Configure Satellite using Ansible instead of a script

- remove rhsm_repository module since it is included with Ansible 2.5 - improve test environment - convert katello-rhsm-consumer script to Ansible tasks - gather service and package facts - use ansible_facts dictionary for facts rather than ansible_[fact] - set rhsm_server_prefix, rhsm_repo_ca_cert, and rhsm_full_refresh_on_yum based on portal or satellite registration Change-Id: Ifdbcc3b23d5f6ea68dcf904e40a7f44c4b61622e
2018-10-22 17:26:25 -04:00 · 2018-10-22 17:26:25 -04:00 · f2385c2aa2
commit f2385c2aa2
parent a0c7cfffcc
12 changed files with 108 additions and 296 deletions
--- a/README.md
+++ b/README.md
@ -25,11 +25,11 @@ Role Variables
 | `rhsm_state` | `present` | Whether to enable or disable a Red Hat subscription. |
 | `rhsm_autosubscribe` | `[undefined]` | Whether or not to autosubscribe to available repositories. |
 | `rhsm_consumer_hostname` | `[undefined]` | Name of the system to use when registering. Defaults to using the system hostname if undefined. |
-| `rhsm_force_register` | `[undefined]` | Whether or not to force registration. Will not force registration if undefined. |
+| `rhsm_force_register` | `False` | Whether or not to force registration. |
 | `rhsm_repos` | `[]` | The list of repositories to enable or disable. See `defaults/main.yml` for examples. |
 | `rhsm_rhsm_port` | `443` | Port to use when connecting to subscription server. |
 | `rhsm_server_hostname` | `subscription.rhn.redhat.com` | FQDN of subscription server. |
-| `rhsm_server_prefix` | `/subscription` | Server prefix |
+| `rhsm_server_prefix` | `/subscription` or `/rhsm` | RHS server prefix. `/subscription` when using registering via `portal`, `/rhsm` when registering via `satellite`. |
 | `rhsm_insecure` | `False` | Disable certificate validation. |
 | `rhsm_ssl_verify_depth` | `3` | Depths certificates should be validated when checking. |
 | `rhsm_rhsm_proxy_hostname` | `[undefined]` | FQDN of outbound proxy server. |
@ -39,7 +39,6 @@ Role Variables
 | `rhsm_baseurl` | `https://cdn.redhat.com` | Base URL for content. |
 | `rhsm_satellite_url` | `[see defaults/main.yml]` | URL of the Satellite server that will be probed to determine the Satellite version. Uses the scheme and hostname of `rhsm_baseurl` by default.  |
 | `rhsm_ca_cert_dir` | `/etc/rhsm/ca/` | Server CA certificate directory. |
-| `rhsm_repo_ca_cert` | `%(ca_cert_dir)sredhat-uep.pem` | Default CA to use when generating yum rep configs. |
 | `rhsm_product_cert_dir` | `/etc/pki/product` | Product certificate directory. |
 | `rhsm_entitlement_cert_dir` | `/etc/pki/entitlement` | Entitlement certificate directory. |
 | `rhsm_consumer_cert_dir` | `/etc/pki/consumer` | Consumer certificate directory. |
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -7,6 +7,7 @@

 rhsm_state: present                      # present or absent
 rhsm_method: portal                      # portal or satellite
+rhsm_force_registration: False

