Skip to content

Commit

Permalink
add ocne vlan deployment
Browse files Browse the repository at this point in the history
  • Loading branch information
@bgraef
bgraef committed Jul 9, 2024
1 parent 94573c1 commit 7dc4a62
Show file tree
Hide file tree
Showing 3 changed files with 365 additions and 2 deletions.
1 change: 1 addition & 0 deletions ocne/default_vars.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ debug_enabled: false
ocne_type: quick
use_ocne_full: false
use_lb: false
use_int_lb: false
oci_ccm_bash: false
use_oci_ccm: false
use_istio: false
Expand Down
363 changes: 363 additions & 0 deletions ocne/deploy_ocne_vlan.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,363 @@
---
# Copyright (c) 2024 Oracle and/or its affiliates.
# This software is made available to you under the terms of the Universal Permissive License (UPL), Version 1.0.
# The Universal Permissive License (UPL), Version 1.0 (see COPYING or https://oss.oracle.com/licenses/upl)
# See LICENSE.TXT for details.

- name: OCNE OS pre-installation steps
hosts: operator,controlplane,worker
become: true
vars_files:
- default_vars.yml
- oci_vars.yml

tasks:

# SELinux for iptables
# https://bugzilla.redhat.com/show_bug.cgi?id=2008097

- name: Write cil selinux policy file
ansible.builtin.shell: |
echo '(allow iptables_t cgroup_t (dir (ioctl)))' > /home/{{ username }}/local_iptables.cil
register: result
changed_when: result.rc == 0

- name: Add selinux module
ansible.builtin.shell: |
semodule -i /home/{{ username }}/local_iptables.cil
register: result
changed_when: result.rc == 0

- name: Setup olcne ol8 repos
ansible.builtin.include_tasks: ol8_repo_config.yml
when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '8'

- name: Setup olcne ol9 repos
ansible.builtin.include_tasks: ol9_repo_config.yml
when: ansible_distribution == 'OracleLinux' and ansible_distribution_major_version == '9'

- name: Install chrony
ansible.builtin.dnf:
name: chrony
state: present

- name: Enable chrony service
ansible.builtin.systemd_service:
name: chronyd
state: started
enabled: true

- name: Disable swap
ansible.builtin.shell: |
swapoff -a
register: disable_swap
changed_when: disable_swap.rc == 0

- name: Disable swap in fstab
ansible.builtin.replace:
path: /etc/fstab
regexp: '^([^#].*?\sswap\s+sw\s+.*)$'
replace: '# \1'

- name: OCNE installation steps
hosts: operator
become: true
vars_files:
- default_vars.yml
- oci_vars.yml

vars:
operator_nodes: "{{ groups['operator'] | map('extract', hostvars, ['ansible_ens5', 'ipv4', 'address']) | join(',') }}"
control_nodes: "{{ groups['controlplane'] | map('extract', hostvars, ['ansible_ens5', 'ipv4', 'address']) | join(',') }}"
worker_nodes: "{{ groups['worker'] | map('extract', hostvars, ['ansible_ens5', 'ipv4', 'address']) | join(',') }}"
all_nodes: "{{ operator_nodes + ',' + control_nodes + ',' + worker_nodes }}"

tasks:

- name: Print OCI compartment_ocid
ansible.builtin.debug:
msg: OCI compartment OCID is {{ my_compartment_id }}
when: debug_enabled

- name: Print OCI vcn_ocid
ansible.builtin.debug:
msg: OCI vcn OCID is {{ my_vcn_id }}
when: debug_enabled

- name: Print OCI lb_subnet_ocid
ansible.builtin.debug:
msg: OCI lb_subnet OCID is {{ my_subnet_id }}
when: debug_enabled

- name: Print vcn subnet_domain_name
ansible.builtin.debug:
msg: OCI Subnet Domain Name is {{ my_subnet_domain_name }}
when:
- debug_enabled

- name: Print string of all operator nodes comma separated
ansible.builtin.debug:
msg: "{{ operator_nodes }}"
when:
- debug_enabled

- name: Print string of all control plane nodes comma separated
ansible.builtin.debug:
msg: "{{ control_nodes }}"
when:
- debug_enabled

- name: Print string of all worker nodes comma separated
ansible.builtin.debug:
msg: "{{ worker_nodes }}"
when:
- debug_enabled

- name: Print string of all nodes comma separated
ansible.builtin.debug:
msg: "{{ all_nodes }}"
when:
- debug_enabled

