gnuthought / ansible-role-openshift-provision

Provision OpenShift resources with Ansible

openshift-provision

An Ansible role for provisioning resources within OpenShift clusters.

This role provides comprehensive OpenShift cluster resource provisioning using a declarative variable structure with multi-level resource definition lookups and template automation.

The openshift-provision ansible role may be used either directly or through the containerized deployment pattern provided by the openshift-provision-manager.

Project Goals

Management of OpenShift resources should be:

Contact

Whether looking to contribute or just looking for some info, you can find us on ...

Slack: https://gnuthought.slack.com/messages/openshift-provision/

Trello: https://trello.com/b/icRRuDUS/openshift-provision

Installation

ansible-galaxy install https://github.com/gnuthought/ansible-role-openshift-provision/archive/master.tar.gz#/openshift_provision

Requirements

OpenShift 3.4, 3.5, 3.7, 3.9, 3.10, 3.11, & 4.0

ansible 2.4+ with Python 2.7+

A host with the oc command to run from.

Usage

The openshift_provision role may be run from any host that has the oc command and access to the cluster with sufficient privileges to provision the resources specified in the calling playbook. For provisioning base cluster configuration it is recommended to run openshift_provision from a master node immediately following OpenShift cluster installation. For provisioning application projects and resources it is recommended to use another host, authenticating with a service account token. Username and password login is supported with the openshift_login module. The host processing the openshift_provision role must have the oc command and the Python JMESPath module, which the json_query ansible filter requires.

If this role is called with an openshift_resource_definition file variable, it will read its variables from the file specified.

Role Variables

openshift_provision or openshift_clusters[*]

Top level definition of how to manage a cluster:

openshift_provision.cluster_resources or openshift_clusters[*].cluster_resources

Cluster resources are the first items processed during provisioning. This is a list of OpenShift resource definitions that are created/updated using the oc command. The default action is oc apply, but it may be overridden by setting "metadata.annotations.openshift-provision/action" on the resource. Values for action may be:

Apart from the action annotation, all other fields follow the OpenShift resource definition standards. Every resource must define metadata.name.

cluster_role_bindings

List of cluster role assignments. Each entry is a dictionary containing:

groups

List of OpenShift groups to manage

process_templates

List of templates to process to manage resources for the cluster. The items list produced by processing each template is parsed, and each resource in that list is then processed by openshift_provision.

projects

projects[*].process_templates

List of templates to process to manage resources within the project. The items list produced by processing each template is parsed, and each resource in that list is then processed by openshift_provision.

projects[*].resources

This is a list of OpenShift resource definitions that are created/updated in a project using the oc command. The default action is oc apply, but it may be overridden by setting the annotation "openshift-provision/action" within the resource. Values for action are the same as described above for cluster_resources. The annotation "openshift-provision/patch-type" may be used together with the "patch" action.
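As an added example (not taken from the project's README), the following projects[*].resources list shows the action override described above for both cluster_resources and projects[*].resources: the first entry is handled with the default oc apply, the second is switched to the patch action through the openshift-provision/action annotation. The patch-type value "merge" is an assumption modelled on the oc patch --type values; the page itself does not list the accepted patch types.

```yaml
projects:
- name: app-dev
  resources:
  # No action annotation: the role processes this entry with the default
  # "oc apply", creating or updating the whole object.
  - apiVersion: v1
    kind: ConfigMap
    metadata:
      name: app-config
    data:
      LOG_LEVEL: info
  # The action annotation overrides the default: the role patches the
  # existing object with the fields given here instead of applying a
  # complete definition.
  - apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: jenkins
      annotations:
        openshift-provision/action: patch
        # Assumed value: patch types are taken to mirror "oc patch --type".
        openshift-provision/patch-type: merge
      labels:
        managed-by: openshift-provision
```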

projects[*].role_bindings

List of project role assignments. Each entry is a dictionary containing:

helm_charts

Helm charts are supported as a means of templating resources into the cluster. Helm support is provided without tiller and without helm lifecycle hooks; only fetching and templating helm charts is supported. If full helm lifecycle management is required, openshift-provision may be used to deploy tiller into the cluster.

The value of helm_charts should be a list of dictionaries where each dictionary contains:

resources

List of OpenShift project resources to create. Declaration is the same as specified above for projects[*].resources, with the addition that each entry here must specify metadata.namespace to select the target project for the resource.

Example Playbook with Provisioning by Role Variables

- hosts: masters[0]
  roles:
  - role: openshift_provision
    openshift_resource_definition: ocp-resources/app.yml

Example resources file:

openshift_provision:
  connection:
    server: https://openshift-master.libvirt:8443
    token: abcdefghijklmnopqrstuvwxyz0123456798...

  cluster_resources:
  - apiVersion: v1
    kind: ClusterRole
    metadata:
      creationTimestamp: null
      name: network-joiner
    rules:
    - apiGroups:
      - network.openshift.io
      - ""
      attributeRestrictions: null
      resources:
      - netnamespaces
      verbs:
      - create
      - delete
      - get
      - list
      - update
    - apiGroups:
      - ""
      attributeRestrictions: null
      resources:
      - namespaces
      - projects
      verbs:
      - get
      - list
    - apiGroups:
      - network.openshift.io
      - ""
      attributeRestrictions: null
      resources:
      - clusternetworks
      verbs:
      - get
  - apiVersion: v1
    kind: ClusterResourceQuota
    metadata:
      creationTimestamp: null
      name: serviceaccount-app-jenkins
    spec:
      quota:
        hard:
          limits.cpu: "10"
          limits.memory: 20Gi
          requests.cpu: "5"
          requests.memory: 20Gi
      selector:
        annotations:
          openshift.io/requester: system:serviceaccount:app-dev:jenkins
        labels: null
  - apiVersion: v1
    kind: PersistentVolume
    metadata:
      creationTimestamp: null
      labels:
        foo: bar
      name: nfs-foo
    spec:
      accessModes:
      - ReadWriteMany
      capacity:
        storage: 10Gi
      nfs:
        path: /export/foo
        server: nfsserver.example.com
      persistentVolumeReclaimPolicy: Retain

  cluster_role_bindings:
  - role: self-provisioner
    users:
    - system:serviceaccount:app-dev:jenkins
  - role: network-joiner
    users:
    - system:serviceaccount:app-dev:jenkins
    groups:
    - app-admin
    remove_unlisted: true

  groups:
  - name: app-admin
    remove_unlisted_members: true
    members:
    - alice
    - bob

  projects:
  - name: app-dev
    description: Application Description
    display_name: Application Name
    labels:
      application: appname
    node_selector: region=app

    process_templates:
    - name: httpd-example
      namespace: openshift
      parameters:
        SOURCE_REPOSITORY_URL: https://github.com/openshift/httpd-ex.git

    resources:
    - apiVersion: v1
      kind: ResourceQuota
      metadata:
        name: compute
      spec:
        hard:
          requests.cpu: "10"
          requests.memory: "50Gi"
          limits.cpu: "20"
          limits.memory: "50Gi"
    - apiVersion: v1
      kind: LimitRange
      metadata:
        name: compute
      spec:
        limits:
        - type: Pod
          min:
            cpu: 50m
            memory: 4Mi
          max:
            cpu: "2"
            memory: 5Gi
        - type: Container
          min:
            cpu: 50m
            memory: 4Mi
          max:
            cpu: "2"
            memory: 5Gi
          default:
            cpu: "1"
            memory: 1Gi
          defaultRequest:
            cpu: 200m
            memory: 1Gi

    role_bindings:
    - role: admin
      groups: app-admin
      remove_unlisted: true
    - role: edit
      users:
      - system:serviceaccount:app-dev:jenkins
      remove_unlisted_users: true
    - role: view
      groups:
      - app-developer

    service_accounts:
    - jenkins

Example Playbook Provisioning with the openshift_provision Module

- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    openshift_connection:
      server: "{{ openshift_connection_server }}"
      token: "{{ openshift_connection_token }}"
  roles:
  - role: openshift_provision

  tasks:
  - name: Provision BuildConfig
    openshift_provision:
      connection: "{{ openshift_connection }}"
      namespace: example-project
      resource:
        apiVersion: v1
        kind: BuildConfig
        metadata:
          name: test-buildconfig
        spec:
          nodeSelector: null
          output:
            to:
              kind: ImageStreamTag
              name: testbuild:latest
          postCommit: {}
          resources: {}
          runPolicy: Serial
          source:
            git:
              uri: https://nosuch.example.com/blah.git
            type: Git
          strategy:
            sourceStrategy:
              from:
                kind: ImageStreamTag
                name: httpd:2.4
                namespace: openshift
            type: Source
          triggers: []

Example Playbook Provisioning with the openshift_provision Module and Login

- hosts: localhost
  connection: local
  gather_facts: no
  vars:
    openshift_connection:
      server: "{{ openshift_connection_server }}"
      token: "{{ openshift_connection_token }}"
  roles:
  - role: openshift_provision

  tasks:
  - name: Login to OpenShift Cluster
    openshift_login:
      username: username
      password: password
      server: https://openshift-master.libvirt
      # Skips verification of the API server certificate.
      insecure_skip_tls_verify: "true"
    register: openshift_login

  - name: Provision Resource
    openshift_provision:
      connection: "{{ openshift_login.session }}"
      resource:
        apiVersion: v1
        kind: PersistentVolumeClaim
        metadata:
          name: test-persistentvolumeclaim
          labels:
            testlabel: bar
        spec:
          accessModes:
          - ReadWriteOnce
          resources:
            requests:
              storage: 1Gi

License

BSD

Author Information

Johnathan Kupferer (jkupfere@redhat.com)