353 lines
11 KiB
YAML
353 lines
11 KiB
YAML
---
|
|
#
|
|
# Copyright (c) 2019 Wind River Systems, Inc.
|
|
#
|
|
# SPDX-License-Identifier: Apache-2.0
|
|
#
|
|
# ROLE DESCRIPTION:
|
|
# This role is to persist the bootstrap configurations on filesystem and
|
|
# system inventory database.
|
|
#
|
|
|
|
# Keyring config
|
|
- block:
|
|
- name: Check if keyring data has been persisted
|
|
stat:
|
|
path: "{{ keyring_workdir }}"
|
|
register: tmp_keyring
|
|
|
|
- block:
|
|
- name: Delete the previous python_keyring directory if exists
|
|
file:
|
|
path: "{{ keyring_permdir + '/' + keyring_workdir | basename }}"
|
|
state: absent
|
|
|
|
- name: Persist keyring data
|
|
command: "mv {{ keyring_workdir }} {{ keyring_permdir }}"
|
|
when: tmp_keyring.stat.exists
|
|
when: save_password
|
|
|
|
- name: Ensure replicated config parent directories exist
|
|
file:
|
|
path: "{{ item.path }}"
|
|
state: directory
|
|
recurse: yes
|
|
owner: "{{ item.owner }}"
|
|
group: "{{ item.group }}"
|
|
mode: 0755
|
|
with_items:
|
|
- { path: "{{ config_permdir }}", owner: "root", group: "root" }
|
|
- { path: "{{ sysinv_permdir }}", owner: "sysinv", group: "sysinv" }
|
|
|
|
- name: Get list of new config files
|
|
find:
|
|
paths: "{{ config_workdir }}"
|
|
file_type: any
|
|
register: config_find
|
|
|
|
- block:
|
|
- name: Remove existing config files from permanent location
|
|
file:
|
|
path: "{{ config_permdir }}/{{ item.path | basename}}"
|
|
state: absent
|
|
with_items: "{{ config_find.files }}"
|
|
|
|
- name: Move new config files to permanent location
|
|
# Can't use command module due to wildcard
|
|
shell: mv {{ config_workdir }}/* {{ config_permdir }}
|
|
|
|
- name: Delete working config directory
|
|
file:
|
|
path: "{{ config_workdir }}"
|
|
state: absent
|
|
when: config_find.matched != 0
|
|
|
|
# Postgres, PXE, Branding, Grub config tasks and filesystem resizing are
|
|
# moved to a separate file as they don't need to be executed again once the
|
|
# controller-0 host has been created.
|
|
- include: one_time_config_tasks.yml
|
|
when: not initial_db_populated
|
|
|
|
# Banner customization is not part of one_time_config_task.yml as the user may
|
|
# choose to change their banner look and feel and replay.
|
|
- name: Check if custom banner exists
|
|
stat:
|
|
path: /opt/banner
|
|
register: banner_result
|
|
|
|
- block:
|
|
- name: Apply custom banner
|
|
shell:
|
|
/usr/sbin/apply_banner_customization /opt/banner > /tmp/apply_banner_customization.log
|
|
failed_when: false
|
|
register: banner_apply
|
|
|
|
- name: Fail if banner customization failed
|
|
fail:
|
|
msg: "Failed to apply banner customization. See /tmp/apply_banner_customization.log for details."
