prepare-cluster.yml
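---
# Prepares an OpenShift cluster for ManageIQ: renders the app and PV templates
# into a private temp directory, starts the cluster if `oc status` fails,
# creates the `miq` project and service account, grants SCCs, and loads the
# persistent volume and app templates.
- name: Prepare OpenShift cluster to run ManageIQ
  # NOTE(review): `hosts: all` applies the cluster start-up, the fixed developer
  # login and the privileged SCC grants below to every host in the inventory.
  # Limit the inventory (or this pattern) to the intended development host.
  hosts: all
  # Left disabled: a bare `environment:` key with only a comment under it
  # parses as null, so the whole stanza is commented out instead.
  # environment:
  #   PATH: $PATH:~/.bin
  vars:
    # No task below references `pv` directly; the PV that gets created is
    # rendered from manageiq-pods/miq-pv-example.yaml.
    # NOTE(review): this definition backs the volume with a hostPath under a
    # user's home directory and uses the Recycle reclaim policy, which scrubs
    # the directory contents when the claim is released. Confirm the path is
    # dedicated to this volume before reusing the definition.
    pv: |
      apiVersion: v1
      kind: PersistentVolume
      metadata:
        name: manageiq
      spec:
        capacity:
          storage: 20Gi
        accessModes:
          - ReadWriteOnce
        hostPath:
          path: /home/hild/src/oc/volumes
        persistentVolumeReclaimPolicy: Recycle
    # NOTE(review): indentation was lost in the listing this was recovered
    # from; this key may originally have been the last line of the `pv` block
    # above rather than a separate variable. Confirm against the repository.
    apiVersion: v1
    # Only used by the commented-out "Configure role/user permissions" task at
    # the end of this file. The list hands the privileged SCC and several
    # cluster roles to the management-infra service accounts, so review each
    # entry against what ManageIQ actually needs before enabling that task.
    manage_iq_tasks:
      - policy add-role-to-user -n management-infra admin -z management-admin
      - policy add-role-to-user -n management-infra management-infra-admin -z management-admin
      - policy add-cluster-role-to-user cluster-reader system:serviceaccount:management-infra:management-admin
      - policy add-scc-to-user privileged system:serviceaccount:management-infra:management-admin
      - policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin
      - policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin
      - policy add-cluster-role-to-user self-provisioner system:serviceaccount:management-infra:management-admin
      - policy add-cluster-role-to-user hawkular-metrics-admin system:serviceaccount:management-infra:management-admin
  tasks:
    # `mktemp -d` picks an unpredictable name and creates the directory with
    # owner-only permissions, so the rendered templates are not exposed to
    # other local users while they sit in /tmp.
    - name: Create temp directory for templates
      command: mktemp -d /tmp/openshift-ansible-XXXXXXX
      register: mktemp
      changed_when: false

    - name: Copy App Template
      template:
        dest: "{{ mktemp.stdout }}/miq-template.yaml"
        src: miq-template.yaml

    - name: Copy monolithic App Template
      template:
        dest: "{{ mktemp.stdout }}/miq-template-monolithic.yaml"
        src: manageiq-pods/templates/miq-template-monolithic.yaml

    - name: Copy PV Template
      template:
        dest: "{{ mktemp.stdout }}/miq-pv.yaml"
        src: manageiq-pods/miq-pv-example.yaml

    # Entries of a `failed_when` list are ANDed: the task fails only when the
    # client reports neither v1.3 nor v1.4. A version query never changes the
    # host, so it always reports "ok".
    - name: Verify oc version
      shell: oc version
      register: oc_version
      failed_when:
        - "'oc v1.4' not in oc_version.stdout"
        - "'oc v1.3' not in oc_version.stdout"
      changed_when: false

    # Probe only: a non-zero exit is the signal to start the cluster below.
    - name: Cluster status
      shell: oc status
      register: cluster_status
      failed_when: false
      changed_when: false

    - name: Startup cluster
      shell: oc cluster up
      when: cluster_status.rc != 0

    # NOTE(review): developer/developer looks like the stock `oc cluster up`
    # login. The password is stored in the playbook and passed on the command
    # line, where it is visible in the process list and in task output. That
    # is tolerable only for a throwaway local cluster; anything shared should
    # take the credential from a vaulted variable or use a token.
    - name: Login as developer
      shell: oc login -u developer -p developer
      changed_when: false

    # `|| /bin/true` hides every failure, not just "project already exists".
    - name: Create miq project
      shell: oc new-project miq || /bin/true

    - name: Test if service account exists
      shell: oc get serviceaccount miq-sa
      register: serviceaccount
      changed_when: false
      failed_when: false

    - name: Create service account for miq
      shell: oc create serviceaccount miq-sa
      when: serviceaccount.rc == 1

    - name: Login as system:admin
      shell: oc login -u system:admin

    # NOTE(review): both grants below go to the project's `default` service
    # account, not to the `miq-sa` account created above. Any pod in `miq`
    # that does not name a service account runs as `default` and can therefore
    # request the privileged SCC. Confirm which account the templates use and
    # grant the SCC only to that one; `privileged` already permits everything
    # `anyuid` does, so check whether both are needed.
    - name: Add default service account to privileged
      shell: oadm policy add-scc-to-user privileged system:serviceaccount:miq:default

    - name: Add default service account to anyuid
      shell: oadm policy add-scc-to-user anyuid system:serviceaccount:miq:default

    # Read-only listing used to decide whether the PV still has to be created.
    - name: Check for PV
      shell: oc get pv
      register: pv_list
      changed_when: false

    - name: Create Persistent Volume
      command: "oc create -f {{ mktemp.stdout }}/miq-pv.yaml"
      when: "'manageiq' not in pv_list.stdout"

    # Drop back to the unprivileged user before loading the app templates so
    # the play does not leave the session logged in as system:admin.
    - name: Login as developer
      shell: oc login -u developer -p developer

    # Delete-then-create refreshes the template; `|| /bin/true` tolerates the
    # template being absent but also masks any other delete error.
    - name: Remove monolithic template
      shell: oc delete template manageiq-monolithic || /bin/true

    - name: Create Persistent App Template
      command: "oc create -f {{ mktemp.stdout }}/miq-template-monolithic.yaml"

    - name: Remove template
      shell: oc delete template manageiq || /bin/true

    - name: Create App Template
      command: "oc create -f {{ mktemp.stdout }}/miq-template.yaml"

    # The rendered templates are no longer needed once loaded; remove them so
    # repeated runs do not pile up directories in /tmp. A failure earlier in
    # the play still leaves the directory behind.
    - name: Delete temp directory
      file:
        path: "{{ mktemp.stdout }}"
        state: absent
      changed_when: false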
# - name: Configure role/user permissions
# command: oc adm {{item}}
# with_items: "{{manage_iq_tasks}}"
# register: osmiq_perm_task
# failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0"
# changed_when: osmiq_perm_task.rc == 0
# # AUDIT:changed_when_note: Checking the return code is insufficient
# # here. We really need to compare the current role/user permissions
# # with their expected state. I think we may have a module for this?