ansible-playbooks/playbookconfig/src/playbooks/roles/bootstrap/bringup-essential-services/tasks/bringup_helm.yml

289 lines
8.1 KiB
YAML

---
#
# Copyright (c) 2019 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# SUB-TASKS DESCRIPTION:
# Bring up Helm
# - Set up needed directories
# - Pull Tiller and Armada images
# - Create service account and cluster role binding
# - Initialize Helm
# - Restart lighttpd
# - Generate repo index on target
# - Add local helm repo
# - Stop lighttpd
# - Bind mount
# - Generate repo index on source
#
- name: Create www group
group:
name: www
gid: 1877
state: present
- name: Create www user in preparation for Helm bringup
user:
name: www
uid: 1877
group: www
groups: sys_protected
shell: /sbin/nologin
state: present
- name: Ensure /www/tmp exists
file:
path: /www/tmp
state: directory
recurse: yes
owner: www
group: root
# mode: 1700
- name: Ensure /www/var exists
file:
path: "{{ item }}"
state: directory
recurse: yes
owner: www
group: root
with_items:
- /www/var
- /www/var/log
- name: Set up lighttpd.conf
copy:
src: "{{ lighttpd_conf_template }}"
dest: /etc/lighttpd/lighttpd.conf
remote_src: yes
mode: 0640
# TODO(tngo): Check if enable_https should be configurable..
# Resort to sed due to replace/lineinfile module deficiency
- name: Update lighttpd.conf
command: "{{ item }}"
args:
warn: false
with_items:
- "sed -i -e 's|<%= @http_port %>|'$PORT_NUM'|g' /etc/lighttpd/lighttpd.conf"
- "sed -i '/@enable_https/,/% else/d' /etc/lighttpd/lighttpd.conf"
- "sed -i '/@tmp_object/,/%- end/d' /etc/lighttpd/lighttpd.conf"
- "sed -i '/<% end/d' /etc/lighttpd/lighttpd.conf"
- "sed -i '/@tpm_object/,/%- end/d' /etc/lighttpd/lighttpd.conf"
environment:
PORT_NUM: 80
- name: Set up lighttpd-inc.conf
copy:
src: "{{ lighttpd_inc_conf_template }}"
dest: /etc/lighttpd/lighttpd-inc.conf
remote_src: yes
mode: 0640
- name: Update management subnet in lighttpd-inc.conf
replace:
path: /etc/lighttpd/lighttpd-inc.conf
regexp: "var.management_ip_network =.*$"
replace: 'var.management_ip_network = "{{ management_subnet }}"'
- name: Update pxe subnet in lighttp-inc.conf
replace:
path: /etc/lighttpd/lighttpd-inc.conf
regexp: "var.pxeboot_ip_network =.*$"
replace: 'var.pxeboot_ip_network = "{{ pxeboot_subnet }}"'
- name: Update Tiller and Armada image tags
set_fact:
tiller_img: "{{ tiller_img | regex_replace('gcr.io', '{{ gcr_registry.url }}') }}"
armada_img: "{{ armada_img | regex_replace('quay.io', '{{ quay_registry.url }}') }}"
- name: log in to gcr registry if credentials exist
docker_login:
registry: "{{ gcr_registry['url'] }}"
username: "{{ gcr_registry['username'] }}"
password: "{{ gcr_registry['password'] }}"
when: gcr_registry.username is defined
- name: log in to quay registry if credentials exist
docker_login:
registry: "{{ quay_registry['url'] }}"
username: "{{ quay_registry['username'] }}"
password: "{{ quay_registry['password'] }}"
when: quay_registry.username is defined
- name: Pull Tiller and Armada images
docker_image:
name: "{{ item }}"
with_items:
- "{{ tiller_img }}"
- "{{ armada_img }}"
- name: log out of gcr registry if credentials exist
docker_login:
registry: "{{ gcr_registry['url'] }}"
state: absent
when: gcr_registry.username is defined
- name: log out of quay registry if credentials exist
docker_login:
registry: "{{ quay_registry['url'] }}"
state: absent
when: quay_registry.username is defined
- name: Create source and target helm bind directories
file:
path: "{{ item }}"
state: directory
owner: www
group: root
mode: 0755
with_items:
- "{{ source_helm_bind_dir }}"
- "{{ target_helm_bind_dir }}"
- name: Create helm repository directories
file:
path: "{{ item }}"
state: directory
owner: www
group: root
mode: 0755
with_items:
- "{{ source_helm_bind_dir }}/{{ helm_repo_name_apps }}"
- "{{ source_helm_bind_dir }}/{{ helm_repo_name_platform }}"