|
|
when: banner_apply.rc != 0
|
|
when: banner_result.stat.exists and banner_result.stat.isdir
|
|
|
|
# Shut down services if there are services impacting config changes in
|
|
# this replay or previous bootstrap did not complete for whatever reason.
|
|
- name: Shuting down services for reconfiguration as required
|
|
include: shutdown_services.yml
|
|
when: restart_services
|
|
|
|
- name: Find old registry secrets in Barbican
|
|
shell: "{{ item }}"
|
|
failed_when: false
|
|
with_items:
|
|
- "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n k8s-registry-secret -f value"
|
|
- "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n gcr-registry-secret -f value"
|
|
- "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n quay-registry-secret -f value"
|
|
- "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n docker-registry-secret -f value"
|
|
- "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n elastic-registry-secret -f value"
|
|
register: old_barbican_secrets
|
|
|
|
- name: Delete old registry secrets in Barbican
|
|
shell: "source /etc/platform/openrc; openstack secret delete {{ item }}"
|
|
with_items:
|
|
- "{{ old_barbican_secrets.results | map(attribute='stdout_lines') | flatten }}"
|
|
|
|
# need to do this here to get the barbican secret id for sysinv
|
|
- block:
|
|
- name: Create Barbican secret for k8s registry if credentials exist
|
|
shell: "source /etc/platform/openrc; openstack secret store -n k8s-registry-secret
|
|
-p 'username:{{ k8s_registry['username'] }} password:{{ k8s_registry['password'] }}' -c 'Secret href' -f value"
|
|
register: k8s_registry_secret_output
|
|
|
|
- set_fact:
|
|
k8s_registry_secret: "{{ k8s_registry_secret_output.stdout }}"
|
|
|
|
when: k8s_registry.username is defined
|
|
|
|
- block:
|
|
- name: Create Barbican secret for gcr registry if credentials exist
|
|
shell: "source /etc/platform/openrc; openstack secret store -n gcr-registry-secret
|
|
-p 'username:{{ gcr_registry['username'] }} password:{{ gcr_registry['password'] }}' -c 'Secret href' -f value"
|
|
register: gcr_registry_secret_output
|
|
|
|
- set_fact:
|
|
gcr_registry_secret: "{{ gcr_registry_secret_output.stdout }}"
|
|
|
|
when: gcr_registry.username is defined
|
|
|
|
- block:
|
|
- name: Create Barbican secret for quay registry if credentials exist
|
|
shell: "source /etc/platform/openrc; openstack secret store -n quay-registry-secret
|
|
-p 'username:{{ quay_registry['username'] }} password:{{ quay_registry['password'] }}' -c 'Secret href' -f value"
|
|
register: quay_registry_secret_output
|
|
|
|
- set_fact:
|
|
quay_registry_secret: "{{ quay_registry_secret_output.stdout }}"
|
|
|
|
when: quay_registry.username is defined
|
|
|
|
- block:
|
|
- name: Create Barbican secret for docker registry if credentials exist
|
|
shell: "source /etc/platform/openrc; openstack secret store -n docker-registry-secret
|
|
-p 'username:{{ docker_registry['username'] }} password:{{ docker_registry['password'] }}'
|
|
-c 'Secret href' -f value"
|
|
register: docker_registry_secret_output
|
|
|
|
- set_fact:
|
|
docker_registry_secret: "{{ docker_registry_secret_output.stdout }}"
|
|
|
|
when: docker_registry.username is defined
|
|
|
|
- block:
|
|
- name: Create Barbican secret for elastic registry if credentials exist
|
|
shell: "source /etc/platform/openrc; openstack secret store -n elastic-registry-secret
|
|
-p 'username:{{ docker_registry['username'] }} password:{{ docker_registry['password'] }}'
|
|
-c 'Secret href' -f value"
|
|
register: elastic_registry_secret_output
|
|
|
|
- set_fact:
|
|
elastic_registry_secret: "{{ elastic_registry_secret_output.stdout }}"
|
|
|
|
when: elastic_registry.username is defined
|
|
|
|
- name: Append config ini file with Barbican secret uuid
|
|
lineinfile:
|
|
path: "{{ config_permdir + '/' + bootstrap_config_file|basename }}"
|
|
line: "{{ item }}"
|
|
with_items:
|
|
- "K8S_REGISTRY_SECRET={{ k8s_registry_secret | default('none') }}"
|
|
- "GCR_REGISTRY_SECRET={{ gcr_registry_secret | default('none') }}"
|
|
- "QUAY_REGISTRY_SECRET={{ quay_registry_secret | default('none') }}"
|
|
- "DOCKER_REGISTRY_SECRET={{ docker_registry_secret | default('none') }}"
|
|
- "ELASTIC_REGISTRY_SECRET={{ elastic_registry_secret | default('none') }}"
|
|
|
|
- include: update_sysinv_database.yml
|
|
when: save_config_to_db
|
|
|
|
|
|
# Update docker and containerd config files and restart docker and containerd
|
|
# if docker proxy is configured
|
|
- block:
|
|
- name: Ensure docker and containerd config directory exist
|
|
