summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
Diffstat (limited to 'roles')
-rw-r--r--roles/ands_kaas/tasks/file.yml18
-rw-r--r--roles/ands_kaas/templates/0-gfs-volumes.yml.j29
-rw-r--r--roles/ands_kaas/templates/6-kaas-pods.yml.j235
-rw-r--r--roles/ands_openshift/defaults/main.yml3
-rw-r--r--roles/ands_openshift/tasks/security.yml3
-rw-r--r--roles/ands_openshift/tasks/security_resources.yml54
-rw-r--r--roles/ands_openshift/tasks/users_resources.yml14
l---------roles/glusterfs/tasks/data1
-rw-r--r--roles/glusterfs/tasks/db/vols3.yml14
-rw-r--r--roles/openshift_resource/defaults/main.yml3
-rw-r--r--roles/openshift_resource/tasks/patch.yml41
11 files changed, 177 insertions, 18 deletions
diff --git a/roles/ands_kaas/tasks/file.yml b/roles/ands_kaas/tasks/file.yml
index 9a36e74..479ec68 100644
--- a/roles/ands_kaas/tasks/file.yml
+++ b/roles/ands_kaas/tasks/file.yml
@@ -1,9 +1,23 @@
---
+- name: Set group
+ set_fact: group="{{ file.group | default(kaas_project_config.file_group | default(ands_default_file_group)) }}"
+
+- name : Resolve project groups
+ set_fact: group="{{ (kaas_project_config.gids | default(ands_openshift_gids))[group].id }}"
+ when: group in ( kaas_project_config.gids | default(ands_openshift_gids) )
+
+- name: Set owner
+ set_fact: owner="{{ file.owner | default(kaas_project_config.file_owner | default(ands_default_file_owner)) }}"
+
+- name : Resolve project uids
+ set_fact: owner="{{ (kaas_project_config.uids | default(ands_openshift_uids) )[owner].id }}"
+ when: owner in ( kaas_project_config.uids | default(ands_openshift_uids) )
+
- name: "Setting up files in {{ path }}"
file:
path: "{{ path }}"
recurse: "{{ file.recurse | default(true) }}"
mode: "{{ file.mode | default( ((file.state | default('directory')) == 'directory') | ternary('0755', '0644') ) }}"
- owner: "{{ file.owner | default(kaas_project_config.file_owner) | default(kaas_default_file_owner) }}"
- group: "{{ file.group | default(kaas_project_config.file_group) | default(kaas_default_file_group) }}"
+ owner: "{{ owner }}"
+ group: "{{ group }}"
state: "{{ file.state | default('directory') }}"
diff --git a/roles/ands_kaas/templates/0-gfs-volumes.yml.j2 b/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
index a162c8b..8e5842a 100644
--- a/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
+++ b/roles/ands_kaas/templates/0-gfs-volumes.yml.j2
@@ -7,10 +7,11 @@ metadata:
descriptions: "KATRIN Volumes"
objects:
{% for name, vol in (kaas_project_config.volumes | default(kaas_openshift_volumes)).iteritems() %}
+{% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
- apiVersion: v1
kind: PersistentVolume
metadata:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
spec:
persistentVolumeReclaimPolicy: Retain
glusterfs:
@@ -22,14 +23,14 @@ objects:
capacity:
storage: {{ vol.capacity | default(kaas_default_volume_capacity) }}
claimRef:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
namespace: {{ kaas_project }}
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
- name: {{ vol.name | default(name) }}
+ name: {{ oc_name }}
spec:
- volumeName: {{ vol.name | default(name) }}
+ volumeName: {{ oc_name }}
accessModes:
- {{ vol.access | default('ReadWriteMany') }}
resources:
diff --git a/roles/ands_kaas/templates/6-kaas-pods.yml.j2 b/roles/ands_kaas/templates/6-kaas-pods.yml.j2
index 479b343..d5418d3 100644
--- a/roles/ands_kaas/templates/6-kaas-pods.yml.j2
+++ b/roles/ands_kaas/templates/6-kaas-pods.yml.j2
@@ -36,7 +36,7 @@ objects:
- apiVersion: v1
kind: Route
metadata:
- name: kaas
+ name: {{ pod.name | default(name) }}
spec:
host: {{ pod.service.host }}
to:
@@ -66,7 +66,7 @@ objects:
