxy collection install ansible.posix
+```
+
+* Clone Microshift Ansible role project
+
+```sh
+git clone https://github.com/openstack-k8s-operators/ansible-microshift-role
+```
+
+* Create ansible config:
+
+```sh
+cat << EOF > ansible.cfg
+[defaults]
+roles_path = ./
+force_handlers = True
+
+[ssh_connection]
+pipelining = True
+EOF
+```
+
+* Generate `pull-secret.txt` credentials
+
+To deploy Microshift > 4.8, it requires to provide pull-secret.txt content.
+It can be generated [here](https://cloud.redhat.com/openshift/create/local).
+
+* Create inventory:
+
+```sh
+cat << EOF > inventory.yaml
+all:
+  vars:
+    openshift_pull_secret: |
+      < HERE IS pull.secret.txt content >
+  hosts:
+    microshift.dev:
+      ansible_port: 22
+      ansible_host: 127.0.0.1
+      ansible_user: centos
+EOF
+```
+
+* Create playbook:
+
+```sh
+cat << EOF > deploy-microshift.yaml
+---
+- hosts: microshift.dev
+  vars:
+    fqdn: microshift.dev
+    use_copr_microshift: false
+  roles:
+    - ansible-microshift-role
+EOF
+```
+
+* Deploy Microshift:
+
+```sh
+ansible-playbook -i inventory.yaml deploy-microshift.yaml
+```

defaults/main.yaml

@@ -0,0 +1,36 @@
+---
+fqdn: microshift.dev
+# NOTE: To deploy Microshift > 4.8, you should provide pull-secret.txt content.
+# It can be generated here: https://cloud.redhat.com/openshift/create/local
+openshift_pull_secret: ""
+registry_secret_path: /etc/crio/openshift-pull-secret
+disable_selinux: false
+hide_sensitive_logs: true
+setup_tools: true
+disable_swap: true
+firewalld_rules_permament: true
+
+use_copr_microshift: false
+microshift_version: 4.12
+
+setup_olm: false
+repo_dir: "~{{ ansible_user }}/repos"
+operator_sdk_version: "v1.21.0"
+operator_sdk_url: "https://github.com/operator-framework/operator-sdk"
+
+create_pv: true
+pv_storageclass: local-storage
+pv_host_path: "/mnt/data"
+pv_count:
+  start: 1
+  end: 15
+
+# This defines a Subject (by creating a client cert), a Namespace and a RoleBinding using role.
+certs_dir: "~{{ ansible_user }}/.certs"
+standard_user:
+  name: dev-admin
+  namespace: dev-admin
+  role: admin
+
+delete_openshift_storage: true
+overwrite_container_policy: false

files/policy.json

@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}

handlers/main.yaml

@@ -0,0 +1,14 @@
+---
+- name: Restart crio
+  become: true
+  ansible.builtin.systemd:
+    name: crio
+    state: restarted
+    enabled: true
+
+- name: Restart Microshift
+  become: true
+  ansible.builtin.systemd:
+    name: microshift
+    state: started
+    enabled: true

tasks/cleanup.yaml

@@ -0,0 +1,6 @@
+---
+- name: Remove sensitive content
+  become: true
+  ansible.builtin.file:
+    path: "{{ registry_secret_path }}"
+    state: absent

tasks/crio.yaml

@@ -0,0 +1,36 @@
+---
+- name: Install required system packages
+  become: true
+  ansible.builtin.yum:
+    name:
+      - cri-o
+      - cri-tools
+    state: present
+    enablerepo: microshift-deps-rpms
+  notify: Restart crio
+
+- name: Get cri-o version
+  ansible.builtin.shell: |
+    rpm -qa --qf '%{VERSION}' cri-o
+  tags:
+    - skip_ansible_lint
+  register: _crio_version
+
+- name: Use only ipv4
+  become: true
+  ansible.builtin.get_url:
+    url: https://raw.githubusercontent.com/cri-o/cri-o/v{{ _crio_version.stdout }}/contrib/cni/11-crio-ipv4-bridge.conf
+    dest: /etc/cni/net.d/100-crio-bridge.conf
+    mode: "0644"
+  notify: Restart crio
+
+- name: Apply container policy from crc
+  become: true
+  ansible.builtin.copy:
+    src: policy.json
+    dest: /etc/containers/policy.json
+  notify: Restart crio
+  when: overwrite_container_policy
+
+- name: Flush handlers
+  meta: flush_handlers

tasks/firewall.yaml

@@ -0,0 +1,27 @@
+---
+- name: Get package facts
+  package_facts:
+
+- name: Add exception to the firewall
+  when: "'firewalld' in ansible_facts.packages"
+  block:
+    - name: Set ports
+      become: true
+      ansible.posix.firewalld:
+        port: "{{ zj_rule_details }}"
+        permanent: "{{ firewalld_rules_permament }}"
+        state: enabled
+      loop:
+        - 80/tcp
+        - 443/tcp
+        - 5353/udp
+      loop_control:
+        loop_var: zj_rule_details
+
+    - name: Add exception to source
+      become: true
+      ansible.posix.firewalld:
+        source: 10.42.0.0/16
+        zone: trusted
+        permanent: "{{ firewalld_rules_permament }}"
+        state: enabled

