A couple of Ansible roles to configure several components of a freshly installed OpenShift cluster.

Important
None of these roles are written to be used blindly. They are provided as a POC / minimum viable option to get you kickstarted without having to put a ton of effort into figuring out exactly what needs to be done. A lot of assumptions are made, so please walk through the roles first before attempting to run them.
REQUIREMENTS:
- python3
- python modules for ansible: openshift, kubernetes
- access to the OpenShift API with a cluster-admin account

Note
If access to download python pip packages is blocked, extract the file k8s-ocp-deps.tar.gz into the home directory of the user running these plays:

    tar xzvf k8s-ocp-deps.tar.gz -C ~/
- Prepare the bastion node (ocp4 clients, httpd)

    ansible-playbook roles/prepare-bastion/apply/main.yaml

- Prepare install-config, manifests and ignition files

    ansible-playbook roles/prepare-install/apply/main.yaml --vault-password-file .vault_secret

Below is the list of Ansible roles that are available. Do check out the individual role's documentation for more information on what they do.

roles/
├── api-tls-cert
├── cluster-monitoring
├── cluster-logging
├── etcd-backup
├── image-registry
├── ingress-tls-cert
├── ldap-group-sync
├── ldap-oauth
├── project-template
├── self-provisioner
└── setup-infra
- Authenticate with the oc client to the cluster API

  These Ansible roles require an authenticated kubectl/oc session with sufficient privileges to create namespaces and install operators.

    oc login -u <cluster-admin-user> https://api.yourdomain.com

Warning
Make sure you are in the ansible directory of this repo before you run these playbooks:

    git clone https://THIS_REPO
    cd THIS_REPO
- Convert worker nodes to infra

    ansible-playbook roles/setup-infra/apply/main.yaml

- Update the infra TLS certificate and key, and move pods to infra nodes

    ansible-playbook roles/ingress-tls-cert/apply/main.yaml --vault-password-file .vault_secret

- Apply the default project request template

    ansible-playbook roles/project-template/apply/main.yaml

- Activate and update the image registry, and move pods to infra nodes

    ansible-playbook roles/image-registry/apply/main.yaml

- Move cluster monitoring resources to infra nodes

    ansible-playbook roles/cluster-monitoring/apply/main.yaml

- Set up the EFK stack

    ansible-playbook roles/cluster-logging/apply/main.yaml

- Integrate LDAP authentication

    ansible-playbook roles/ldap-oauth/apply/main.yaml --vault-password-file .vault_secret

- Integrate LDAP group synchronization

    ansible-playbook roles/ldap-group-sync/apply/main.yaml --vault-password-file .vault_secret

- Remove the self-provisioners rolebinding

    ansible-playbook roles/self-provisioner/apply/main.yaml

- Update the API TLS certificate and enable etcd encryption

    ansible-playbook roles/api-tls-cert/apply/main.yaml --vault-password-file .vault_secret

- Assign cluster roles to LDAP groups and remove kubeadmin

    ansible-playbook roles/cluster-roles/apply/main.yaml

- Set up etcd backups

    ansible-playbook setup-etcd-backup.yaml
Note
If you want to perform an etcd backup, run:

    ansible-playbook roles/etcd-backups/apply/main.yaml

Run all base roles!

    ansible-playbook day2-common.yaml --vault-password-file .vault_secret
    ansible-playbook setup-etcd-backup.yaml

Override variables for a single role, or run all roles:

    ansible-playbook roles/ROLE_NAME/apply/main.yaml
    or
    ansible-playbook day2-common.yaml --vault-password-file .vault_secret
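The role sequence above, as an added shell wrapper (example code written for this README, not part of the repository) that runs the playbooks in the documented order only after the pre-flight checks the notes ask for: that the working directory is the ansible directory of the repo, and that the current oc session can create namespaces and install operators. It assumes the role names and the .vault_secret file name used in this README; `oc auth can-i` is a standard oc subcommand. It stops at the first failing role so later roles do not run against a half-configured cluster, and `dry-run` prints the commands without executing anything.

```shell
#!/bin/sh
# Added example: runs the day-2 roles from this README in order, with
# pre-flight checks. Role names and the vault file name are those the README
# uses; this script is not part of the repository.
set -eu

VAULT_FILE="${VAULT_FILE:-.vault_secret}"

# Roles in the order the README applies them. A trailing "vault" marks the
# ones that are invoked with --vault-password-file.
ROLE_SEQUENCE='
setup-infra
ingress-tls-cert vault
project-template
image-registry
cluster-monitoring
cluster-logging
ldap-oauth vault
ldap-group-sync vault
self-provisioner
api-tls-cert vault
cluster-roles
'

# Print the exact ansible-playbook command for one role.
# $1 = role name, $2 = "vault" if the role needs the vault password file.
role_cmd() {
  cmd="ansible-playbook roles/$1/apply/main.yaml"
  if [ "${2:-}" = "vault" ]; then
    cmd="$cmd --vault-password-file $VAULT_FILE"
  fi
  printf '%s\n' "$cmd"
}

# The README warns to run from the repo's ansible directory: require the
# roles/ tree and the vault file in the directory given ($1, default ".").
check_workdir() {
  dir="${1:-.}"
  [ -d "$dir/roles" ] || { echo "missing $dir/roles (run from the ansible dir)" >&2; return 1; }
  [ -f "$dir/$VAULT_FILE" ] || { echo "missing $dir/$VAULT_FILE" >&2; return 1; }
  return 0
}

# The roles need an authenticated oc session that can create namespaces and
# install operators; check up front rather than failing halfway through.
check_login() {
  oc whoami >/dev/null 2>&1 || { echo "not logged in: run oc login first" >&2; return 1; }
  oc auth can-i create namespaces >/dev/null 2>&1 \
    || { echo "session cannot create namespaces" >&2; return 1; }
  oc auth can-i create subscriptions.operators.coreos.com -n openshift-operators >/dev/null 2>&1 \
    || { echo "session cannot install operators" >&2; return 1; }
  return 0
}

# Walk the sequence in order. With "dry-run", only print what would run.
# The here-document keeps the loop in the current shell, so "return" works.
run_sequence() {
  mode="${1:-run}"
  while read -r role flag; do
    [ -n "$role" ] || continue
    cmd=$(role_cmd "$role" "$flag")
    if [ "$mode" = "dry-run" ]; then
      printf '%s\n' "$cmd"
    else
      echo "==> $role" >&2
      $cmd || { echo "role $role failed; stopping here" >&2; return 1; }
    fi
  done <<EOF
$ROLE_SEQUENCE
EOF
}

main() {
  case "$1" in
    dry-run) run_sequence dry-run ;;
    run)     check_workdir . && check_login && run_sequence run ;;
    *)       echo "usage: $0 run|dry-run" >&2; return 2 ;;
  esac
}

# Only act when given a subcommand, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Usage: `sh day2-run.sh dry-run` to review the commands, then `sh day2-run.sh run` from the ansible directory after `oc login`. The etcd backup playbook and the post-run kubeadmin cleanup are deliberately left out of the sequence, since the README runs them separately.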
Important
After running playbook 12 (cluster-roles), you need to log in with your LDAP credentials and perform the following steps to clean up old references to kubeadmin and the old API certs:

    rm -rf ~/.kube
    unset KUBECONFIG
    oc login https://api.REPLACE-ENV.example.com:6443 -u YOUR_USER