- name: Add compartment variable to .bashrc
ansible.builtin.blockinfile:
dest: /home/oracle/.bashrc
block: |
export COMPARTMENT_OCID={{ my_compartment_id }}
export LC_ALL=C.UTF-8
export LANG=C.UTF-8
insertafter: EOF
owner: "{{ username }}"

- name: Install oci-cli on ol8
ansible.builtin.dnf:
name: ['python36-oci-cli', 'jq']
enablerepo: ol8_developer
state: present
when:
- ansible_facts['distribution'] == "OracleLinux"
- ansible_facts['distribution_major_version'] == "8"

- name: Install oci-cli on ol9
ansible.builtin.dnf:
name: ['python39-oci-cli', 'jq']
state: present
when:
- ansible_facts['distribution'] == "OracleLinux"
- ansible_facts['distribution_major_version'] == "9"

- name: Add operator firewall rules
ansible.posix.firewalld:
port: 8091/tcp
permanent: true
state: enabled
immediate: true

- name: Add control plane firewall rules
ansible.posix.firewalld:
port: "{{ item[1] }}"
permanent: true
state: enabled
immediate: true
delegate_to: "{{ item[0] }}"
loop: "{{ groups['controlplane'] | product(['2379/tcp', '2380/tcp', '6443/tcp', '8090/tcp', '8472/udp', '10250/tcp', '10255/tcp', '10251/tcp', '10252/tcp']) | list }}"

- name: Add firewall rules for internal lb
when: use_int_lb
block:
- name: Add internal lb firewall rule
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
immediate: true
with_items:
- 6444/tcp

- name: Add vrrp firewall rule
ansible.builtin.shell: |
firewall-cmd --add-protocol=vrrp --zone=public --permanent
firewall-cmd --reload
register: vrrp_firewall
changed_when: vrrp_firewall.rc == 0

- name: Add worker firewall rules
ansible.posix.firewalld:
port: "{{ item[1] }}"
permanent: true
state: enabled
immediate: true
delegate_to: "{{ item[0] }}"
loop: "{{ groups['worker'] | product(['8090/tcp', '10250/tcp', '10255/tcp', '8472/udp']) | list }}"

- name: Add cni0 firewall rule
ansible.posix.firewalld:
zone: trusted
interface: cni0
permanent: true
state: enabled
immediate: true
delegate_to: "{{ item }}"
loop: "{{ (groups['controlplane'] + groups['worker']) }}"

- name: Load br_netfilter module
community.general.modprobe:
name: br_netfilter
state: present
delegate_to: "{{ item }}"
loop: "{{ (groups['controlplane'] + groups['worker']) }}"

- name: Ensure br_netfilter module loads on boot
ansible.builtin.shell: |
echo "br_netfilter" > /etc/modules-load.d/br_netfilter.conf
delegate_to: "{{ item }}"
loop: "{{ (groups['controlplane'] + groups['worker']) }}"
register: load_netfilter
changed_when: load_netfilter.rc == 0

- name: Disable docker and containerd services
ansible.builtin.systemd_service:
name: "{{ item[1] }}"
state: stopped
enabled: false
when: ansible_facts.services['docker.service'] is defined or ansible_facts.servcices['containerd.service'] is defined
delegate_to: "{{ item[0] }}"
loop: "{{ (groups['controlplane'] + groups['worker']) | product(['docker.service', 'containerd.service']) | list }}"

- name: Install olcne packages on operator
ansible.builtin.dnf:
name:
- olcnectl
- olcne-api-server
- olcne-utils
state: present

- name: Install olcne packages on control plane and worker
ansible.builtin.dnf:
name:
- olcne-utils
- olcne-agent
state: present
delegate_to: "{{ item }}"
loop: "{{ (groups['controlplane'] + groups['worker']) }}"

- name: Check if OCNE provisioned
ansible.builtin.stat:
path: ~/.ocne-provisioned
become: true
become_user: "{{ username }}"
register: ocne_provision

- name: Enable olcne api-server and agent service
ansible.builtin.systemd_service:
name: olcne-api-server
state: stopped
enabled: true
when: not ocne_provision.stat.exists

- name: Enable olcne api-server and agent service
ansible.builtin.systemd_service:
name: olcne-agent
state: stopped
enabled: true
when: not ocne_provision.stat.exists
delegate_to: "{{ item }}"
loop: "{{ (groups['controlplane'] + groups['worker']) }}"