 rhsm_repos: []
  # - name: rhel-7-server-extras-rpms     # wildcard or repo name
@ -16,7 +17,7 @@ rhsm_repos: []
 ## /etc/rhsm/rhsm.conf settings
 rhsm_rhsm_port: 443
 rhsm_server_hostname: subscription.rhn.redhat.com
-rhsm_server_prefix: '/subscription'
+rhsm_server_prefix: "{{ '/rhsm' if rhsm_method == 'satellite' else '/subscription' }}"
 rhsm_insecure: False
 rhsm_ssl_verify_depth: 3
 # rhsm_rhsm_proxy_hostname: ""
@ -26,7 +27,6 @@ rhsm_ssl_verify_depth: 3
 rhsm_baseurl: https://cdn.redhat.com
 rhsm_satellite_url: "{{ rhsm_baseurl | urlsplit('scheme') ~ '://' ~ rhsm_baseurl | urlsplit('hostname') }}"
 rhsm_ca_cert_dir: /etc/rhsm/ca/
-rhsm_repo_ca_cert: '%(ca_cert_dir)sredhat-uep.pem'
 rhsm_product_cert_dir: /etc/pki/product
 rhsm_entitlement_cert_dir: /etc/pki/entitlement
 rhsm_consumer_cert_dir: /etc/pki/consumer
--- a/library/rhsm_repository.py
+++ b/library/rhsm_repository.py
@ -1,261 +0,0 @@
-#!/usr/bin/python
-#
-# Copyright (c) 2017 OpenStack Foundation
-# All Rights Reserved.
-#
-#    Licensed under the Apache License, Version 2.0 (the "License"); you may
-#    not use this file except in compliance with the License. You may obtain
-#    a copy of the License at
-#
-#         http://www.apache.org/licenses/LICENSE-2.0
-#
-#    Unless required by applicable law or agreed to in writing, software
-#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
-#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
-#    License for the specific language governing permissions and limitations
-#    under the License.
-
-from __future__ import absolute_import
-from __future__ import division
-from __future__ import print_function
-from ansible.module_utils.basic import AnsibleModule
-from copy import deepcopy
-from fnmatch import fnmatch
-import os
-import re
-
-
-ANSIBLE_METADATA = {'metadata_version': '1.1',
-                    'status': ['preview'],
-                    'supported_by': 'community'}
-
-DOCUMENTATION = '''
---
-module: rhsm_repository
-short_description: Manage RHSM repositories using the subscription-manager
-                   command
-description:
-  - Manage(List/Enable/Disable) RHSM repositories to the Red Hat
-    Subscription Management entitlement platform using the
-    C(subscription-manager) command.
-version_added: '2.5'
-author: Giovanni Sciortino (@giovannisciortino)
-notes:
-  - In order to manage RHSM repositories the system must be already
-    registered to RHSM manually or using the ansible module
-    redhat_subscription.
-  - One option between name and list must be defined, both options in the
-    same task must not be defined.
-
-requirements:
-  - subscription-manager
-options:
-  state:
-    description:
-      - If state is equal to present or disabled, indicates the desired
-        repository state.
-    choices: [present, enabled, absent, disabled]
-    required: True
-    default: "present"
-  name:
-    description:
-      - The ID of repositories to enable.
-      - To operate on several repositories this can accept a comma separated
-        list or a YAML list.
-    required: True
-'''
-
-EXAMPLES = '''
- name: Enable a RHSM repository
-  rhsm_repository:
-    name: rhel-7-server-rpms
-
- name: Disable all Red Hat repositories
-  rhsm_repository:
-    name: '*'
-    state: disabled
-
- name: Enable all repositories starting with rhel-6-server
-  rhsm_repository:
-    name: rhel-6-server*
-    state: enabled
-
- name: Disable all repositories except rhel-7-server-rpms
-  rhsm_repository:
-    name: "{{ item }}"
-    state: disabled
-  with_items: "{{
-    rhsm_repository.repositories |
-    map(attribute='id') |
-    difference(['rhel-7-server-rpms']) }}"
-'''
-
-RETURN = '''
-repositories:
-  description:
-    - The list of Red Hat repositories with their states.
-    - When this module is used to change the repositories states, this list
-      contains the updated states after the changes.
-  returned: success
-  type: list
-'''
-
-
-def run_subscription_manager(module, arguments):
-    # Execute subuscription-manager with arguments and manage common errors
-    rhsm_bin = module.get_bin_path('subscription-manager')
-    if not rhsm_bin:
-        module.fail_json(msg='The executable file subscription-manager was ' +
-                         'not found in PATH')
-
-    rc, out, err = module.run_command("%s %s" % (rhsm_bin,
-                                      " ".join(arguments)))
-
-    if rc == 1 and (err == 'The password you typed is invalid.\nPlease try ' +
-                           'again.\n' or os.getuid() != 0):
-        module.fail_json(msg='The executable file subscription-manager must ' +
-                             'be run using root privileges')
-    elif rc == 0 and (out == 'This system has no repositories available ' +
-                             'through subscriptions.\n'):
-        module.fail_json(msg='This system has no repositories available ' +
-                             'through subscriptions')
-    elif rc == 1:
-        module.fail_json(msg='subscription-manager failed with the ' +
-                             'following error: %s' % err)