- name: Create service account for Tiller
command: >
kubectl --kubeconfig=/etc/kubernetes/admin.conf create serviceaccount
--namespace kube-system tiller
- name: Patch pull secret into tiller service account
command: >
kubectl --kubeconfig=/etc/kubernetes/admin.conf patch serviceaccount
tiller -p '{"imagePullSecrets": [{"name": "gcr-registry-secret"}]}' -n kube-system
- name: Create cluster role binding for Tiller service account
command: >
kubectl --kubeconfig=/etc/kubernetes/admin.conf create clusterrolebinding
tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
- name: Initialize Helm (local host)
command: >-
helm init --skip-refresh --service-account tiller --node-selectors
"node-role.kubernetes.io/master"="" --tiller-image={{ tiller_img }}
--override spec.template.spec.hostNetwork=true
become_user: sysadmin
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
HOME: /home/sysadmin
when: inventory_hostname == 'localhost'
# Workaround for helm init remotely. Not sure why the task cannot be executed
# successfully as sysadmin on remote host.
- block:
- name: Initialize Helm (remote host)
command: >-
helm init --skip-refresh --service-account tiller --node-selectors
"node-role.kubernetes.io/master"="" --tiller-image={{ tiller_img }}
--override spec.template.spec.hostNetwork=true
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
HOME: /home/sysadmin
- name: Change helm directory ownership (remote host)
file:
dest: /home/sysadmin/.helm
owner: sysadmin
group: sys_protected
mode: 0755
recurse: yes
when: inventory_hostname != 'localhost'
- name: Generate Helm repo indicies
command: helm repo index "{{ source_helm_bind_dir }}/{{ item }}"
become_user: www
with_items:
- "{{ helm_repo_name_apps }}"
- "{{ helm_repo_name_platform }}"
- name: Stop lighttpd
systemd:
name: lighttpd
state: stopped
- name: Disable lighttpd
# Systemd module does not support disabled state. Resort to command
command: systemctl disable lighttpd
- name: Bind mount on {{ target_helm_bind_dir }}
# Due to deficiency of mount module, resort to command for now
command: mount -o bind -t ext4 {{ source_helm_bind_dir }} {{ target_helm_bind_dir }}
args:
warn: false
- name: Enable lighttpd
command: systemctl enable lighttpd
- name: Restart lighttpd for Helm
systemd:
name: lighttpd
state: restarted
- name: Add Helm repos (local host)
command: helm repo add "{{ item }}" "http://127.0.0.1:$PORT/helm_charts/{{ item }}"
become_user: sysadmin
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
HOME: /home/sysadmin
PORT: 80
with_items:
- "{{ helm_repo_name_apps }}"
- "{{ helm_repo_name_platform }}"
when: inventory_hostname == 'localhost'
# Workaround for helm repo add remotely
- block:
- name: Add Helm repos (remote host)
command: helm repo add "{{ item }}" "http://127.0.0.1:$PORT/helm_charts/{{ item }}"
environment:
KUBECONFIG: /etc/kubernetes/admin.conf
HOME: /home/sysadmin
PORT: 80
with_items:
- "{{ helm_repo_name_apps }}"
- "{{ helm_repo_name_platform }}"
- name: Change helm directory ownership to pick up newly generated files (remote host)
file:
dest: /home/sysadmin/.helm
owner: sysadmin
group: sys_protected
mode: 0755
recurse: yes
when: inventory_hostname != 'localhost'
- name: Update info of available charts locally from chart repos
command: helm repo update
become_user: sysadmin
when: inventory_hostname == 'localhost'
# Workaround for helm update remotely. Not sure why the task cannot be executed
# successfully as sysadmin on remote host.
- block:
- name: Update info of available charts locally from chart repos (remote host)
command: helm repo update
environment:
HOME: /home/sysadmin
- name: Change helm directory ownership (remote host)
file:
dest: /home/sysadmin/.helm
owner: sysadmin
group: sys_protected
mode: 0755
recurse: yes
when: inventory_hostname != 'localhost'