First version of integrated shell script and ansible playbooks

reference-architecture/gce-ansible/README.md

@@ -27,17 +27,3 @@ ansible-playbook -e 'public_hosted_zone=ocp.example.com \
     gce_network_name=ocp-network' \
     playbooks/openshift-install.yaml
 ```
-
-## Verification and demo application
-
-To verify the deployment works properly, run the `validation.yaml` playbook. To deploy simple demo application, use the `demo.yaml` playbook.
-
-```
-ansible-playbook -e 'openshift_master_cluster_public_hostname=\
-openshift-master.ocp.example.com \
-    openshift_master_cluster_hostname=\
-internal-openshift-master.ocp.example.com \
-    wildcard_zone=apps.ocp.example.com \
-    console_port=443' \
-    playbooks/validation.yaml
-```

reference-architecture/gce-ansible/playbooks/openshift-install.yaml

@@ -52,3 +52,5 @@
   gather_facts: no
   roles:
     - openshift-registry
+
+- include: validation.yaml

reference-architecture/gce-ansible/playbooks/openshift-setup.yaml

@@ -37,14 +37,13 @@
     osm_default_node_selector: "role=app"
     openshift_deployment_type: openshift-enterprise
     openshift_master_identity_providers:
-    - name: github
-      kind: GitHubIdentityProvider
+    - name: google
+      kind: GoogleIdentityProvider
       login: true
       challenge: false
       mapping_method: claim
-      clientID: e76865557b0417387b35
-      clientSecret: a2439464495d6b579d25f46dd51eb05a170e7e59
-      organizations:
-      - openshift
+      clientID: xxx-yyy.apps.googleusercontent.com
+      clientSecret: zzz
+      hostedDomain: example.com
     osm_use_cockpit: false
     containerized: false

reference-architecture/gce-ansible/playbooks/roles/validate-app/tasks/main.yaml

@@ -1,19 +1,23 @@
 ---
+- name: Gather facts
+  openshift_facts:
+    role: common
+
 - name: Create the validation project
-  command: oc new-project validate
+  command: "{{ openshift.common.client_binary }} new-project validate"
 
 - name: Create Hello world app
-  shell: oc new-app --template cakephp-example
+  shell: "{{ openshift.common.client_binary }} new-app --template cakephp-example"
 
 - name: Wait for build to complete
-  shell: oc get pod | grep -v deploy | awk '/cakephp-example-1-build/{ print $3 }'
+  shell: "{{ openshift.common.client_binary }} get pod | grep -v deploy | awk '/cakephp-example-1-build/{ print $3 }'"
   register: build_output
   until: build_output.stdout | search("Completed")
   retries: 30
   delay: 15
 
 - name: Wait for App to be running
-  shell: oc get pod | grep -v deploy | grep -v build  | awk '/cakephp-example-1-*/{print $3}'
+  shell: "{{ openshift.common.client_binary }} get pod | grep -v deploy | grep -v build  | awk '/cakephp-example-1-*/{print $3}'"
   register: deployer_output
   until: deployer_output.stdout | search("Running")
   retries: 30
@@ -29,4 +33,4 @@
      method: GET
 
 - name: Delete the Project
-  command: oc delete project validate
+  command: "{{ openshift.common.client_binary }} delete project validate"

reference-architecture/gce-cli/.gitignore

@@ -1 +1,2 @@
 config.sh
+ansible-config.yml

reference-architecture/gce-cli/ansible-config.yml.tpl

@@ -0,0 +1,14 @@
+---
+public_hosted_zone: ${DNS_DOMAIN}
+wildcard_zone: ${OCP_APPS_DNS_NAME}
+openshift_master_cluster_public_hostname: ${MASTER_DNS_NAME}
+openshift_master_cluster_hostname: ${INTERNAL_MASTER_DNS_NAME}
+console_port: ${CONSOLE_PORT}
+openshift_hosted_router_replicas: ${INFRA_NODE_INSTANCE_GROUP_SIZE}
+openshift_hosted_registry_replicas: ${INFRA_NODE_INSTANCE_GROUP_SIZE}
+openshift_deployment_type: openshift-enterprise
+ansible_pkg_mgr: yum
+gcs_registry_bucket: ${REGISTRY_BUCKET}
+gce_project_id: ${GCLOUD_PROJECT}
+gce_network_name: ${OCP_NETWORK}
+openshift_master_identity_providers: ${OCP_IDENTITY_PROVIDERS}

reference-architecture/gce-cli/config.sh.example