-    else:
-        return rc, out, err
-
-
-def get_repository_list(module, list_parameter):
-    # Generate RHSM repository list and return a list of dict
-    if list_parameter == 'list_enabled':
-        rhsm_arguments = ['repos', '--list-enabled']
-    elif list_parameter == 'list_disabled':
-        rhsm_arguments = ['repos', '--list-disabled']
-    elif list_parameter == 'list':
-        rhsm_arguments = ['repos', '--list']
-    rc, out, err = run_subscription_manager(module, rhsm_arguments)
-
-    skip_lines = [
-        '+----------------------------------------------------------+',
-        '    Available Repositories in /etc/yum.repos.d/redhat.repo'
-    ]
-    repo_id_re_str = r'Repo ID:   (.*)'
-    repo_name_re_str = r'Repo Name: (.*)'
-    repo_url_re_str = r'Repo URL:  (.*)'
-    repo_enabled_re_str = r'Enabled:   (.*)'
-
-    repo_id = ''
-    repo_name = ''
-    repo_url = ''
-    repo_enabled = ''
-
-    repo_result = []
-
-    for line in out.split('\n'):
-        if line in skip_lines:
-            continue
-
-        repo_id_re = re.match(repo_id_re_str, line)
-        if repo_id_re:
-            repo_id = repo_id_re.group(1)
-            continue
-
-        repo_name_re = re.match(repo_name_re_str, line)
-        if repo_name_re:
-            repo_name = repo_name_re.group(1)
-            continue
-
-        repo_url_re = re.match(repo_url_re_str, line)
-        if repo_url_re:
-            repo_url = repo_url_re.group(1)
-            continue
-
-        repo_enabled_re = re.match(repo_enabled_re_str, line)
-        if repo_enabled_re:
-            repo_enabled = repo_enabled_re.group(1)
-
-        repo = {
-            "id": repo_id,
-            "name": repo_name,
-            "url": repo_url,
-            "enabled": True if repo_enabled == '1' else False
-        }
-        repo_result.append(repo)
-    return repo_result
-
-
-def repository_modify(module, state, name):
-    name = set(name)
-    current_repo_list = get_repository_list(module, 'list')
-    updated_repo_list = deepcopy(current_repo_list)
-    matched_existing_repo = {}
-    for repoid in name:
-        matched_existing_repo[repoid] = []
-        for idx, repo in enumerate(current_repo_list):
-            if fnmatch(repo['id'], repoid):
-                matched_existing_repo[repoid].append(repo)
-                # Update current_repo_list to return it as result variable
-                if state == 'enabled':
-                    updated_repo_list[idx]['enabled'] = True
-                else:
-                    updated_repo_list[idx]['enabled'] = False
-
-    changed = False
-    results = []
-    diff_before = ""
-    diff_after = ""
-    rhsm_arguments = ['repos']
-
-    for repoid in matched_existing_repo:
-        if len(matched_existing_repo[repoid]) == 0:
-            results.append("%s is not a valid repository ID" % repoid)
-            module.fail_json(results=results,
-                             msg="%s is not a valid repository ID" % repoid)
-        for repo in matched_existing_repo[repoid]:
-            if state in ['disabled', 'absent']:
-                if repo['enabled']:
-                    changed = True
-                    diff_before += "Repository '%s' is enabled" % repo['id']
-                    diff_after += "Repository '%s' is disabled" % repo['id']
-                results.append(
-                    "Repository '%s' is disabled for this system" % repo['id'])
-                rhsm_arguments += ['--disable', repo['id']]
-            elif state in ['enabled', 'present']:
-                if not repo['enabled']:
-                    changed = True
-                    diff_before += "Repository '%s' is disabled" % repo['id']
-                    diff_after += "Repository '%s' is enabled" % repo['id']
-                results.append(
-                    "Repository '%s' is enabled for this system" % repo['id'])
-                rhsm_arguments += ['--enable', repo['id']]
-
-    diff = {'before': diff_before,
-            'after': diff_after,
-            'before_header': "RHSM repositories",
-            'after_header': "RHSM repositories"}
-
-    if not module.check_mode:
-        rc, out, err = run_subscription_manager(module, rhsm_arguments)
-        results = out.split('\n')
-    module.exit_json(results=results, changed=changed,
-                     repositories=updated_repo_list, diff=diff)
-
-
-def main():
-    module = AnsibleModule(
-        argument_spec=dict(
-            name=dict(type='list', required=True),
-            state=dict(choices=['enabled', 'present', 'disabled', 'absent'],
-                       default='enabled'),
-        ),
-        supports_check_mode=True,
-    )
-    name = module.params['name']
-    state = module.params['state']
-
-    repository_modify(module, state, name)
-
-
-if __name__ == '__main__':
-    main()
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,6 +1,6 @@
 - name: Ensure this is Red Hat
  assert:
-    that: "ansible_distribution == 'RedHat'"
+    that: "ansible_facts.distribution == 'RedHat'"
  tags:
    - rhsm