- apiVersion: v1
kind: DeploymentConfig
metadata:
- name: kaas
+ name: {{ pod.name | default(name) }}
spec:
replicas: {{ pod.sched.replicas | default(1) }}
selector:
@@ -93,12 +93,33 @@ objects:
{% for img in pod.images %}
{% set imgidx = loop.index %}
{% for vol in img.mappings %}
+ {% set oc_name = vol.name | default(name) | regex_replace('_','-') %}
- name: vol-{{imgidx}}-{{loop.index}}
persistentVolumeClaim:
- claimName: {{ vol.name }}
+ claimName: {{ oc_name }}
{% endfor %}
{% endfor %}
{% endif %}
+ {% if (pod.groups is defined) or (pod.run_as is defined) %}
+ securityContext:
+ {% if (pod.run_as is defined) %}
+ {% if (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as] is defined %}
+ - {{ (kaas_project_config.uids | default(kaas_openshift_uids))[pod.run_as].id }}
+ {% else %}
+ - pod.run_as
+ {% endif %}
+ {% endif %}
+ {% if (pod.groups is defined) %}
+ supplementalGroups:
+ {% for group in pod.groups %}
+ {% if (kaas_project_config.gids | default(kaas_openshift_gids))[group] is defined %}
+ - {{ (kaas_project_config.gids | default(kaas_openshift_gids))[group].id }}
+ {% else %}
+ - group
+ {% endif %}
+ {% endfor %}
+ {% endif %}
+ {% endif %}
containers:
{% for img in pod.images %}
{% set imgidx = loop.index %}
@@ -118,10 +139,12 @@ objects:
{% endif %}
{% if img.env is defined %}
env:
- {% for env_name, env_val in img.env.iteritems() %}
+ {% for env_item in img.env %}
+ {% set env_name = env_item.name %}
+ {% set env_val = env_item.value %}
{% set env_parts = (env_val | string).split('@') %}
+ - name: "{{ env_name }}"
{% if env_parts[0] == "secret" %}
- - name: {{ env_name }}
{% set env_sec = (env_parts[1] | string).split('/') %}
valueFrom:
secretKeyRef:
@@ -134,7 +157,7 @@ objects:
name: {{ env_cm[0] }}
key: {{ env_cm[1] }}
{% else %}
- value: {{ env_val }}
+ value: "{{ env_val }}"
{% endif %}
{% endfor %}
{% endif %}
diff --git a/roles/ands_openshift/defaults/main.yml b/roles/ands_openshift/defaults/main.yml
index e473b98..b97b584 100644
--- a/roles/ands_openshift/defaults/main.yml
+++ b/roles/ands_openshift/defaults/main.yml
@@ -1,4 +1,4 @@
-openshift_common_subroles: "{{ [ 'hostnames', 'users', 'storage' ] }}"
+openshift_common_subroles: "{{ [ 'hostnames', 'users', 'security', 'storage' ] }}"
openshift_heketi_subroles: "{{ [ 'ssh', 'heketi' ] }}"
openshift_all_subroles: "{{ ands_configure_heketi | default(False) | ternary(openshift_common_subroles + openshift_heketi_subroles, openshift_common_subroles) }}"
@@ -9,5 +9,6 @@ openshift_namespace: "default"
ssh_template_path: "{{ ands_paths.provision }}/ssh/"
storage_template_path: "{{ ands_paths.provision }}/gfs/"
heketi_template_path: "{{ ands_paths.provision }}/heketi/"
+ands_openshift_patch_path: "{{ ands_paths.provision }}/patch/"
openshift_storage_nodes: "{{ groups.storage_nodes | map('extract', hostvars, 'ands_storage_hostname') | list }}"
diff --git a/roles/ands_openshift/tasks/security.yml b/roles/ands_openshift/tasks/security.yml
new file mode 100644
index 0000000..b1f017b
--- /dev/null
+++ b/roles/ands_openshift/tasks/security.yml
@@ -0,0 +1,3 @@
+- include_tasks: security_resources.yml
+ run_once: true
+ delegate_to: "{{ groups.masters[0] }}"
diff --git a/roles/ands_openshift/tasks/security_resources.yml b/roles/ands_openshift/tasks/security_resources.yml
new file mode 100644
index 0000000..5644723
--- /dev/null
+++ b/roles/ands_openshift/tasks/security_resources.yml
@@ -0,0 +1,54 @@
+---
+- name: Ensure OpenShift patch directory exists
+ file: path="{{ ands_openshift_patch_path }}" state="directory" mode=0644 owner=root group=root
+
+# No spaces in patch, otherwise escaping mess...