@@ -16,6 +16,8 @@ GCLOUD_ZONE='us-central1-a'
 
 # DNS domain which will be configured in Google Cloud DNS
 DNS_DOMAIN='ocp.example.com'
+# Name of the DNS zone in the Google Cloud DNS. If empty, it will be created
+DNS_DOMAIN_NAME='ocp-example-com'
 # DNS name for the Master service
 MASTER_DNS_NAME='master.ocp.example.com'
 # Internal DNS name for the Master service
@@ -27,6 +29,9 @@ OCP_APPS_DNS_NAME='apps.ocp.example.com'
 MASTER_HTTPS_CERT_FILE="${HOME}/Downloads/master.ose.example.com.pem"
 MASTER_HTTPS_KEY_FILE="${HOME}/Downloads/master.ose.example.com.key"
 
+# OpenShift Identity providers. This is Google oauth example (hosted_domain is optional and restricts login to users only from the specified domain)
+OCP_IDENTITY_PROVIDERS='[ {"name": "google", "kind": "GoogleIdentityProvider", "login": "true", "challenge": "false", "mapping_method": "claim", "client_id": "xxx-yyy.apps.googleusercontent.com", "client_secret": "zzz", "hosted_domain": "example.com"} ]'
+
 ## DEFAULT VALUES ##
 
 OCP_VERSION='3.3'
@@ -78,7 +83,7 @@ ROUTER_NETWORK_LB_POOL='router-network-lb-pool'
 ROUTER_NETWORK_LB_IP='router-network-lb-ip'
 ROUTER_NETWORK_LB_RULE='router-network-lb-rule'
 
-REGISTRY_BUCKET="gs://${GCLOUD_PROJECT}-openshift-docker-registry"
+REGISTRY_BUCKET="${GCLOUD_PROJECT}-openshift-docker-registry"
 
 TEMP_INSTANCE='ocp-rhel-temp'
 

reference-architecture/gce-cli/gcloud.sh

@@ -105,15 +105,19 @@ RHEL_IMAGE=${RHEL_IMAGE%.qcow2}
 RHEL_IMAGE_GCE=${RHEL_IMAGE//[._]/-}
 REGISTERED_IMAGE="${RHEL_IMAGE_GCE}-registered"
 
-# The same for the DNS managed zone name
-DNS_MANAGED_ZONE=${DNS_DOMAIN//./-}
+# If user doesn't provide DNS_DOMAIN_NAME, create it
+if [ -z "$DNS_DOMAIN_NAME" ]; then
+    DNS_MANAGED_ZONE=${DNS_DOMAIN//./-}
+else
+    DNS_MANAGED_ZONE="$DNS_DOMAIN_NAME"
+fi
 
 GCLOUD_REGION=${GCLOUD_ZONE%-*}
 
 function revert {
     # Bucket for registry
-    if gsutil ls -p "$GCLOUD_PROJECT" "$REGISTRY_BUCKET" &>/dev/null; then
-        gsutil -m rm -r "$REGISTRY_BUCKET"
+    if gsutil ls -p "$GCLOUD_PROJECT" "gs://${REGISTRY_BUCKET}" &>/dev/null; then
+        gsutil -m rm -r "gs://${REGISTRY_BUCKET}"
     fi
 
     # DNS
@@ -123,8 +127,6 @@ function revert {
         touch "$EMPTY_FILE"
         gcloud --project "$GCLOUD_PROJECT" dns record-sets import "$EMPTY_FILE" -z "$DNS_MANAGED_ZONE" --delete-all-existing &>/dev/null
         rm -f "$EMPTY_FILE"
-
-        gcloud -q --project "$GCLOUD_PROJECT" dns managed-zones delete "$DNS_MANAGED_ZONE"
     fi
 
     # Router forwarding rule
@@ -301,6 +303,14 @@ fi
 
 ### PROVISION THE INFRASTRUCTURE ###
 
+# Check the DNS managed zone in Google Cloud DNS, create it if it doesn't exist and exit after printing NS servers
+if ! gcloud --project "$GCLOUD_PROJECT" dns managed-zones describe "$DNS_MANAGED_ZONE" &>/dev/null; then
+    echo "DNS zone '${DNS_MANAGED_ZONE}' doesn't exist. It will be created and installation will stop. Please configure the following NS servers for your domain in your domain provider before proceeding with the installation:"
+    gcloud --project "$GCLOUD_PROJECT" dns managed-zones create "$DNS_MANAGED_ZONE" --dns-name "$DNS_DOMAIN" --description "${DNS_DOMAIN} domain"
+    gcloud --project "$GCLOUD_PROJECT" dns managed-zones describe "$DNS_MANAGED_ZONE" --format='value(nameServers)' | tr ';' '\n'
+    exit 0
+fi
+
 # Upload image
 if ! gcloud --project "$GCLOUD_PROJECT" compute images describe "$RHEL_IMAGE_GCE" &>/dev/null; then
     echo 'Converting gcow2 image to raw image:'
@@ -479,7 +489,7 @@ fi
 
 # Master backend service
 if ! gcloud --project "$GCLOUD_PROJECT" compute backend-services describe "$MASTER_HTTPS_LB_BACKEND" &>/dev/null; then
-    gcloud --project "$GCLOUD_PROJECT" compute backend-services create "$MASTER_HTTPS_LB_BACKEND" --https-health-checks "$MASTER_HTTPS_LB_HEALTH_CHECK" --port-name "$MASTER_NAMED_PORT_NAME" --protocol "HTTPS"