--- a/tasks/satellite-6.yml
+++ b/tasks/satellite-6.yml
@ -1,15 +1,46 @@
- name: SATELLITE 6 | Install katello RPM
+- name: SATELLITE 6 | Set Satellite server CA as a fact
+  set_fact:
+    rhsm_katello_ca: "{{ lookup('url', rhsm_satellite_url ~ '/pub/katello-server-ca.crt',  validate_certs=False, split_lines=False) }}"
+
+- block:
+    - name: Ensure appropriate version of subscription-manager is installed
+      assert:
+        fail_msg: The installed version of subscription-manager is too old.
+        that:
+          - packages['subscription-manager'][0]['version'] is version_compare('1.10', '>=')
+  rescue:
+    - name: Attempt to update subscription-manager
      yum:
-    name: "{{ rhsm_satellite_url }}/pub/katello-ca-consumer-latest.noarch.rpm"
-    state: present
-    validate_certs: "{{ not rhsm_insecure }}"
+        name: subscription-manager
+        state: latest

- name: SATELLITE 6 | Get Satellite certificates
-  get_url:
-    url: "{{ rhsm_satellite_url }}//pub/katello-rhsm-consumer"
-    dest: /tmp/katello-rhsm-consumer
+    - name: Ensure appropriate version of subscription-manager is installed
+      assert:
+        fail_msg: The installed version of subscription-manager is too old.
+        that:
+          - packages['subscription-manager'][0]['version'] is version_compare('1.10', '>=')

- name: SATELLITE 6 | Run katello script
-  command: bash /tmp/katello-rhsm-consumer
-  args:
-    creates: /etc/rhsm/ca/katello-server-ca.pem
+- name: SATELLITE 6 | Set RHSM facts
+  copy:
+    content: "{{ rhsm_facts | to_json }}\n"
+    dest: /etc/rhsm/facts/katello.facts
+  vars:
+    rhsm_facts:
+      network.hostname-override: "{{ ansible_facts.fqdn }}"
+
+- name: Configure yum plugins
+  ini_file:
+    path: /etc/yum/pluginconf.d/{{ item.file }}
+    section: "{{ item.section | default('main') }}"
+    option: "{{ item.option }}"
+    value: "{{ item.value }}"
+  loop: "{{ rhsm_yum_plugins }}"
+
+- name: SATELLITE 6 | Install CA certificates
+  copy:
+    content: "{{ rhsm_katello_ca }}\n"
+    dest: /etc/rhsm/ca/{{ item }}
+    owner: root
+    group: root
+    mode: 0644
+  loop: "{{ rhsm_ca_files }}"
--- a/tasks/satellite.yml
+++ b/tasks/satellite.yml
@ -18,13 +18,32 @@
  tags:
    - rhsm_satellite

+- name: SATELLITE | Gather service facts
+  service_facts:
+
+- name: SATELLITE | Set list of services as a fact
+  set_fact:
+    service_list: "{{ services.keys() | list | replace('.service', '') }}"
+
+- name: SATELLITE | Gather package facts
+  package_facts:
+
+- name: SATELLITE | Start and enable rhsmcertsd
+  service:
+    name: rhsmcertd
+    state: started
+    enabled: yes
+  when: "'rhsmcertd' in service_list"
+
 - name: SATELLITE | Set Satellite version
  set_fact:
    rhsm_satellite_version: "{% if _sat5_check['status'] == 200 %}5{% elif _sat6_check['status'] == 200 %}6{% endif %}"
  tags:
    - rhsm_satellite