+- name: Patch group range in project configuration
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "ns/{{ prj_item }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.supplemental-groups":"{{ands_openshift_gid_ranges[prj_item]}}"}}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ with_items: "{{ (ands_openshift_gid_ranges | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Patch uid range in project configuration
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "ns/{{ prj_item }}"
+ patch: '{"metadata":{"annotations":{"openshift.io/sa.scc.uid-range":"{{ands_openshift_uid_ranges[prj_item]}}"}}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ with_items: "{{ (ands_openshift_uid_ranges | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Restrict supplementalGroups
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "scc/restricted"
+ modes: "{{ ands_openshift_gid_mode | default({}) }}"
+ mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ patch: '{"supplementalGroups":{"type":"{{mode}}"}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ when: mode != false
+ with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
+
+- name: Configure runAsUser
+ include_role: name="openshift_resource" tasks_from="patch.yml"
+ vars:
+ project: "{{ prj_item }}"
+ resource: "scc/restricted"
+ modes: "{{ ands_openshift_uid_mode | default({}) }}"
+ mode: "{{ (modes[prj_item] is defined) | ternary(modes[prj_item], modes['ands_default'] | default(false)) }}"
+ patch: '{"runAsUser":{"type":"{{mode}}"}}'
+ patch_path: "{{ ands_openshift_patch_path }}"
+ when: mode != false
+ with_items: "{{ (ands_openshift_projects | default({})).keys() }}"
+ loop_control:
+ loop_var: prj_item
diff --git a/roles/ands_openshift/tasks/users_resources.yml b/roles/ands_openshift/tasks/users_resources.yml
index 35323cb..5bc748c 100644
--- a/roles/ands_openshift/tasks/users_resources.yml
+++ b/roles/ands_openshift/tasks/users_resources.yml
@@ -2,7 +2,9 @@
- name: Configure cluster roles
command: "oc adm policy add-cluster-role-to-user {{ item.key.split('/')[0] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
with_dict: "{{ ands_openshift_roles }}"
- when: "{{ item.key.split('/') | length == 1 }}"
+ when: key_len == "1"
+ vars:
+ key_len: "{{ item.key.split('/') | length }}"
- name: Get project list
command: "oc get projects -o json"
@@ -20,7 +22,9 @@
- name: Configure per project roles
command: "oc adm policy add-role-to-user -n {{ item.key.split('/')[0] }} {{ item.key.split('/')[1] }} {{ item.value.replace(' ','').split(',') | join(' ') }}"
with_dict: "{{ ands_openshift_roles }}"
- when: "{{ item.key.split('/') | length == 2 }}"
+ when: key_len == "2"
+ vars:
+ key_len: "{{ item.key.split('/') | length }}"
- name: Get user list
command: "oc get users -o json"
@@ -31,10 +35,12 @@
set_fact: removed_users="{{ results.stdout | from_json | json_query('items[*].metadata.name') | difference(ands_openshift_users.keys()) }}"
when: (results | succeeded)
-- name: Create missing projects
+- name: Remove user authentication
command: "oc delete identity htpasswd_auth:{{ item }}"
with_items: "{{ removed_users | default([]) }}"
