diff --git a/reference-architecture/gce-ansible/README.md b/reference-architecture/gce-ansible/README.md
index 3b118876d..240e5d761 100644
--- a/reference-architecture/gce-ansible/README.md
+++ b/reference-architecture/gce-ansible/README.md
@@ -27,17 +27,3 @@ ansible-playbook -e 'public_hosted_zone=ocp.example.com \
 gce_network_name=ocp-network' \
 playbooks/openshift-install.yaml
 ```
-
-## Verification and demo application
-
-To verify the deployment works properly, run the `validation.yaml` playbook. To deploy simple demo application, use the `demo.yaml` playbook.
-
-```
-ansible-playbook -e 'openshift_master_cluster_public_hostname=\
-openshift-master.ocp.example.com \
- openshift_master_cluster_hostname=\
-internal-openshift-master.ocp.example.com \
- wildcard_zone=apps.ocp.example.com \
- console_port=443' \
- playbooks/validation.yaml
-```
diff --git a/reference-architecture/gce-ansible/playbooks/openshift-install.yaml b/reference-architecture/gce-ansible/playbooks/openshift-install.yaml
index c2df79a62..c2c3b006a 100644
--- a/reference-architecture/gce-ansible/playbooks/openshift-install.yaml
+++ b/reference-architecture/gce-ansible/playbooks/openshift-install.yaml
@@ -52,3 +52,5 @@
 gather_facts: no
 roles:
 - openshift-registry
+
+- include: validation.yaml
diff --git a/reference-architecture/gce-ansible/playbooks/openshift-setup.yaml b/reference-architecture/gce-ansible/playbooks/openshift-setup.yaml
index 232378e9d..eac77a1f7 100644
--- a/reference-architecture/gce-ansible/playbooks/openshift-setup.yaml
+++ b/reference-architecture/gce-ansible/playbooks/openshift-setup.yaml
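Review bot: `- include: validation.yaml` makes the demo-app validation part of every install with no variable or tag to skip it, while the README hunk in this same commit removes the instructions for running it separately. The included play (the validate-app role later in this diff) builds a `cakephp-example` application from a template and then deletes the project, which is not something every production install should do unconditionally. Keeping the default but letting operators opt out is a small change, e.g. adding `tags: [validation]` under the include so `--skip-tags validation` bypasses it; a one-line comment above the include stating that it deploys and removes a throwaway demo project would also make the intent clear to readers of openshift-install.yaml.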
@@ -37,14 +37,13 @@
 osm_default_node_selector: "role=app"
 openshift_deployment_type: openshift-enterprise
 openshift_master_identity_providers:
- - name: github
- kind: GitHubIdentityProvider
+ - name: google
+ kind: GoogleIdentityProvider
 login: true
 challenge: false
 mapping_method: claim
- clientID: e76865557b0417387b35
- clientSecret: a2439464495d6b579d25f46dd51eb05a170e7e59
- organizations:
- - openshift
+ clientID: xxx-yyy.apps.googleusercontent.com
+ clientSecret: zzz
+ hostedDomain: example.com
 osm_use_cockpit: false
 containerized: false
diff --git a/reference-architecture/gce-ansible/playbooks/roles/validate-app/tasks/main.yaml b/reference-architecture/gce-ansible/playbooks/roles/validate-app/tasks/main.yaml
index 9c6871228..e1cfcfb9a 100644
--- a/reference-architecture/gce-ansible/playbooks/roles/validate-app/tasks/main.yaml
+++ b/reference-architecture/gce-ansible/playbooks/roles/validate-app/tasks/main.yaml
@@ -1,19 +1,23 @@
 ---
+- name: Gather facts
+ openshift_facts:
+ role: common
+
 - name: Create the validation project
- command: oc new-project validate
+ command: "{{ openshift.common.client_binary }} new-project validate"
 - name: Create Hello world app
- shell: oc new-app --template cakephp-example
+ shell: "{{ openshift.common.client_binary }} new-app --template cakephp-example"
 - name: Wait for build to complete
- shell: oc get pod | grep -v deploy | awk '/cakephp-example-1-build/{ print $3 }'
+ shell: "{{ openshift.common.client_binary }} get pod | grep -v deploy | awk '/cakephp-example-1-build/{ print $3 }'"
 register: build_output
 until: build_output.stdout | search("Completed")
 retries: 30
 delay: 15
 - name: Wait for App to be running
- shell: oc get pod | grep -v deploy | grep -v build | awk '/cakephp-example-1-*/{print $3}'
+ shell: "{{ openshift.common.client_binary }} get pod | grep -v deploy | grep -v build | awk '/cakephp-example-1-*/{print $3}'"
 register: deployer_output
 until: deployer_output.stdout | search("Running")
 retries: 30
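Review bot: The `clientID`/`clientSecret` pair this hunk removes looks like a live GitHub OAuth credential, and replacing it in the working tree does not remove it from repository history, so it should be treated as exposed and revoked on the GitHub application side. On the new side, `clientSecret: zzz` is a placeholder that invites users to paste a real secret into a tracked playbook; reading it from an extra-var or vault value instead, e.g. `clientSecret: "{{ google_oauth_client_secret }}"` (variable name illustrative), keeps it out of the file. A comment above the list saying that `hostedDomain` restricts logins to that Google domain would also help, since the config.sh.example hunk documents that only in its own copy of the provider.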
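Review bot: Both rewritten `shell:` wait tasks still recover the pod status by piping `get pod` through `grep -v` and `awk`, which breaks on any change to the tabular output, and because `until:` only looks for `Completed`, a failed build keeps retrying until all 30 attempts are exhausted before the play fails. Querying the phase directly, e.g. `shell: "{{ openshift.common.client_binary }} get pod cakephp-example-1-build -o jsonpath='{.status.phase}'"`, drops the text parsing, and `until: build_output.stdout | search("Completed|Failed|Error")` together with `failed_when: "'Completed' not in build_output.stdout"` stops waiting as soon as the build reaches a terminal state. The `Gather facts` task added at the top is what populates `openshift.common.client_binary`, so a comment noting that it must remain the first task of the role would save the next editor a confusing failure.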
@@ -29,4 +33,4 @@
 method: GET
 - name: Delete the Project
- command: oc delete project validate
+ command: "{{ openshift.common.client_binary }} delete project validate"
diff --git a/reference-architecture/gce-cli/.gitignore b/reference-architecture/gce-cli/.gitignore
index cdd7c19c8..1f0748fdb 100644
--- a/reference-architecture/gce-cli/.gitignore
+++ b/reference-architecture/gce-cli/.gitignore
@@ -1 +1,2 @@
 config.sh
+ansible-config.yml
diff --git a/reference-architecture/gce-cli/ansible-config.yml.tpl b/reference-architecture/gce-cli/ansible-config.yml.tpl
new file mode 100644
index 000000000..64e34b517
--- /dev/null
+++ b/reference-architecture/gce-cli/ansible-config.yml.tpl
@@ -0,0 +1,14 @@
+---
+public_hosted_zone: ${DNS_DOMAIN}
+wildcard_zone: ${OCP_APPS_DNS_NAME}
+openshift_master_cluster_public_hostname: ${MASTER_DNS_NAME}
+openshift_master_cluster_hostname: ${INTERNAL_MASTER_DNS_NAME}
+console_port: ${CONSOLE_PORT}
+openshift_hosted_router_replicas: ${INFRA_NODE_INSTANCE_GROUP_SIZE}
+openshift_hosted_registry_replicas: ${INFRA_NODE_INSTANCE_GROUP_SIZE}
+openshift_deployment_type: openshift-enterprise
+ansible_pkg_mgr: yum
+gcs_registry_bucket: ${REGISTRY_BUCKET}
+gce_project_id: ${GCLOUD_PROJECT}
+gce_network_name: ${OCP_NETWORK}
+openshift_master_identity_providers: ${OCP_IDENTITY_PROVIDERS}
diff --git a/reference-architecture/gce-cli/config.sh.example b/reference-architecture/gce-cli/config.sh.example
index 6199caebb..0d93938a1 100644
--- a/reference-architecture/gce-cli/config.sh.example
+++ b/reference-architecture/gce-cli/config.sh.example
@@ -16,6 +16,8 @@ GCLOUD_ZONE='us-central1-a'
 # DNS domain which will be configured in Google Cloud DNS
 DNS_DOMAIN='ocp.example.com'
+# Name of the DNS zone in the Google Cloud DNS. If empty, it will be created
+DNS_DOMAIN_NAME='ocp-example-com'
 # DNS name for the Master service
 MASTER_DNS_NAME='master.ocp.example.com'
 # Internal DNS name for the Master service
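Review bot: Every templated string value in this file is unquoted, so an unset or empty variable renders as `public_hosted_zone:` which YAML reads as null rather than an empty string, and a value that happens to look like a number or boolean is silently retyped before Ansible sees it. Quoting the string-valued entries, e.g. `public_hosted_zone: "${DNS_DOMAIN}"` and likewise for `wildcard_zone`, both master hostnames, `gcs_registry_bucket`, `gce_project_id` and `gce_network_name`, avoids both; `openshift_master_identity_providers: ${OCP_IDENTITY_PROVIDERS}` has to stay unquoted because it expands to a flow sequence, and `console_port` and the replica counts are presumably meant as integers. A header comment stating that this template is rendered by `envsubst` from gcloud.sh, and that the rendered ansible-config.yml therefore carries the identity-provider client secret and must stay untracked, would help the next reader.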
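Review bot: The comment on `DNS_DOMAIN_NAME` says "If empty, it will be created", but what the gcloud.sh hunk does with an empty value is derive the zone name from `DNS_DOMAIN` (dots replaced by dashes); creating the zone happens separately and regardless of whether the name was supplied or derived. Suggest `# Name of the managed zone in Google Cloud DNS. If empty, it is derived from DNS_DOMAIN (dots replaced by dashes)`. The matching comment in gcloud.sh, `# If user doesn't provide DNS_DOMAIN_NAME, create it`, has the same problem and could read `# Derive the managed-zone name from DNS_DOMAIN unless DNS_DOMAIN_NAME is set`.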
@@ -27,6 +29,9 @@ OCP_APPS_DNS_NAME='apps.ocp.example.com'
 MASTER_HTTPS_CERT_FILE="${HOME}/Downloads/master.ose.example.com.pem"
 MASTER_HTTPS_KEY_FILE="${HOME}/Downloads/master.ose.example.com.key"
+# OpenShift Identity providers. This is Google oauth example (hosted_domain is optional and restricts login to users only from the specified domain)
+OCP_IDENTITY_PROVIDERS='[ {"name": "google", "kind": "GoogleIdentityProvider", "login": "true", "challenge": "false", "mapping_method": "claim", "client_id": "xxx-yyy.apps.googleusercontent.com", "client_secret": "zzz", "hosted_domain": "example.com"} ]'
+
 ## DEFAULT VALUES ##
 OCP_VERSION='3.3'
@@ -78,7 +83,7 @@ ROUTER_NETWORK_LB_POOL='router-network-lb-pool'
 ROUTER_NETWORK_LB_IP='router-network-lb-ip'
 ROUTER_NETWORK_LB_RULE='router-network-lb-rule'
-REGISTRY_BUCKET="gs://${GCLOUD_PROJECT}-openshift-docker-registry"
+REGISTRY_BUCKET="${GCLOUD_PROJECT}-openshift-docker-registry"
 TEMP_INSTANCE='ocp-rhel-temp'
diff --git a/reference-architecture/gce-cli/gcloud.sh b/reference-architecture/gce-cli/gcloud.sh
index 995053be6..6f85669f7 100755
--- a/reference-architecture/gce-cli/gcloud.sh
+++ b/reference-architecture/gce-cli/gcloud.sh
@@ -105,15 +105,19 @@ RHEL_IMAGE=${RHEL_IMAGE%.qcow2}
 RHEL_IMAGE_GCE=${RHEL_IMAGE//[._]/-}
 REGISTERED_IMAGE="${RHEL_IMAGE_GCE}-registered"
-# The same for the DNS managed zone name
-DNS_MANAGED_ZONE=${DNS_DOMAIN//./-}
+# If user doesn't provide DNS_DOMAIN_NAME, create it
+if [ -z "$DNS_DOMAIN_NAME" ]; then
+ DNS_MANAGED_ZONE=${DNS_DOMAIN//./-}
+else
+ DNS_MANAGED_ZONE="$DNS_DOMAIN_NAME"
+fi
 GCLOUD_REGION=${GCLOUD_ZONE%-*}
 function revert {
 # Bucket for registry
- if gsutil ls -p "$GCLOUD_PROJECT" "$REGISTRY_BUCKET" &>/dev/null; then
- gsutil -m rm -r "$REGISTRY_BUCKET"
+ if gsutil ls -p "$GCLOUD_PROJECT" "gs://${REGISTRY_BUCKET}" &>/dev/null; then
+ gsutil -m rm -r "gs://${REGISTRY_BUCKET}"
 fi
 # DNS
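Review bot: The `OCP_IDENTITY_PROVIDERS` example uses snake_case keys (`client_id`, `client_secret`, `hosted_domain`) and string booleans (`"login": "true"`), while the openshift-setup.yaml hunk in this same commit writes the same provider with camelCase keys and real booleans; unless the consuming openshift-ansible filter normalises both forms, one of the two examples is wrong for users who copy it, so the accepted form should be confirmed and both files aligned. Since a real `client_secret` placed here ends up in the untracked config.sh and then in the rendered ansible-config.yml on the bastion, the comment could say so explicitly; a smaller wording fix for the existing comment: `# OpenShift identity providers. This is a Google OAuth example (hosted_domain is optional and restricts login to users from the specified domain)`.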
@@ -123,8 +127,6 @@ function revert {
 touch "$EMPTY_FILE"
 gcloud --project "$GCLOUD_PROJECT" dns record-sets import "$EMPTY_FILE" -z "$DNS_MANAGED_ZONE" --delete-all-existing &>/dev/null
 rm -f "$EMPTY_FILE"
-
- gcloud -q --project "$GCLOUD_PROJECT" dns managed-zones delete "$DNS_MANAGED_ZONE"
 fi
 # Router forwarding rule
@@ -301,6 +303,14 @@ fi
 ### PROVISION THE INFRASTRUCTURE ###
+# Check the DNS managed zone in Google Cloud DNS, create it if it doesn't exist and exit after printing NS servers
+if ! gcloud --project "$GCLOUD_PROJECT" dns managed-zones describe "$DNS_MANAGED_ZONE" &>/dev/null; then
+ echo "DNS zone '${DNS_MANAGED_ZONE}' doesn't exist. It will be created and installation will stop. Please configure the following NS servers for your domain in your domain provider before proceeding with the installation:"
+ gcloud --project "$GCLOUD_PROJECT" dns managed-zones create "$DNS_MANAGED_ZONE" --dns-name "$DNS_DOMAIN" --description "${DNS_DOMAIN} domain"
+ gcloud --project "$GCLOUD_PROJECT" dns managed-zones describe "$DNS_MANAGED_ZONE" --format='value(nameServers)' | tr ';' '\n'
+ exit 0
+fi
+
 # Upload image
 if ! gcloud --project "$GCLOUD_PROJECT" compute images describe "$RHEL_IMAGE_GCE" &>/dev/null; then
 echo 'Converting gcow2 image to raw image:'
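Review bot: With the managed-zone delete removed, `revert` keeps the zone but still runs `dns record-sets import "$EMPTY_FILE" ... --delete-all-existing`, which wipes every record in the zone; now that `DNS_DOMAIN_NAME` can name a pre-existing zone the user owns, that removes records this script never created. Safer is to remove only the record sets the script manages, the `$MASTER_DNS_NAME` record and the apps wildcard, by name via `dns record-sets transaction remove`, or to keep `--delete-all-existing` only when the zone name was derived rather than supplied. The `revert` function starts before this hunk and only part of its DNS branch is visible here, so the exact set of managed records should be checked against the provisioning section.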
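Review bot: The zone-bootstrap block ends with `exit 0` right after telling the user that installation will stop, so a wrapper script or CI job that checks the exit status sees success even though nothing was provisioned; a non-zero status, e.g. `exit 1`, or a dedicated documented code makes the early stop detectable. The block also prints the name servers without checking that `managed-zones create` succeeded, so on a create failure the `describe` prints nothing and the script still exits 0 unless `set -e` is in effect, which is outside this hunk. Chaining the create and describe with `&&` and exiting non-zero otherwise addresses both.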
@@ -479,7 +489,7 @@ fi
 # Master backend service
 if ! gcloud --project "$GCLOUD_PROJECT" compute backend-services describe "$MASTER_HTTPS_LB_BACKEND" &>/dev/null; then
- gcloud --project "$GCLOUD_PROJECT" compute backend-services create "$MASTER_HTTPS_LB_BACKEND" --https-health-checks "$MASTER_HTTPS_LB_HEALTH_CHECK" --port-name "$MASTER_NAMED_PORT_NAME" --protocol "HTTPS"
+ gcloud --project "$GCLOUD_PROJECT" compute backend-services create "$MASTER_HTTPS_LB_BACKEND" --https-health-checks "$MASTER_HTTPS_LB_HEALTH_CHECK" --port-name "$MASTER_NAMED_PORT_NAME" --protocol "HTTPS" --session-affinity "CLIENT_IP"
 gcloud --project "$GCLOUD_PROJECT" beta compute backend-services add-backend "$MASTER_HTTPS_LB_BACKEND" --instance-group "$MASTER_INSTANCE_GROUP" --instance-group-zone "$GCLOUD_ZONE"
 else
 echo "Backend service '${MASTER_HTTPS_LB_BACKEND}' already exists"
@@ -592,13 +602,6 @@ else
 echo "Forwarding rule '${ROUTER_NETWORK_LB_RULE}' already exists"
 fi
-# DNS zone
-if ! gcloud --project "$GCLOUD_PROJECT" dns managed-zones describe "$DNS_MANAGED_ZONE" &>/dev/null; then
- gcloud --project "$GCLOUD_PROJECT" dns managed-zones create "$DNS_MANAGED_ZONE" --dns-name "$DNS_DOMAIN" --description "${DNS_DOMAIN} domain"
-else
- echo "DNS zone '${DNS_MANAGED_ZONE}' already exists"
-fi
-
 # DNS record for master lb
 if ! gcloud --project "$GCLOUD_PROJECT" dns record-sets list -z "$DNS_MANAGED_ZONE" --name "$MASTER_DNS_NAME" 2>/dev/null | grep -q "$MASTER_DNS_NAME"; then
 IP=$(gcloud --project "$GCLOUD_PROJECT" compute addresses describe "$MASTER_HTTPS_LB_IP" --global --format='value(address)')
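Review bot: `--session-affinity "CLIENT_IP"` is only applied on the create path; the `else` branch just reports that the backend service already exists, so a cluster provisioned with an earlier version of this script keeps its previous affinity and a re-run does not converge to the new setting. Adding `gcloud --project "$GCLOUD_PROJECT" compute backend-services update "$MASTER_HTTPS_LB_BACKEND" --session-affinity "CLIENT_IP"` in the `else` branch brings existing services in line. A short comment above the create saying why client-IP affinity is wanted for the master load balancer would also help, since the reason is not evident from the command.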
@@ -631,12 +634,26 @@ else
 fi
 # Create bucket for registry
-if ! gsutil ls -p "$GCLOUD_PROJECT" "$REGISTRY_BUCKET" &>/dev/null; then
- gsutil mb -p "$GCLOUD_PROJECT" -l "$GCLOUD_REGION" "$REGISTRY_BUCKET"
+if ! gsutil ls -p "$GCLOUD_PROJECT" "gs://${REGISTRY_BUCKET}" &>/dev/null; then
+ gsutil mb -p "$GCLOUD_PROJECT" -l "$GCLOUD_REGION" "gs://${REGISTRY_BUCKET}"
 else
 echo "Bucket '${REGISTRY_BUCKET}' already exists"
 fi
+# Prepare config file for ansible based on the configuration from this script
+export DNS_DOMAIN \
+ OCP_APPS_DNS_NAME \
+ MASTER_DNS_NAME \
+ INTERNAL_MASTER_DNS_NAME \
+ CONSOLE_PORT \
+ INFRA_NODE_INSTANCE_GROUP_SIZE \
+ REGISTRY_BUCKET \
+ GCLOUD_PROJECT \
+ OCP_NETWORK \
+ OCP_IDENTITY_PROVIDERS
+envsubst < "${DIR}/ansible-config.yml.tpl" > "${DIR}/ansible-config.yml"
+gcloud --project "$GCLOUD_PROJECT" compute copy-files "${DIR}/ansible-config.yml" "cloud-user@${BASTION_INSTANCE}:" --zone "$GCLOUD_ZONE"
+
 # Prepare bastion instance for openshift installation
 gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}" --zone "$GCLOUD_ZONE" --ssh-flag="-t" --command "sudo sh -c '
 yum install -y python-libcloud atomic-openshift-utils;
@@ -645,7 +662,7 @@ gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}"
 echo \"export GCE_PROJECT=${GCLOUD_PROJECT}\" >> /etc/profile.d/ocp.sh;
 fi
 '";
-gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}" --zone "$GCLOUD_ZONE" --command "bash -c '
+gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}" --zone "$GCLOUD_ZONE" --ssh-flag="-t" --command "bash -xc '
 if [ ! -d ~/google-cloud-sdk ]; then
 curl -sSL https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GOOGLE_CLOUD_SDK_VERSION}-linux-x86_64.tar.gz | tar -xz;
 ~/google-cloud-sdk/bin/gcloud -q components update;
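Review bot: `envsubst < "${DIR}/ansible-config.yml.tpl" > "${DIR}/ansible-config.yml"` writes the rendered file, which carries the identity-provider client secret from `OCP_IDENTITY_PROVIDERS`, with the caller's default umask, and the following `copy-files` puts it in the bastion's home directory with whatever mode that produced; neither step restricts the file to its owner. Rendering inside a subshell with a tight umask, `( umask 077; envsubst < "${DIR}/ansible-config.yml.tpl" > "${DIR}/ansible-config.yml" )`, keeps it owner-only locally and, since the copy should carry the source mode, on the bastion as well. The `# Prepare config file` comment would be more useful if it also said that the rendered file contains credentials and is gitignored for that reason.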
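Review bot: `bash -xc '` switches on command tracing for the whole remote session, which from the later hunk includes the git clone and the `ansible-playbook -e @~/ansible-config.yml` run; the trace goes to the operator's terminal and into any captured log, and it reads like debugging left enabled rather than a deliberate choice. If progress visibility is the goal, the script's own `echo` lines are the quieter option, or tracing can be made opt-in with `bash -${DEBUG:+x}c '` (DEBUG is an illustrative name; use whatever verbosity flag the script already has). The quoted remote command continues past the end of this hunk.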
@@ -658,4 +675,14 @@ gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}"
 # This command will upload our public SSH key to the GCE project metadata
 ~/google-cloud-sdk/bin/gcloud compute ssh cloud-user@${BASTION_INSTANCE} --zone ${GCLOUD_ZONE} --command echo;
+
+ if [ ! -d ~/openshift-ansible-contrib ]; then
+ git clone https://github.com/openshift/openshift-ansible-contrib.git ~/openshift-ansible-contrib;
+ fi
+ pushd ~/openshift-ansible-contrib/reference-architecture/gce-ansible;
+ ansible-playbook -e @~/ansible-config.yml playbooks/openshift-install.yaml;
 '";
+
+echo
+echo "Deployment is complete. OpenShift Console can be found at https://${MASTER_DNS_NAME}"
+echo
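Review bot: The bastion clones `https://github.com/openshift/openshift-ansible-contrib.git` at whatever its default branch holds at run time, so the playbooks that execute are not the ones in the checkout the operator reviewed and ran gcloud.sh from, and two runs can execute different code; pinning the revision, e.g. `git clone --branch <release tag placeholder> ...`, or shipping the local `reference-architecture/gce-ansible` directory to the bastion with the same `copy-files` mechanism already used for ansible-config.yml, ties the run to reviewed content. The session's commands are `;`-separated, so a failed clone or `pushd` still lets `ansible-playbook` run from the wrong directory, and the closing `echo "Deployment is complete..."` is printed regardless of the ssh command's exit status; chaining the clone, `pushd` and playbook with `&&` and checking the ssh exit status before the success message (or relying on `set -e` if the script enables it, which is outside this hunk) avoids reporting a failed deployment as complete. The existing-clone branch also never updates the checkout, which is fine once the revision is pinned but worth a comment.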