Initial Push of Azure Ansible Ref Arch Tempaltes

[glennswest]

Significant Changes:

1. Change ose_pv_create.sh to be transparently encoded in store.sh
2. Removed Centos Image selection - Origin script did not support centos
3. Fixed external reference to ssh config and made it internal
4. Fixed spelling and branding issues
5. Created automated script to fix pathing issues - Should reduce pathing issues on pull
6. Added additional attribution.

Architecture

1. Each VM type has qty 1 ARM (Azure Resource Manager) Template and qty 1 bash script,
   all other scripts, playbooks etc are created within the 1 script. Part of this is based on the way
   Azure Linux Extensions work, and the rest is done for transparency.

[openshift-bot]

Can one of the admins verify this patch?
I understand the following comments:

• bot, add author to whitelist
• bot, test pull request
• bot, test pull request once

[openshift-bot]

Can one of the admins verify this patch?

[openshift-bot]

Can one of the admins verify this patch?
I understand the following comments:

• bot, add author to whitelist
• bot, test pull request
• bot, test pull request once

[cooktheryan]

Do you want to try to migrate to the common validation playbooks here? Less work to maintain and closer to the ansible migration

[glennswest]

not at this point, as I want to tech freeze and get doc finished. Then can add lots of value I have already got hooks for 3.5 release.

[cooktheryan]

Should we ship 7.3 due to the requirements for OpenShift 3.4

[cooktheryan]

If worried about ocp 3.3 on rhel we shipped it about a month ago on aws with no issues

[glennswest]

Not there yet. This is currently 3.3. So when 3.4 comes, so will only change at becomes available. So not changable till then.

[glennswest]

ok, 7.3 is available will change.

[cooktheryan]

Probably just a small NIT but maybe change the var to RHSM rather than RHN. It should make retro fitting to common plays easier.

[glennswest]

this is actually a variable between ARM template and the bash template. Has no material effect.

[themurph]

You are correct that the prefixing your credential variables with RHN has no material effect in this case, however, the reasoning behind @cooktheryan's Agile based suggestion of standardizing the credential variables by using the prefix RHSM over RHN, will go a long way in insuring that future refactoring efforts will be less painful. I'm certain that @cooktheryan wasn't trying to single you out in this comment, the avoidance of creating technical debt right from the start is very relevant and needs all of our attention. Standardizing these common variables is something we, as a team, all need to work together on. We could tack this on to #117 or create a new issue, but either way, doing the work up front will pay dividends in the future. /cc @dav1x @markllama @scollier

[cooktheryan]

+1 since the vmware and gce plays all used the same var names it has made #126 that much easier. The common vars also allowed for me to use all the same plays regardless of provider which is our end goal in getting this work productized.

[cooktheryan]

Will you be proxying access to the cockpit UI through the bastion?

[glennswest]

Yes.

[cooktheryan]

Have you tested failing the mail step? The reason why I ask is that it would be a bummer if the installation hung just due to an email. Also, is the email portion required or optional? Could it be configured to be optional if it is currently required?

[glennswest]

Yes. Many times. It runs fine without the mail even being there. (In early I faced that quite a few times, so its safe)

[cooktheryan]

Might be worth adding this in as well
DATA_SIZE=95%VG
EXTRA_DOCKER_STORAGE_OPTIONS="--storage-opt dm.basesize=3G"

The extra storage options will help with quota and I can't remember right. Also, Im not sure how much space of the vg that is created is used. It might be worth testing or providing a value.

[glennswest]

Will remove docker support from bastion.

[cooktheryan]

Will you need docker on the bastion?

[glennswest]

There is support there for it, but at the moment no.

[glennswest]

will remove docker support from bastion.

[cooktheryan]

I wouldn't do HTPasswd esp if we are multi-master. You should be able to borrow gmail, github, or ldap creds from one of the completed archs

[glennswest]

Actually plan is HTPASSWD is "emergency login", Ive done the work for keycloak already, and will be the auth solution. This has been the strategy since day one. With keycloak everything can be integrated. I've done initial testing with it, Im only missing the auto setup of the providers.

[cooktheryan]

@detiber I think you had a comment about this before but i can't remember if there was a resolution

[glennswest]

I did test this, and everything appears to be working. Did read thru the docs, and far as I can tell, everything is functional. So its technical risk at this port to change it.

[cooktheryan]

are these hard coded domains correct?

[glennswest]

Yes, and working. And mandated via azure. Supports multiple clusters, driven by resource group.