-- name: Create missing projects
+- name: Remove users
command: "oc delete user {{ item }}"
with_items: "{{ removed_users | default([]) }}"
+
+
diff --git a/roles/glusterfs/tasks/data b/roles/glusterfs/tasks/data
new file mode 120000
index 0000000..31bb52e
--- /dev/null
+++ b/roles/glusterfs/tasks/data
@@ -0,0 +1 @@
+cfg \ No newline at end of file
diff --git a/roles/glusterfs/tasks/db/vols3.yml b/roles/glusterfs/tasks/db/vols3.yml
new file mode 100644
index 0000000..b1beacb
--- /dev/null
+++ b/roles/glusterfs/tasks/db/vols3.yml
@@ -0,0 +1,14 @@
+---
+- name: "Create {{ name }} volume"
+ gluster_volume:
+ state: present
+ name: "{{ name }}"
+ cluster: "{{ domain_servers | join(',') }}"
+ disperses: "3"
+ redundancies: "1"
+ bricks: "{{ glusterfs_bricks_path }}/brick-{{ name }}"
+ transport: "{{ glusterfs_transport }}"
+
+
+- name: "Start {{ name }} volume"
+ gluster_volume: state="started" name="{{ name }}"
diff --git a/roles/openshift_resource/defaults/main.yml b/roles/openshift_resource/defaults/main.yml
index ec44c4f..7994827 100644
--- a/roles/openshift_resource/defaults/main.yml
+++ b/roles/openshift_resource/defaults/main.yml
@@ -1 +1,2 @@
-template_path: "/mnt/provision/templates"
+template_path: "{{ ands_paths.provision }}/templates"
+patch_path: "{{ ands_paths.provision }}/patches" \ No newline at end of file
diff --git a/roles/openshift_resource/tasks/patch.yml b/roles/openshift_resource/tasks/patch.yml
new file mode 100644
index 0000000..e2bbcfa
--- /dev/null
+++ b/roles/openshift_resource/tasks/patch.yml
@@ -0,0 +1,41 @@
+---
+- name: Lookup the specified resource
+ command: "oc get -n '{{project}}' '{{resource}}' -o json"
+ register: orig_result
+ changed_when: 0
+
+- name: Lookup API version of the specified resource
+ command: "oc get -n '{{project}}' '{{resource}}' --template {{'{{' + '.apiVersion' + '}}'}}"
+ register: api_version
+ changed_when: 0
+
+# Fucking ansible is making mess of escaping. Main problem it parses to objects strings starting with '{ ... }', but not with ' { ... }'
+- name: Escaping patch
+ set_fact: xpatch='{{patch | to_json | regex_replace(" ","") | regex_replace("^", " ")}}'
+
+- name: Generate dummy patch {{resource}} in {{project}}
+ command: "oc patch -n '{{project}}' --patch ' {\"apiVersion\": \"{{api_version.stdout}}\"}' --local=true -f - -o json"
+ args:
+ stdin: " {{ orig_result.stdout_lines | join('') }}"
+ register: dummy_result
+ changed_when: 0
+
+- name: Generate test patch {{resource}} in {{project}}
+ command: "oc patch -n '{{project}}' --patch '{{xpatch}}' --local=true -f - -o json"
+ args:
+ stdin: " {{ orig_result.stdout_lines | join('') }}"
+ register: patch_result
+ changed_when: 0
+
+#- debug: msg="{{ dummy_result.stdout }}"
+# when: dummy_result.stdout != patch_result.stdout
+
+#- debug: msg="{{ patch_result.stdout }}"
+# when: dummy_result.stdout != patch_result.stdout
+
+- name: Patch {{resource}} in {{project}}
+ command: "oc patch -n '{{project}}' '{{resource}}' --patch '{{xpatch}}'"
+ register: result
+ changed_when: (result | succeeded)
+ when: dummy_result.stdout != patch_result.stdout
+ \ No newline at end of file