file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
with_items:
|
|
- /etc/systemd/system/docker.service.d
|
|
- /etc/systemd/system/containerd.service.d
|
|
|
|
- name: Ensure docker and containerd proxy config exist
|
|
copy:
|
|
content: ""
|
|
dest: "{{ item }}"
|
|
force: no
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
remote_src: yes
|
|
with_items:
|
|
- "{{ docker_proxy_conf }}"
|
|
- "{{ containerd_proxy_conf }}"
|
|
|
|
- name: Write header to docker and containerd proxy conf files
|
|
lineinfile:
|
|
path: "{{ item }}"
|
|
line: "[Service]"
|
|
with_items:
|
|
- "{{ docker_proxy_conf }}"
|
|
- "{{ containerd_proxy_conf }}"
|
|
|
|
- name: Add http proxy URL to docker and containerd proxy conf files
|
|
lineinfile:
|
|
path: "{{ item }}"
|
|
line: "Environment='HTTP_PROXY={{ docker_http_proxy }}'"
|
|
with_items:
|
|
- "{{ docker_proxy_conf }}"
|
|
- "{{ containerd_proxy_conf }}"
|
|
when: docker_http_proxy != 'undef'
|
|
|
|
- name: Add https proxy URL to docker and containerd proxy conf files
|
|
lineinfile:
|
|
path: "{{ item }}"
|
|
line: "Environment='HTTPS_PROXY={{ docker_https_proxy }}'"
|
|
with_items:
|
|
- "{{ docker_proxy_conf }}"
|
|
- "{{ containerd_proxy_conf }}"
|
|
when: docker_https_proxy != 'undef'
|
|
|
|
- name: Add no proxy address list to docker and containerd proxy config files
|
|
lineinfile:
|
|
path: "{{ item }}"
|
|
line: "Environment='NO_PROXY={{ docker_no_proxy_combined | join(',') }}'"
|
|
with_items:
|
|
- "{{ docker_proxy_conf }}"
|
|
- "{{ containerd_proxy_conf }}"
|
|
|
|
- name: Restart Docker and containerd
|
|
systemd:
|
|
state: restarted
|
|
daemon_reload: yes
|
|
name: "{{ item }}"
|
|
with_items:
|
|
- docker
|
|
- containerd
|
|
|
|
when: use_docker_proxy
|
|
|
|
|
|
# Install certificate if SSL CA certifcate is configured
|
|
- block:
|
|
- name: Copy ssl_ca certificate
|
|
copy:
|
|
src: "{{ ssl_ca_cert }}"
|
|
dest: "{{ temp_ssl_ca }}"
|
|
|
|
- name: Remove ssl_ca complete flag
|
|
file:
|
|
path: "{{ ssl_ca_complete_flag }}"
|
|
state: absent
|
|
|
|
- name: Add ssl_ca certificate
|
|
shell: source /etc/platform/openrc; system certificate-install -m ssl_ca {{ temp_ssl_ca }}
|
|
|
|
- name: Wait for certificate install
|
|
wait_for:
|
|
path: "{{ ssl_ca_complete_flag }}"
|
|
state: present
|
|
timeout: 360
|
|
msg: Timeout waiting for ssl_ca certificate install
|
|
|
|
- name: Cleanup temporary certificate
|
|
file:
|
|
path: "{{ temp_ssl_ca }}"
|
|
state: absent
|
|
|
|
when: ssl_ca_cert is defined and ssl_ca_cert
|
|
|
|
# PXE boot files
|
|
- name: Set pxeboot files source if address allocation is dynamic
|
|
set_fact:
|
|
pxe_default: pxelinux.cfg.files/default
|
|
pxe_grub_cfg: pxelinux.cfg.files/grub.cfg
|
|
when: management_dynamic_address_allocation
|
|
|
|
- name: Set pxeboot files source if address allocation is static
|
|
set_fact:
|
|
pxe_default: pxelinux.cfg.files/default.static
|
|
pxe_grub_cfg: pxelinux.cfg.files/grub.cfg.static
|
|
when: not management_dynamic_address_allocation
|
|
|
|
- name: Set pxeboot files symlinks
|
|
file:
|
|
src: "/pxeboot/{{ item.src }}"
|
|
dest: "/pxeboot/{{ item.dest }}"
|
|
state: link
|
|
force: yes
|
|
with_items:
|
|
- { src: '{{ pxe_default }}', dest: 'pxelinux.cfg/default' }
|
|
- { src: '{{ pxe_grub_cfg }}', dest: 'pxelinux.cfg/grub.cfg' }
|
|
|
|
- name: Update the management_interface in platform.conf
|
|
lineinfile:
|
|
path: /etc/platform/platform.conf
|
|
regexp: "management_interface"
|
|
line: "management_interface=lo"
|
|
|
|
- name: Add new entries to platform.conf
|
|
lineinfile:
|
|
path: /etc/platform/platform.conf
|
|
line: "{{ item }}"
|
|
with_items:
|
|
- region_config={{ region_config }}
|
|
- sw_version={{ software_version }}
|
|
- vswitch_type=none
|
|
|
|
- name: Ensure distributed cloud role is removed from platform.conf
|
|
lineinfile:
|
|
path: /etc/platform/platform.conf
|
|
regexp: '^distributed_cloud_role'
|
|
state: absent
|
|
when: distributed_cloud_role == 'none'
|
|
|
|
- name: Add distributed cloud role to platform.conf
|
|
lineinfile:
|
|
path: /etc/platform/platform.conf
|
|
line: distributed_cloud_role={{ distributed_cloud_role }}
|
|
when: distributed_cloud_role != 'none'
|
|
|
|
- name: Update resolv.conf with list of dns servers
|
|
lineinfile:
|
|
path: /etc/resolv.conf
|
|
line: "nameserver {{ item }}"
|
|
with_items: "{{ dns_servers }}"
|
|
|
|
- name: Remove localhost address from resolv.conf
|
|
lineinfile:
|
|
path: /etc/resolv.conf
|
|
regex: "nameserver ::1"
|
|
state: absent
|
|
|
|
- name: Invalidate name service caching server
|
|
command: nscd -i hosts
|