rht-labs / ansible-stacks Goto Github PK

May want to produce a pypi package with the a generated API model, which could allow the model itself to self validate via JSON marshaling.

When stacks goes through the project creation process, it runs oc new-project to do the project creation. This results in the logged in user being "dropped in" to the last project that gets created, which I think would be unexpected by the user. What we probably want to do is oc adm new-project which does not change the current project.

@etsauer the latest PR broke normal operation of ansible-stacks - see below...

TASK [create-openshift-resources : include] ************************************
included: /home/obedin/ansible-stacks/roles/create-openshift-resources/tasks/create_environment_variables_string.yml for localhost

TASK [create-openshift-resources : Add variable to environment_variables_string] ***
fatal: [localhost]: FAILED! => {
    "failed": true
}

MSG:

The conditional check 'app.from_template is not defined and app.from_template == ''' failed. The error was: error while evaluating conditional (app.from_template is not defined and app.from_template == ''): 'dict object' has no attribute 'from_template'

The error appears to have been in '/home/obedin/ansible-stacks/roles/create-openshift-resources/tasks/create_environment_variables_string.yml': line 3, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: "Add variable to environment_variables_string"
  ^ here


	to retry, use: --limit @/home/obedin/ansible-stacks/load_infra_local.retry

PLAY RECAP *********************************************************************
localhost                  : ok=39   changed=5    unreachable=0    failed=1   

Note that the order of execution matters as there's no good way today to link a PV with a specific PVC. Hence, it's important that if a PVC is requiring a specific PV, it needs to be created in sequence - i.e.: 1) PV1, 2) PVC1, 3) PV2, 4) PVC2, etc.

Notably, https://github.com/rht-labs/ansible-stacks/blob/master/playbooks/load_infra.yml does not use create-identities

The route should include supporting TLS passthrough as a minimum, e.g.: steps documented starting with step 4 as part of setting up the route for the registry:
https://docs.openshift.com/enterprise/3.2/install_config/install/docker_registry.html#exposing-the-registry

See the code in promote_image_oc.yml

https://github.com/rht-labs/api-design

oc policy add-role-to-group system:image-puller system:serviceaccounts:testing -n development

the role_binding in ansible-stacks right now only supports add-role-to-user and not add-role-to-group

See corresponding issue: rht-labs/api-design#31

See https://github.com/sherl0cks/ansible-stacks/blob/ports-and-hostname/roles/create-openshift-resources/tasks/configure_networking.yml#L2

https://github.com/rht-labs/ansible-stacks/pull/6/files#r76446771

#6 (comment)

See #71.

We need to:

• move the test data into it's own test
• add info to the README to indicate that this is a private feature not supported in https://github.com/rht-labs/api-design/blob/master/swagger.yaml

https://github.com/rht-labs/ansible-stacks/pull/6/files#diff-749e4a03b3953737c381c299f946bab1R86

Must be able to add users to an idm
Must be able to add groups to an idm
Must be able to add users to groups in an idm

#6 (comment)

Failure Scenario

When a dockerfile declares a VOLUME, (e.g. Nexus ) the oc new-app command will create a deployconfig that generates the following:

      volumes:                                                                                                                                                                                                                         
      - name: nexus-volume-1                                                                                                                                                                                                           

In order for oc volume --add --overwrite to work properly (i.e. configure the volume association) the API object needs to use the same naming convention.

Enhancement Request
Add automation to detect this scenario and allow the configuration to be overwritten regardless of naming

Possible Impls

• Delete the pvc on the DC and then add a new one

Related To
#66

Right now an issue for the fabric8 bootstrap, but will be an issue elsewhere. We should check that a successful build has already happened, and if so, skip the steps.

Currently this is hardcoded, leaving the end user no recourse in scenarios where builds take longer than the provided defaults.

When adding a PVC claim to an app, that already exists, the ansible role will fail in it's current state. The add should use the --overwrite flag as described here:
https://docs.openshift.com/container-platform/3.3/dev_guide/volumes.html#updating-volumes

The common example here is a database image, which ansible stacks will deploy but not associate with a build config. We should only promote image streams from one project to another in the event that the app has a build_tool defined and that build_tool != 'none'.

