rht-labs / ansible-stacks
Ansible playbook and roles used to create stacks via push button infrastructure (PBI)
License: Apache License 2.0
May want to produce a pypi package with a generated API model, which could allow the model itself to self-validate via JSON marshaling.
When stacks goes through the project creation process, it runs oc new-project to do the project creation. This results in the logged in user being "dropped in" to the last project that gets created, which I think would be unexpected by the user. What we probably want to do is oc adm new-project, which does not change the current project.
@etsauer the latest PR broke normal operation of ansible-stacks - see below...
TASK [create-openshift-resources : include] ************************************
included: /home/obedin/ansible-stacks/roles/create-openshift-resources/tasks/create_environment_variables_string.yml for localhost
TASK [create-openshift-resources : Add variable to environment_variables_string] ***
fatal: [localhost]: FAILED! => {
"failed": true
}
MSG:
The conditional check 'app.from_template is not defined and app.from_template == ''' failed. The error was: error while evaluating conditional (app.from_template is not defined and app.from_template == ''): 'dict object' has no attribute 'from_template'
The error appears to have been in '/home/obedin/ansible-stacks/roles/create-openshift-resources/tasks/create_environment_variables_string.yml': line 3, column 3, but may
be elsewhere in the file depending on the exact syntax problem.
The offending line appears to be:
- name: "Add variable to environment_variables_string"
^ here
to retry, use: --limit @/home/obedin/ansible-stacks/load_infra_local.retry
PLAY RECAP *********************************************************************
localhost : ok=39 changed=5 unreachable=0 failed=1
Note that the order of execution matters as there's no good way today to link a PV with a specific PVC. Hence, it's important that if a PVC is requiring a specific PV, it needs to be created in sequence - i.e.: 1) PV1, 2) PVC1, 3) PV2, 4) PVC2, etc.
Notably, https://github.com/rht-labs/ansible-stacks/blob/master/playbooks/load_infra.yml does not use create-identities
The route should include supporting TLS passthrough as a minimum, e.g.: steps documented starting with step 4 as part of setting up the route for the registry:
https://docs.openshift.com/enterprise/3.2/install_config/install/docker_registry.html#exposing-the-registry
See the code in promote_image_oc.yml:
oc policy add-role-to-group system:image-puller system:serviceaccounts:testing -n development
The role_binding in ansible-stacks right now only supports add-role-to-user and not add-role-to-group.
See corresponding issue: rht-labs/api-design#31
See #71.
We need to:
Must be able to add users to an idm
Must be able to add groups to an idm
Must be able to add users to groups in an idm
Failure Scenario
When a dockerfile declares a VOLUME (e.g. Nexus), the oc new-app command will create a deployconfig that generates the following:
volumes:
- name: nexus-volume-1
In order for oc volume --add --overwrite to work properly (i.e. configure the volume association) the API object needs to use the same naming convention.
Enhancement Request
Add automation to detect this scenario and allow the configuration to be overwritten regardless of naming
Possible Impls
Related To
#66
Right now an issue for the fabric8 bootstrap, but will be an issue elsewhere. We should check that a successful build has already happened, and if so, skip the steps.
Currently this is hardcoded, leaving the end user no recourse in scenarios where builds take longer than the provided defaults.
When adding a PVC claim to an app that already exists, the ansible role will fail in its current state. The add should use the --overwrite flag as described here:
https://docs.openshift.com/container-platform/3.3/dev_guide/volumes.html#updating-volumes
The common example here is a database image, which ansible stacks will deploy but not associate with a build config. We should only promote image streams from one project to another in the event that the app has a build_tool defined and that build_tool != 'none'.
Without this logic, the playbook will fail because there was no image-stream created with the applications name in the source project.
We currently use docker pull/tag/push, which is useful from non-prod to prod clusters, but if the projects are in the same cluster, there really is little benefit here, plus it's slow. We should support oc tag if the projects are in the same cluster.
Largely a language change
We are passing in an engagement to ansible like so:
{
"openshift_clusters": { ...},
"users",
"groups"
}
This is causing a problem because access groups {{ groups }} is reserved for ansible
engagement should be at the root object to avoid namespace issues
Right now the impl prefixes http:// and postfixes /. We should add some string processing to remove these additions if the user provides them. In fact, the http:// should probably just go away so we can support https.
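One way to do that string processing, as an added example that is not code from the ansible-stacks repository: the user-supplied cluster URL is accepted with or without a scheme and with or without the trailing slash, defaults to https instead of prepending http://, and refuses plain http unless the caller opts in. The function name and the sample endpoints are assumptions.

```python
from urllib.parse import urlsplit


def normalize_cluster_url(raw: str, allow_http: bool = False) -> str:
    """Canonicalise a user-supplied OpenShift API endpoint (hypothetical helper).

    Accepts the endpoint with or without a scheme and with or without a
    trailing slash (the two decorations the role currently adds
    unconditionally), defaults to https when no scheme is given, and
    rejects plain http unless the caller opts in explicitly.
    """
    value = raw.strip()
    if "://" not in value:
        # No scheme supplied: assume TLS rather than prepending http://.
        value = "https://" + value
    parts = urlsplit(value)
    scheme = parts.scheme.lower()
    if scheme == "http" and not allow_http:
        raise ValueError("plain http cluster URL rejected: %s" % raw)
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme %r in cluster URL: %s" % (scheme, raw))
    if not parts.hostname:
        raise ValueError("cluster URL has no host: %s" % raw)
    netloc = parts.hostname
    if parts.port is not None:
        netloc += ":%d" % parts.port
    # Drop the trailing slash(es) the old implementation appended; keep any real path.
    path = parts.path.rstrip("/")
    return "%s://%s%s" % (scheme, netloc, path)


if __name__ == "__main__":
    # Constructed sample endpoints, not values from the project.
    for sample in ("master.example.com:8443", "https://master.example.com:8443/"):
        print(sample, "->", normalize_cluster_url(sample))
```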
The current logic for account creation revolves around using apps. The API has been updated to reflect the notion of a project.pipelines (rht-labs/api-design#74), so this concept should be used to drive account creation.
It probably makes the most sense to refactor existing role logic into a module
The create_preqs_for_pipeline.yml task is responsible for creating service accounts to support image tagging as well as actually creating the tags which create image streams between projects. Right now, the following conditional is evaluated before running this task, which doesn't seem to properly model the use case for deploying images from docker hub (e.g. nexus):
when: get_app_name_result.rc == 1 and project.environment_type is defined and project.environment_type == 'promotion' and app.name in imagestreams_to_promote
Currently you can pass in hostname or port for default
Will require some parameter to identify location of Jenkins API
There is no clean or documented way to override the cluster url defined in the API doc. There are many times when you want to separate the API doc from the specific cluster it's being run in, so we need to provide a way to handle this short term.
Long term, we need to resolve rht-labs/api-design#1
Binary s2i builds for compiled languages need a hello-world app and ansible logic to deploy that app on resource creation because OCP should not be responsible for building this artifact. Reference how this is done with fabric8 s2i for fat jars in tasks/fabric8_java_s2i_build.yml
Currently an issue for Jenkins PVs
This is currently supported as a private feature of stacks. See #71
This is producing warnings that are ominous like the below:
TASK [create-openshift-resources : include] ************************************
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.: 'openshift_resources'
is undefined.
This feature will be removed in a future release. Deprecation warnings can be disabled by setting
deprecation_warnings=False in ansible.cfg.
This feature will model templates as part of a project, not as an application. The current model is built around applications being driven by oc new-app, and thus merging these two concepts is leading to conflicts as seen with #89 #88 #80. Modelling templates as part of a project allows us to clearly separate concerns in our model, as well as our implementation.
So projects can be shared amongst a team per the new api model
Enhanced support needed for environment variables to support ldap (currently breaking).
Need to be able to handle something like:
dc=bla,dc=maw,dc=car,dc=floor,dc=labs,dc=com
as a single environment variable.
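One way to carry a value like that DN through to oc new-app as a single -e NAME=value argument, as an added example that is not code from the ansible-stacks role: it assumes the role's environment_variables_string is handed to a shell, so each pair is quoted with shlex and the round trip is checked by parsing it back the way a shell would. The function names and sample values are constructed for the example.

```python
import re
import shlex

# Environment variable names accepted by POSIX shells (and by oc new-app -e).
_ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_env_args(env_vars):
    """Render {NAME: value} as '-e NAME=value ...' so that values containing
    commas, equals signs or spaces survive shell parsing as one variable
    (hypothetical replacement for building environment_variables_string).
    """
    parts = []
    for name, value in env_vars.items():
        if not _ENV_NAME.match(name):
            raise ValueError("invalid environment variable name: %r" % name)
        # shlex.quote single-quotes the whole NAME=value only when needed:
        # commas and '=' are shell-safe, whitespace and quotes are not.
        parts.append("-e " + shlex.quote("%s=%s" % (name, str(value))))
    return " ".join(parts)


def parse_env_args(argstring):
    """Split argstring as a shell would and recover the {NAME: value} mapping;
    used here to prove the round trip keeps an LDAP DN intact.
    """
    tokens = iter(shlex.split(argstring))
    result = {}
    for flag in tokens:
        if flag != "-e":
            raise ValueError("unexpected token: %r" % flag)
        pair = next(tokens, None)
        if pair is None:
            raise ValueError("-e without a NAME=value argument")
        name, sep, value = pair.partition("=")
        if not sep:
            raise ValueError("missing '=' in %r" % pair)
        result[name] = value
    return result


# Constructed sample: the LDAP base DN from the issue plus a value with a space.
SAMPLE_ENV = {
    "LDAP_BASE_DN": "dc=bla,dc=maw,dc=car,dc=floor,dc=labs,dc=com",
    "LDAP_BIND_DN": "cn=Directory Manager",
}
```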
A build stage denotes an openshift project that performs s2i such that the resulting image can be pushed to other projects, called promotion stages. It is common to segregate multiple apps into different build stages to fence off resource quotas between apps. The current implementation will pause for all s2i builds in a single build stage to finish before moving on to the subsequent promotion stage. However, this means that if there are multiple build stages, their builds will happen in serial, which dramatically slows down the playbook.
To optimize around this, we would need to reorganize the playbook to create all build projects first, before creating any promotion projects. This is likely a significant refactor, so there needs to be a real business justification to do it.
Problem Description
To do this with oc new-app, you must support oc new-app <namespace>/<image>. Current impl only supports oc new-app --image-stream=<is>
Workaround
using scm_url will produce desired results
Related To
#67