tasks/main.yaml

@@ -0,0 +1,52 @@
+---
+- name: Check if pull-secret is provided when copr version is disabled
+  ansible.builtin.fail:
+    msg: "You need to provide pull-secret.txt content into the var!"
+  when: not openshift_pull_secret and not use_copr_microshift
+
+- name: Disable selinux
+  ansible.builtin.include_tasks: selinux.yaml
+  when: disable_selinux
+
+- name: Setup Microshift repository
+  ansible.builtin.include_tasks: repo.yaml
+
+- name: Prepare host
+  ansible.builtin.include_tasks: pre.yaml
+
+- name: Disable swap
+  ansible.builtin.include_tasks: swap.yaml
+  when: disable_swap
+
+- name: Setup tools
+  ansible.builtin.include_tasks: tools.yaml
+  when: setup_tools
+
+- name: Prepare cri-o
+  ansible.builtin.include_tasks: crio.yaml
+
+- name: Prepare firewall
+  ansible.builtin.include_tasks: firewall.yaml
+
+- name: Setup Microshift
+  ansible.builtin.include_tasks: microshift.yaml
+
+- name: Provide credentials for restricted regitries
+  ansible.builtin.include_tasks: registry_login.yaml
+  when: not use_copr_microshift
+
+- name: Setup OLM
+  ansible.builtin.include_tasks: olm.yaml
+  when: setup_olm
+
+- name: Create persistent volume
+  ansible.builtin.include_tasks: pv.yaml
+  when: create_pv
+
+- name: Create standard-user and playground namespace
+  ansible.builtin.include_tasks: standard-user.yaml
+  when: standard_user
+
+- name: Delete openshift storage
+  ansible.builtin.include_tasks: openshift-storage.yaml
+  when: delete_openshift_storage

tasks/microshift.yaml

@@ -0,0 +1,49 @@
+---
+- name: Install microshift from Copr
+  when: use_copr_microshift
+  block:
+    - name: Enable copr repository
+      become: true
+      ansible.builtin.shell: |
+        dnf copr enable -y @redhat-et/microshift
+
+    - name: Install microshift package
+      become: true
+      ansible.builtin.yum:
+        name: microshift
+        state: present
+      notify: Restart Microshift
+
+- name: Install microshift package
+  become: true
+  ansible.builtin.yum:
+    name: microshift
+    state: present
+    enablerepo: microshift-rpms,microshift-deps-rpms
+  notify: Restart Microshift
+  when: not use_copr_microshift
+
+- name: Flush handlers
+  meta: flush_handlers
+
+- name: Wait for kubeconfig file after deploying Microshift
+  become: true
+  ansible.builtin.wait_for:
+    path: /var/lib/microshift/resources/kubeadmin/kubeconfig
+    search_regex: microshift
+    delay: 5
+    timeout: 300
+
+- name: Create kube config directory
+  ansible.builtin.file:
+    path: ~/.kube
+    state: directory
+
+- name: Copy kubeconfig
+  become: true
+  ansible.builtin.copy:
+    src: /var/lib/microshift/resources/kubeadmin/kubeconfig
+    dest: "~{{ ansible_user }}/.kube/config"
+    remote_src: true
+    owner: "{{ ansible_user }}"
+    group: "{{ ansible_user }}"

tasks/olm.yaml

@@ -0,0 +1,26 @@
+---
+- name: Clone OLM operator-sdk
+  ansible.builtin.git:
+    repo: "{{ operator_sdk_url }}"
+    dest: "{{ repo_dir }}/operator-sdk"
+    version: "{{ operator_sdk_version }}"
+
+- name: Build Operator SDK
+  community.general.make:
+    target: build
+    chdir: "{{ repo_dir }}/operator-sdk"
+
+- name: Check if OLM is installed
+  ansible.builtin.shell: |
+    build/operator-sdk olm status
+  register: olm_status
+  args:
+    chdir: "{{ repo_dir }}/operator-sdk"
+  failed_when: olm_status.rc not in [0, 1]
+
+- name: Install OLM with SDK
+  ansible.builtin.shell: |
+    build/operator-sdk olm install
+  args:
+    chdir: "{{ repo_dir }}/operator-sdk"
+  when: olm_status.rc != 0

tasks/openshift-storage.yaml

@@ -0,0 +1,15 @@
+---
+# NOTE: The Openshift storage uses topolvm, that requires additional volume,
+# which is not necessary for us, due we mostly use that playbook for CI.
+- name: Check if openshift-storage namespace exists
+  ansible.builtin.command: oc get namespace openshift-storage
+  register: _openshift_storage_ns
+  failed_when: _openshift_storage_ns.rc not in [0, 1]
+
+- name: Delete openshift storage namespace
+  ansible.builtin.command: oc delete namespace openshift-storage
+  when: _openshift_storage_ns.rc == 0
+
+- name: Delete topolvm-provisioner storageclass
+  ansible.builtin.command: oc delete storageclass topolvm-provisioner
+  when: _openshift_storage_ns.rc == 0