
---
#
# Copyright (c) 2019 Wind River Systems, Inc.
#
# SPDX-License-Identifier: Apache-2.0
#
# ROLE DESCRIPTION:
# This role persists the bootstrap configuration to the filesystem and to the
# system inventory database.
#
# Keyring config: move the python_keyring working directory into its permanent
# location. Only done when the password is meant to be saved, and only when the
# working directory was actually produced by an earlier step.
- block:
    - name: Check if keyring data has been persisted
      stat:
        path: '{{ keyring_workdir }}'
      register: tmp_keyring

    - block:
        # Replace any python_keyring directory left by an earlier run so the
        # freshly generated one is not moved inside it.
        - name: Delete the previous python_keyring directory if exists
          file:
            path: '{{ keyring_permdir }}/{{ keyring_workdir | basename }}'
            state: absent

        - name: Persist keyring data
          command: 'mv {{ keyring_workdir }} {{ keyring_permdir }}'
      when: tmp_keyring.stat.exists
  when: save_password
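# Create the permanent config directories with their expected ownership.
- name: Ensure replicated config parent directories exist
  file:
    path: "{{ item.path }}"
    state: directory
    # NOTE(review): with recurse the owner/group/mode are applied to the
    # existing contents as well, not only to the directory itself — confirm
    # that is intended for everything already under sysinv_permdir.
    recurse: true
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    # Quoted so the YAML parser does not read the leading zero as an octal
    # integer literal.
    mode: "0755"
  with_items:
    - path: "{{ config_permdir }}"
      owner: root
      group: root
    - path: "{{ sysinv_permdir }}"
      owner: sysinv
      group: sysinv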
# Replace the persisted config files with the ones generated in the working
# directory, then drop the working directory.
- name: Get list of new config files
  find:
    paths: '{{ config_workdir }}'
    file_type: any
  register: config_find

# Nothing is touched in the permanent location when the working directory
# yielded no files.
- block:
    - name: Remove existing config files from permanent location
      file:
        path: '{{ config_permdir }}/{{ item.path | basename }}'
        state: absent
      with_items: '{{ config_find.files }}'

    - name: Move new config files to permanent location
      # Can't use command module due to wildcard
      shell: mv {{ config_workdir }}/* {{ config_permdir }}

    - name: Delete working config directory
      file:
        path: '{{ config_workdir }}'
        state: absent
  when: config_find.matched != 0
# Postgres, PXE, Branding, Grub config tasks and filesystem resizing live in a
# separate file because they only need to run before the controller-0 host
# has been created; they are skipped once the database has been populated.
- when: not initial_db_populated
  include: one_time_config_tasks.yml
# Banner customization is not part of one_time_config_tasks.yml as the user may
# choose to change their banner look and feel and replay.
- name: Check if custom banner exists
  stat:
    path: /opt/banner
  register: banner_result

- block:
    # The tool's output is redirected to a log file and its exit status is
    # checked by the next task, so a failure is reported together with a
    # pointer to that log.
    # NOTE(review): the log goes to a fixed, predictable path under /tmp;
    # confirm that is acceptable for a run performed with root privileges.
    - name: Apply custom banner
      shell: /usr/sbin/apply_banner_customization /opt/banner > /tmp/apply_banner_customization.log
      register: banner_apply
      failed_when: false

    - name: Fail if banner customization failed
      fail:
        msg: "Failed to apply banner customization. See /tmp/apply_banner_customization.log for details."
      when: banner_apply.rc != 0
  when: banner_result.stat.exists and banner_result.stat.isdir
# Shut down services if there are services impacting config changes in
# this replay or previous bootstrap did not complete for whatever reason.
- name: Shuting down services for reconfiguration as required
  when: restart_services
  include: shutdown_services.yml
# Look up, by name, the registry secrets left in Barbican by an earlier run
# and delete them before the current credentials are stored below.
- name: Find old registry secrets in Barbican
  shell: "{{ item }}"
  # A failed lookup must not abort the play; an entry without output simply
  # contributes no href to the delete loop.
  failed_when: false
  with_items:
    - "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n k8s-registry-secret -f value"
    - "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n gcr-registry-secret -f value"
    - "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n quay-registry-secret -f value"
    - "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n docker-registry-secret -f value"
    - "source /etc/platform/openrc; openstack secret list -c 'Secret href' -n elastic-registry-secret -f value"
  register: old_barbican_secrets

- name: Delete old registry secrets in Barbican
  shell: "source /etc/platform/openrc; openstack secret delete {{ item }}"
  # with_items flattens the single nested list, so one href is deleted per
  # iteration.
  with_items:
    - "{{ old_barbican_secrets.results | map(attribute='stdout_lines') | flatten }}"
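# The Barbican secrets are created at this point because sysinv needs their
# ids when the database is updated below. A secret is stored for a registry
# only when a username was supplied; the resulting href (not the credential)
# is kept in a fact for the config file written afterwards.
#
# The credential payload is passed through 'quote' so a value containing shell
# metacharacters cannot break out of the -p argument, and the store tasks run
# with no_log because the password is part of the command line.
- block:
    - name: Create Barbican secret for k8s registry if credentials exist
      shell: >-
        source /etc/platform/openrc;
        openstack secret store -n k8s-registry-secret
        -p {{ ('username:' ~ k8s_registry['username'] ~ ' password:' ~ k8s_registry['password']) | quote }}
        -c 'Secret href' -f value
      register: k8s_registry_secret_output
      # Keeps the password out of task output and the Ansible log.
      no_log: true

    - set_fact:
        k8s_registry_secret: "{{ k8s_registry_secret_output.stdout }}"
  when: k8s_registry.username is defined

- block:
    - name: Create Barbican secret for gcr registry if credentials exist
      shell: >-
        source /etc/platform/openrc;
        openstack secret store -n gcr-registry-secret
        -p {{ ('username:' ~ gcr_registry['username'] ~ ' password:' ~ gcr_registry['password']) | quote }}
        -c 'Secret href' -f value
      register: gcr_registry_secret_output
      no_log: true

    - set_fact:
        gcr_registry_secret: "{{ gcr_registry_secret_output.stdout }}"
  when: gcr_registry.username is defined

- block:
    - name: Create Barbican secret for quay registry if credentials exist
      shell: >-
        source /etc/platform/openrc;
        openstack secret store -n quay-registry-secret
        -p {{ ('username:' ~ quay_registry['username'] ~ ' password:' ~ quay_registry['password']) | quote }}
        -c 'Secret href' -f value
      register: quay_registry_secret_output
      no_log: true

    - set_fact:
        quay_registry_secret: "{{ quay_registry_secret_output.stdout }}"
  when: quay_registry.username is defined

- block:
    - name: Create Barbican secret for docker registry if credentials exist
      shell: >-
        source /etc/platform/openrc;
        openstack secret store -n docker-registry-secret
        -p {{ ('username:' ~ docker_registry['username'] ~ ' password:' ~ docker_registry['password']) | quote }}
        -c 'Secret href' -f value
      register: docker_registry_secret_output
      no_log: true

    - set_fact:
        docker_registry_secret: "{{ docker_registry_secret_output.stdout }}"
  when: docker_registry.username is defined

- block:
    # The elastic registry secret is built from the elastic registry
    # credentials; previously the docker registry values were stored here
    # while the block was still gated on elastic_registry.username.
    - name: Create Barbican secret for elastic registry if credentials exist
      shell: >-
        source /etc/platform/openrc;
        openstack secret store -n elastic-registry-secret
        -p {{ ('username:' ~ elastic_registry['username'] ~ ' password:' ~ elastic_registry['password']) | quote }}
        -c 'Secret href' -f value
      register: elastic_registry_secret_output
      no_log: true

    - set_fact:
        elastic_registry_secret: "{{ elastic_registry_secret_output.stdout }}"
  when: elastic_registry.username is defined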
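# Record the Barbican secret hrefs in the persisted bootstrap config file.
# Registries without credentials are recorded as 'none'. Each key is matched
# by name so a replay that produced a new href replaces the previous line
# instead of appending a second KEY= entry.
- name: Append config ini file with Barbican secret uuid
  lineinfile:
    path: "{{ config_permdir }}/{{ bootstrap_config_file | basename }}"
    regexp: "^{{ item['key'] }}="
    line: "{{ item['key'] }}={{ item['value'] }}"
  with_items:
    - key: K8S_REGISTRY_SECRET
      value: "{{ k8s_registry_secret | default('none') }}"
    - key: GCR_REGISTRY_SECRET
      value: "{{ gcr_registry_secret | default('none') }}"
    - key: QUAY_REGISTRY_SECRET
      value: "{{ quay_registry_secret | default('none') }}"
    - key: DOCKER_REGISTRY_SECRET
      value: "{{ docker_registry_secret | default('none') }}"
    - key: ELASTIC_REGISTRY_SECRET
      value: "{{ elastic_registry_secret | default('none') }}"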
# Persist the bootstrap configuration to the system inventory database.
- when: save_config_to_db
  include: update_sysinv_database.yml
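# Update docker and containerd config files and restart docker and containerd
# if docker proxy is configured
- block:
    - name: Ensure docker and containerd config directory exist
      file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        # Quoted so the leading zero is not parsed as an octal integer literal.
        mode: "0755"
      with_items:
        - /etc/systemd/system/docker.service.d
        - /etc/systemd/system/containerd.service.d

    # force: false only creates the drop-in when it is missing; an existing
    # file is left for the lineinfile tasks below to update in place.
    - name: Ensure docker and containerd proxy config exist
      copy:
        content: ""
        dest: "{{ item }}"
        force: false
        owner: root
        group: root
        # NOTE(review): the proxy URLs written below end up in a
        # world-readable file; confirm that is acceptable if a URL can carry
        # credentials.
        mode: "0644"
        remote_src: true
      with_items:
        - "{{ docker_proxy_conf }}"
        - "{{ containerd_proxy_conf }}"

    - name: Write header to docker and containerd proxy conf files
      lineinfile:
        path: "{{ item }}"
        line: "[Service]"
      with_items:
        - "{{ docker_proxy_conf }}"
        - "{{ containerd_proxy_conf }}"

    # The Environment= lines are matched by variable name so a replay with a
    # changed proxy setting replaces the previous entry instead of appending
    # a second one.
    - name: Add http proxy URL to docker and containerd proxy conf files
      lineinfile:
        path: "{{ item }}"
        regexp: "^Environment='HTTP_PROXY="
        line: "Environment='HTTP_PROXY={{ docker_http_proxy }}'"
      with_items:
        - "{{ docker_proxy_conf }}"
        - "{{ containerd_proxy_conf }}"
      when: docker_http_proxy != 'undef'

    - name: Add https proxy URL to docker and containerd proxy conf files
      lineinfile:
        path: "{{ item }}"
        regexp: "^Environment='HTTPS_PROXY="
        line: "Environment='HTTPS_PROXY={{ docker_https_proxy }}'"
      with_items:
        - "{{ docker_proxy_conf }}"
        - "{{ containerd_proxy_conf }}"
      when: docker_https_proxy != 'undef'

    - name: Add no proxy address list to docker and containerd proxy config files
      lineinfile:
        path: "{{ item }}"
        regexp: "^Environment='NO_PROXY="
        line: "Environment='NO_PROXY={{ docker_no_proxy_combined | join(',') }}'"
      with_items:
        - "{{ docker_proxy_conf }}"
        - "{{ containerd_proxy_conf }}"

    # daemon_reload picks up the new drop-ins before the services restart.
    - name: Restart Docker and containerd
      systemd:
        name: "{{ item }}"
        state: restarted
        daemon_reload: true
      with_items:
        - docker
        - containerd
  when: use_docker_proxy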
# Install certificate if SSL CA certificate is configured
- block:
    - name: Copy ssl_ca certificate
      copy:
        src: '{{ ssl_ca_cert }}'
        dest: '{{ temp_ssl_ca }}'

    # The completion flag is cleared first so the wait below cannot be
    # satisfied by a flag left behind by an earlier install.
    - name: Remove ssl_ca complete flag
      file:
        path: '{{ ssl_ca_complete_flag }}'
        state: absent

    - name: Add ssl_ca certificate
      shell: 'source /etc/platform/openrc; system certificate-install -m ssl_ca {{ temp_ssl_ca }}'

    - name: Wait for certificate install
      wait_for:
        path: '{{ ssl_ca_complete_flag }}'
        state: present
        timeout: 360
        msg: Timeout waiting for ssl_ca certificate install

    - name: Cleanup temporary certificate
      file:
        path: '{{ temp_ssl_ca }}'
        state: absent
  when: ssl_ca_cert is defined and ssl_ca_cert
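# PXE boot files: pick the dynamic or static variants of the pxelinux
# configuration and point the served files at them.
- name: Set pxeboot files source if address allocation is dynamic
  set_fact:
    pxe_default: pxelinux.cfg.files/default
    pxe_grub_cfg: pxelinux.cfg.files/grub.cfg
  when: management_dynamic_address_allocation

- name: Set pxeboot files source if address allocation is static
  set_fact:
    pxe_default: pxelinux.cfg.files/default.static
    pxe_grub_cfg: pxelinux.cfg.files/grub.cfg.static
  when: not management_dynamic_address_allocation

# force: true lets the links be recreated when something already exists at
# the destination, so a replay that switches allocation mode repoints them.
- name: Set pxeboot files symlinks
  file:
    src: "/pxeboot/{{ item.src }}"
    dest: "/pxeboot/{{ item.dest }}"
    state: link
    force: true
  with_items:
    - src: "{{ pxe_default }}"
      dest: pxelinux.cfg/default
    - src: "{{ pxe_grub_cfg }}"
      dest: pxelinux.cfg/grub.cfg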
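# Bring /etc/platform/platform.conf in line with the bootstrap configuration.
- name: Update the management_interface in platform.conf
  lineinfile:
    path: /etc/platform/platform.conf
    # NOTE(review): the pattern is unanchored, so any line containing this
    # text is matched, not only a 'management_interface=' assignment.
    regexp: "management_interface"
    line: "management_interface=lo"

- name: Add new entries to platform.conf
  lineinfile:
    path: /etc/platform/platform.conf
    line: "{{ item }}"
  with_items:
    - "region_config={{ region_config }}"
    - "sw_version={{ software_version }}"
    - "vswitch_type=none"

- name: Ensure distributed cloud role is removed from platform.conf
  lineinfile:
    path: /etc/platform/platform.conf
    regexp: '^distributed_cloud_role'
    state: absent
  when: distributed_cloud_role == 'none'

# Matched on the key so a replay with a different role replaces the existing
# assignment rather than appending a second distributed_cloud_role line.
- name: Add distributed cloud role to platform.conf
  lineinfile:
    path: /etc/platform/platform.conf
    regexp: '^distributed_cloud_role'
    line: "distributed_cloud_role={{ distributed_cloud_role }}"
  when: distributed_cloud_role != 'none'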
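# Write the configured DNS servers to resolv.conf and drop the IPv6 loopback
# resolver entry.
- name: Update resolv.conf with list of dns servers
  lineinfile:
    path: /etc/resolv.conf
    line: "nameserver {{ item }}"
  with_items: "{{ dns_servers }}"

- name: Remove localhost address from resolv.conf
  lineinfile:
    path: /etc/resolv.conf
    # 'regexp' is the parameter name used by the other lineinfile tasks in
    # this file; the match is unanchored, so the entry is removed wherever it
    # appears on a line.
    regexp: "nameserver ::1"
    state: absent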
- name: Invalidate name service caching server
command: nscd -i hosts