- name: Add user to olcne group
ansible.builtin.user:
name: "{{ username }}"
groups: olcne
append: true

- name: Reset ssh connection to allow user changes to affect 'current login user'
ansible.builtin.meta: reset_connection

- name: Check if OCNE provisioned
ansible.builtin.stat:
path: ~/.ocne-provisioned
become: true
become_user: "{{ username }}"
register: ocne_provision

- name: Create Certificates for Kubernetes Nodes
ansible.builtin.shell: |
olcnectl certificates distribute --cert-dir ~/certificates/ --nodes {{ all_nodes }}
become: true
become_user: "{{ username }}"
when: not ocne_provision.stat.exists
register: create_certs
changed_when: create_certs.rc == 0

- name: Create Certificates for the Platform CLI
ansible.builtin.shell: |
olcnectl certificates generate --nodes {{ operator_nodes }},127.0.0.1 \
--cert-dir ~/.olcne/certificates/{{ operator_nodes }}:8091/ \
--byo-ca-cert ~/certificates/ca/ca.cert \
--byo-ca-key ~/certificates/ca/ca.key \
--one-cert
become: true
become_user: "{{ username }}"
when: not ocne_provision.stat.exists
register: create_certs
changed_when: create_certs.rc == 0

- name: Copy CA Certificate for the Platform CLI
ansible.builtin.copy:
src: ~/certificates/ca/ca.cert
dest: ~/.olcne/certificates/ocne-operator:8091/ca.cert
remote_src: true
mode: "0644"
become: true
become_user: "{{ username }}"
when: not ocne_provision.stat.exists

# - name: Workaround for permissions on certificate files due to Ansible
# ansible.builtin.file:
# path: '/etc/olcne/certificates/{{ item }}.cert'
# mode: '0640'
# loop:
# - node
# - ca
# when: not ocne_provision.stat.exists

- name: Start OLCNE API Server with Certificate
ansible.builtin.shell: |
/etc/olcne/bootstrap-olcne.sh --secret-manager-type file --olcne-component api-server
when: not ocne_provision.stat.exists
register: start_api_server
changed_when: start_api_server.rc == 0

- name: Start OLCNE Agent with the Certificates
become: true
ansible.builtin.shell: |
/etc/olcne/bootstrap-olcne.sh --secret-manager-type file --olcne-component agent
delegate_to: "{{ item }}"
loop: "{{ ((range(groups['controlplane'] | length - empty_cp_nodes | int) | map('extract', groups['controlplane']) | list) + (range(groups['worker'] | length - empty_wrk_nodes | int) | map('extract', groups['worker']) | list)) }}"
when: not ocne_provision.stat.exists
register: start_agent
changed_when: start_agent.rc == 0

- name: Create Certificates for ExternalIPs service
ansible.builtin.shell: |
olcnectl certificates generate \
--nodes externalip-validation-webhook-service.externalip-validation-system.svc,externalip-validation-webhook-service.externalip-validation-system.svc.cluster.local \
--cert-dir /home/{{ username }}/certificates/restrict_external_ip/ \
--byo-ca-cert /home/{{ username }}/certificates/ca/ca.cert \
--byo-ca-key /home/{{ username }}/certificates/ca/ca.key \
--one-cert
become: true
become_user: "{{ username }}"
when: not ocne_provision.stat.exists
register: create_ext_certs
changed_when: create_ext_certs.rc == 0

- name: Copy CA Certificate for the ExternalIP service
ansible.builtin.copy:
src: ~/certificates/ca/ca.cert
dest: ~/certificates/restrict_external_ip/ca.cert
remote_src: true
mode: "0644"
become: true
become_user: "{{ username }}"
when: not ocne_provision.stat.exists
3 changes: 1 addition & 2 deletions ocne/host_setup.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -125,8 +125,7 @@
{{ hostvars[item].ansible_hostname }},\
{{ hostvars[item].ansible_default_ipv4.address }},\
{{ hostvars[item].ansible_hostname + '.' + my_subnet_domain_name }} >> ~/.ssh/known_hosts
with_items:
- "{{ groups['all'] }}"
loop: "{{ groups['all'] | flatten(levels=1) }}"
become: true
become_user: "{{ username }}"
register: result
Expand Down

0 comments on commit 7dc4a62

Please sign in to comment.