+    gcloud --project "$GCLOUD_PROJECT" compute backend-services create "$MASTER_HTTPS_LB_BACKEND" --https-health-checks "$MASTER_HTTPS_LB_HEALTH_CHECK" --port-name "$MASTER_NAMED_PORT_NAME" --protocol "HTTPS" --session-affinity "CLIENT_IP"
     gcloud --project "$GCLOUD_PROJECT" beta compute backend-services add-backend "$MASTER_HTTPS_LB_BACKEND" --instance-group "$MASTER_INSTANCE_GROUP" --instance-group-zone "$GCLOUD_ZONE"
 else
     echo "Backend service '${MASTER_HTTPS_LB_BACKEND}' already exists"
@@ -592,13 +602,6 @@ else
     echo "Forwarding rule '${ROUTER_NETWORK_LB_RULE}' already exists"
 fi
 
-# DNS zone
-if ! gcloud --project "$GCLOUD_PROJECT" dns managed-zones describe "$DNS_MANAGED_ZONE" &>/dev/null; then
-    gcloud --project "$GCLOUD_PROJECT" dns managed-zones create "$DNS_MANAGED_ZONE" --dns-name "$DNS_DOMAIN" --description "${DNS_DOMAIN} domain"
-else
-    echo "DNS zone '${DNS_MANAGED_ZONE}' already exists"
-fi
-
 # DNS record for master lb
 if ! gcloud --project "$GCLOUD_PROJECT" dns record-sets list -z "$DNS_MANAGED_ZONE" --name "$MASTER_DNS_NAME" 2>/dev/null | grep -q "$MASTER_DNS_NAME"; then
     IP=$(gcloud --project "$GCLOUD_PROJECT" compute addresses describe "$MASTER_HTTPS_LB_IP" --global --format='value(address)')
@@ -631,12 +634,26 @@ else
 fi
 
 # Create bucket for registry
-if ! gsutil ls -p "$GCLOUD_PROJECT" "$REGISTRY_BUCKET" &>/dev/null; then
-    gsutil mb -p "$GCLOUD_PROJECT" -l "$GCLOUD_REGION" "$REGISTRY_BUCKET"
+if ! gsutil ls -p "$GCLOUD_PROJECT" "gs://${REGISTRY_BUCKET}" &>/dev/null; then
+    gsutil mb -p "$GCLOUD_PROJECT" -l "$GCLOUD_REGION" "gs://${REGISTRY_BUCKET}"
 else
     echo "Bucket '${REGISTRY_BUCKET}' already exists"
 fi
 
+# Prepare config file for ansible based on the configuration from this script
+export DNS_DOMAIN \
+    OCP_APPS_DNS_NAME \
+    MASTER_DNS_NAME \
+    INTERNAL_MASTER_DNS_NAME \
+    CONSOLE_PORT \
+    INFRA_NODE_INSTANCE_GROUP_SIZE \
+    REGISTRY_BUCKET \
+    GCLOUD_PROJECT \
+    OCP_NETWORK \
+    OCP_IDENTITY_PROVIDERS
+envsubst < "${DIR}/ansible-config.yml.tpl" > "${DIR}/ansible-config.yml"
+gcloud --project "$GCLOUD_PROJECT" compute copy-files "${DIR}/ansible-config.yml" "cloud-user@${BASTION_INSTANCE}:" --zone "$GCLOUD_ZONE"
+
 # Prepare bastion instance for openshift installation
 gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}" --zone "$GCLOUD_ZONE" --ssh-flag="-t" --command "sudo sh -c '
     yum install -y python-libcloud atomic-openshift-utils;
@@ -645,7 +662,7 @@ gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}"
         echo \"export GCE_PROJECT=${GCLOUD_PROJECT}\" >> /etc/profile.d/ocp.sh;
     fi
 '";
-gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}" --zone "$GCLOUD_ZONE" --command "bash -c '
+gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}" --zone "$GCLOUD_ZONE" --ssh-flag="-t" --command "bash -xc '
     if [ ! -d ~/google-cloud-sdk ]; then
         curl -sSL https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-sdk-${GOOGLE_CLOUD_SDK_VERSION}-linux-x86_64.tar.gz | tar -xz;
         ~/google-cloud-sdk/bin/gcloud -q components update;
@@ -658,4 +675,14 @@ gcloud --project "$GCLOUD_PROJECT" compute ssh "cloud-user@${BASTION_INSTANCE}"
 
     # This command will upload our public SSH key to the GCE project metadata
     ~/google-cloud-sdk/bin/gcloud compute ssh cloud-user@${BASTION_INSTANCE} --zone ${GCLOUD_ZONE} --command echo;
+
+    if [ ! -d ~/openshift-ansible-contrib ]; then
+        git clone https://github.com/openshift/openshift-ansible-contrib.git ~/openshift-ansible-contrib;
+    fi
+    pushd ~/openshift-ansible-contrib/reference-architecture/gce-ansible;
+    ansible-playbook -e @~/ansible-config.yml playbooks/openshift-install.yaml;
 '";
+
+echo
+echo "Deployment is complete. OpenShift Console can be found at https://${MASTER_DNS_NAME}"
+echo