[cooktheryan]

Is there a play that sets the domain for a customers domain?

[glennswest]

First, we do give them a change to specify one within the Azure naming conventions. Then its full auto. If they want a totally separate DNS server or domain outside, they can manually add it.

[cooktheryan]

You should be able to scale router and registry here based off of the amount of infra nodes you have

[glennswest]

Can consider in the future, as I need to look has to get this to happen.

[cooktheryan]

Should probably provide a default node selector

[cooktheryan]

Im not sure if region is the best naming for the labels. I think once we move to multi-region or more federated deployments region may be used to show the location of the nodes geographically. Most of the providers used role rather than region. As for the node label rather than primary we used app. Completely optional on the primary vs app but keeps the arks rather in sync.

[glennswest]

can change the nodes to "app" if you think thats sensible. The above is based on documentation, so which is better, stick to doc, or copy other providers?

[cooktheryan]

I believe in the previous PR @detiber had suggested serial during the registration process. If not. This should probably be in some sort of serial format just to prevent a herd trying to register all at once.

[glennswest]

actually the subscription with retry that I've implemented is solid, with large number of tests, that no matter what I'd get failures till I did the retry logic. With the retry logic its very solid and works every time. So going serial and without the retries would signficantly increase failures and "bad" days where it just didnts work.

Also there are issues in subscribe ansible module that are new in ansible 2.1

[themurph]

Glenn, can you point to or create a BZ for this issue. There are hundreds of people who rely on the official "Subscription Manager" module, so if you have a reproducible bug, make sure to at least report it or even better, submit a patch.

[cooktheryan]

Rather than using shell for all of the repos I would suggest using the already used playbooks/roles/rhsm-repos/tasks/main.yaml

[glennswest]

this was changed due to ansible problems.

[cooktheryan]

Probably not required as this should be taken care of during the install on all hosts except the bastion

[glennswest]

found it useful for checkout and debug, as it was not happening.

[cooktheryan]

I would potentially add in NetworkManager installation and the starting and enabling

[glennswest]

It is installed in all the hosts except bastion.
So is there a requirement on the bastion host?

[cooktheryan]

no it will not be required

[cooktheryan]

Is it possible to cloud init this task?

[glennswest]

Actually potentially could move this into per node scripts, but ansible does seem to do it fine.

[cooktheryan]

Definitely look towards another auth

[cooktheryan]

This may be answered later on but is 22 allowed only from the bastion or 22 allowed from both internal and external to the infra nodes?

[glennswest]

22 only from bastion host.

[cooktheryan]

I dont think you need these packages as the installer should take care of docker and possibly any other items.

[glennswest]

THis is recommended from the doc. https://docs.openshift.com/container-platform/3.3/install_config/install/host_preparation.html

So how do u want to handle?

[cooktheryan]

I believe these packages are only in required for the host performing the installation. If you check out the aws plays we don't actually install those packages.

[cooktheryan]

Id let the installer handle storage setup and the enabling of docker. This may be a good location though to do you mounts

[glennswest]

This is from the documentation, plus the 3G was recommended in a prevous commit.
How to handle the difference?

[cooktheryan]

Maybe it was a bad comment line. I would just remove the step of actually running docker-storage-setup yourself

[cooktheryan]

Could you just re-use the existing ansible items from above here?

[glennswest]

Note the intention of doing it here, was to get the logging host up so it could provide logging before everything is ready. For the moment I'm deleting logging host.

[cooktheryan]

I feel like master 22 access should be limited from the the bastion only

[glennswest]

Funny, it should be the same as infra, will dig and figure out why.

[cooktheryan]

Im not sure how azure handles vips but is it possible to use 443, the console_port variable at install time, and set the vip to use 443 as well? Just to use standard ports I remember how relieved i was to move from 8443 to 443

[cooktheryan]

@glennswest will this be possible to change?

[themurph]

I won't block on this, but please consider standardizing the port for the same reasons as stated above #125 (comment)

[glennswest]

At this point, I've processed the list of suggestions, with the following exceptions:

1. Follow Azure Practice of one customization script per node type - ie embedded scripts.
2. I've left the way the ssmtp package is pulled, as its RedHat best practice to allow updates, the suggested change would hard-code a single version, which is not required technically.
3. Fix some png images that may be done in a better way. (Windows ssh generation).

On the commit on auth: It will be done shortly in keycloak, but is out of scope for this commit.

[themurph]

@glennswest Great job on refactoring, resolving, answering, and pushing out all these requests for changes. Approving and merging.