- include_tasks: satellite-{{ rhsm_satellite_version }}.yml
+- name: SATELLITE | Run Satellite {{ rhsm_satellite_version}} tasks
+  include_tasks: satellite-{{ rhsm_satellite_version }}.yml
+  when: rhsm_state == 'present'
  tags:
    - rhsm_satellite

--- a/tests/Vagrantfile
+++ b/tests/Vagrantfile
@ -7,7 +7,7 @@ Vagrant.configure(2) do |config|
    config.vm.provider "virtualbox" do |vbox|
      vbox.name = "rhsm-rhel6"
      vbox.cpus = 1
-      vbox.memory = 256
+      vbox.memory = 1024
    end
  end

@ -18,14 +18,12 @@ Vagrant.configure(2) do |config|
    config.vm.provider "virtualbox" do |vbox|
      vbox.name = "rhsm-rhel7"
      vbox.cpus = 1
-      vbox.memory = 128
+      vbox.memory = 1024
    end
  end

  config.vm.provision "ansible" do |ansible|
    ansible.playbook = 'vagrant.yml'
-    ansible.extra_vars = 'vars.yml'
    ansible.compatibility_mode = '2.0'
  end
-
 end
--- a/tests/ansible.cfg
+++ b/tests/ansible.cfg
@ -0,0 +1,6 @@
+[defaults]
+inventory = .vagrant/provisioners/ansible/inventory/vagrant_ansible_inventory
+roles_path = ../../
+stdout_callback = debug
+retry_files = False
+host_key_checking = False
--- a/tests/inventory
+++ b/tests/inventory
@ -1 +0,0 @@
-localhost
--- a/tests/test.yml
+++ b/tests/test.yml
@ -1,4 +0,0 @@
- hosts: localhost
-  remote_user: root
-  roles:
-    - redhat-subscription
--- a/tests/vagrant.yml
+++ b/tests/vagrant.yml
@ -3,12 +3,23 @@
  become: yes

  vars:
-    rhsm_state: present
-    rhsm_repos:
-      - name: rhel-7-server-extras-rpms
+    rhsm_username: "{{ lookup('env', 'RHSM_USERNAME') }}"
+    rhsm_password: "{{ lookup('env', 'RHSM_PASSWORD') }}"
+    rhsm_pool_ids: "{{ lookup('env', 'RHSM_POOL_ID') }}"
+    rhsm_state: absent
+    # rhsm_force_register: yes
+    rhsm_repos: "{{ repos[ansible_distribution ~ '-' ~ ansible_distribution_major_version] }}"
+
+    repos:
+      RedHat-6:
+        - name: rhel-{{ ansible_distribution_major_version }}-server-extras-rpms
          state: present
-      - name: rhel-7-server-rh-common-rpms
-      - name: rhel-7-server-openstack-8-rpms
+        - name: rhel-{{ ansible_distribution_major_version }}-server-rh-common-rpms
+      RedHat-7:
+        - name: rhel-{{ ansible_distribution_major_version }}-server-extras-rpms
+          state: present
+        - name: rhel-{{ ansible_distribution_major_version }}-server-rh-common-rpms
+        - name: rhel-{{ ansible_distribution_major_version }}-server-openstack-12-tools-rpms

  roles:
    - ansible-role-redhat-subscription
--- a/vars/main.yml
+++ b/vars/main.yml
@ -0,0 +1,14 @@
+rhsm_repo_ca_cert: "{{ '%(ca_cert_dir)s' ~ ('katello-server-ca.pem' if rhsm_method == 'satellite' else 'chemeredhat-uep.pem') }}"
+rhsm_full_refresh_on_yum: "{{ 1 if rhsm_method == 'satellite' else 0 }}"
+rhsm_yum_plugins:
+  - file: product-id.conf
+    option: enabled
+    value: 1
+
+  - file: subscription-manager.conf
+    option: enabled
+    value: 1
+
+rhsm_ca_files:
+  - katello-server-ca.pem
+  - katello-default-ca.pem