Without this logic, the playbook will fail because there was no image-stream created with the applications name in the source project.

We currently use docker pull/tag/push which is useful from non-prod to prod clusters, but if the projects are in the same cluster, there really is little benefit here, plus it's slow. We should support oc tag if the projects are in the same cluster.

See example update_container_ports.py

https://github.com/rht-labs/ansible-stacks/blob/master/roles/create-openshift-resources/tasks/create_labels_string.yml

https://github.com/rht-labs/ansible-stacks/blob/master/roles/create-openshift-resources/tasks/create_environment_variables_string.yml

Largely a language change

https://github.com/rht-labs/api-design/tree/v0.2.0

We are passing in an engagement to ansible like so:

{
"openshift_clusters": { ...},
"users",
"groups"
}

This is causing a problem because access groups {{ groups }} is reserved for ansible

engagement should be at the root object to avoid namespace issues

Right now the impl prefixes http:// and postfixes /. We should add some string processing to remove these additions if the user provides them. In fact, the http:// should probably just go away so we can support https

The current logic for account creation resolves around using apps. The API has been updated to reflect the notion of a project.pipelines rht-labs/api-design#74, so this concept should be used to drive account creation.

It probably makes the most sense to refactor existing role logic into a module

The create_preqs_for_pipeline.yml task is responsible for creating service accounts to support image tagging as well as actually creating the tags which create image streams between projects. Right, the following conditional is evaluated before running this task, which doesn't seem to properly model the use case for deploying images from docker hub (e.g. nexus)

when: get_app_name_result.rc == 1 and project.environment_type is defined and project.environment_type == 'promotion' and app.name in imagestreams_to_promote

Currently you can pass in hostname or port for default

Will require some parameter to identify location of Jenkins API

There is no clean or documented way to override the cluster url defined in the API doc. There are many times when you want to separate the API doc from the specific cluster it's being run in, so we need to provide a way to handle this short term.

Long term, we need to resolve rht-labs/api-design#1

Binary s2i builds for compiled languages need a hello-world app and ansible logic to deploy that app on resource creation because OCP should not be responsible for building this artifact. reference how this done with fabric8 s2i for fat jars in tasks/fabric8_java_s2i_build.yml

Currently an issue for Jenkins PVs

https://docs.openshift.com/container-platform/3.3/install_config/persistent_storage/persistent_storage_nfs.html#nfs-supplemental-groups

This currently supported as a private feature of stacks. See #71

This is producing warnings that are ominous like the below:

TASK [create-openshift-resources : include] ************************************
[DEPRECATION WARNING]: Skipping task due to undefined Error, in the future this will be a fatal error.: 'openshift_resources' 
is undefined.
This feature will be removed in a future release. Deprecation warnings can be disabled by setting 
deprecation_warnings=False in ansible.cfg.

This feature will model templates as part of a project, not as an application. The current model is built around that applications are driven by oc new-app, and thus merging these two concepts is leading to conflicts as seen with #89 #88 #80. Modelling templates as part of a project allows use to clearly separate concerns in our model, as well as our implementation.

So projects can be shared amongst a team per the new api model

Enhanced support needed for environment variables to support ldap (currently breaking.

need to be able to handle something like:

dc=bla,dc=maw,dc=car,dc=floor,dc=labs,dc=com

as a single environment variable

A build stage denotes an openshift project that performs s2i such that the resulting image can be pushed other projects, called promotion stages. It is common to segregate multiple apps into different build stages to fence off resource quotas between apps. The current implementation will pause for all s2i builds in a single build stage to finish before moving on to the subsequent promotion stage. However; this means that if there are multiple build stages, their builds will happen in serial, which dramatically slows down the playbook.

To optimize around this, we would need to reorganize the playbook to create all build projects first, before creating any promotion projects. This is likely a significant refactor, so there needs to be a real business justification to do it.

Problem Description

To do this with oc new-app, you must support oc new-app <namespace>/<image>. Current impl only supports oc new-app --image-stream=<is>

Workaround

using scm_url will produce desired results

Related To
#67