From c9fd62a2092c43f290610172f475342954b3c061 Mon Sep 17 00:00:00 2001 From: sankar palanivel Date: Fri, 1 Oct 2021 15:40:01 +0100 Subject: [PATCH] Add ansible roles to configure nolabs nodes In this change, - Add ansible role to configure nolabs provisioned jumphost & k8s nodes which will allow users to login with `nordix` user from their local machine - Also, this ansible role will be included in the k8s & ONAP deployment multijobs which will be requested from self-service portal UI. Change-Id: I593c9fd99771795d0c75396c40c95c9df142b98c --- infra/configure_admin_user_access/deploy.sh | 35 ++++++++ .../configure-admin-user-access.yaml | 41 +++++++++ .../tasks/configure-jumphost.yaml | 84 +++++++++++++++++++ .../tasks/configure-targethosts.yaml | 66 +++++++++++++++ .../vars/main.yaml | 28 +++++++ infra/configure_k8s_admin_config/deploy.sh | 35 ++++++++ .../playbooks/configure-k8s-admin-config.yaml | 31 +++++++ .../tasks/configure-jumphost.yaml | 73 ++++++++++++++++ .../configure-k8s-admin-config/vars/main.yaml | 42 ++++++++++ 9 files changed, 435 insertions(+) create mode 100755 infra/configure_admin_user_access/deploy.sh create mode 100644 infra/configure_admin_user_access/playbooks/configure-admin-user-access.yaml create mode 100644 infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-jumphost.yaml create mode 100644 infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-targethosts.yaml create mode 100644 infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/vars/main.yaml create mode 100755 infra/configure_k8s_admin_config/deploy.sh create mode 100644 infra/configure_k8s_admin_config/playbooks/configure-k8s-admin-config.yaml create mode 100644 infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/tasks/configure-jumphost.yaml create mode 100644 infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/vars/main.yaml 
diff --git a/infra/configure_admin_user_access/deploy.sh b/infra/configure_admin_user_access/deploy.sh
new file mode 100755
index 0000000..fb07ee8
--- /dev/null
+++ b/infra/configure_admin_user_access/deploy.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+#-------------------------------------------------------------------------------
+# Configure Admin User Access
+#-------------------------------------------------------------------------------
+echo "Info: Configuring admin user access"
+echo "-------------------------------------------------------------------------"
+
+export INVENTORY_FILE="${INVENTORY_FILE:-/tmp/inventory.ini}"
+
+ansible-playbook -i "$INVENTORY_FILE" playbooks/configure-admin-user-access.yaml
+
+
+# vim: set ts=2 sw=2 expandtab:
\ No newline at end of file
diff --git a/infra/configure_admin_user_access/playbooks/configure-admin-user-access.yaml b/infra/configure_admin_user_access/playbooks/configure-admin-user-access.yaml
new file mode 100644
index 0000000..30b4a5d
--- /dev/null
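Review bot: The inventory that decides which hosts receive a NOPASSWD-sudo `nordix` account defaults to `/tmp/inventory.ini`, a predictable path in a world-writable directory on the machine running this script, so any local user who pre-creates that file can point the playbook at a host list of their choosing. Prefer no default and let `set -o nounset` fail the run, e.g. `INVENTORY_FILE="${INVENTORY_FILE:?must point to a trusted inventory}"`, or a job-private path. The `playbooks/...` argument is also resolved against the caller's working directory rather than the script's location, so add `cd "$(dirname "${BASH_SOURCE[0]}")"` before the `ansible-playbook` call. Whether `/tmp` is shared between jobs depends on the Jenkins agent layout, which the patch does not show.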
+++ b/infra/configure_admin_user_access/playbooks/configure-admin-user-access.yaml @@ -0,0 +1,41 @@ +--- +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +- hosts: jumphost + gather_facts: true + become: false + + tasks: + - name: Configure admin user in jumphost + include_role: + name: configure-admin-user-access + tasks_from: configure-jumphost.yaml + +- hosts: baremetal + gather_facts: true + become: false + + tasks: + - name: Configure admin user in targethosts + include_role: + name: configure-admin-user-access + tasks_from: configure-targethosts.yaml + + +# vim: set ts=2 sw=2 expandtab: \ No newline at end of file diff --git a/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-jumphost.yaml b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-jumphost.yaml new file mode 100644 index 0000000..af74252 --- /dev/null +++ b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-jumphost.yaml 
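Review bot: Both plays run with `become: false` while the included tasks create users, edit `/etc/sudoers` and delete `/root/.ssh/authorized_keys`, so the playbook only works when the inventory connects as root — and because the jumphost play ends by removing root's authorized_keys, a second run (or any later play that still connects as root) will be locked out. That one-shot contract is not written down anywhere; add a header comment above the first play such as `# One-shot: run as root with the provisioning key. The last task of each role removes that key, so afterwards the nodes are reachable only as the admin user (nordix).` If a re-runnable flow is wanted, the root-key removal should be guarded or moved into a separate teardown play. The connection user is inferred from the tasks, since the inventory is not part of this change.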
@@ -0,0 +1,84 @@ +--- +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +- name: Check if '{{ admin_user }}' exists on target nodes + command: id -a {{ admin_user }} + changed_when: false + register: user_check + ignore_errors: true + +- name: Create '{{ admin_user }}' on target nodes + user: + name: "{{ admin_user }}" + groups: sudo + append: true + shell: /bin/bash + when: user_check.rc == 1 + +- name: Create directory '{{ admin_user_ssh_dir }}' on target nodes + file: + path: "{{ admin_user_ssh_dir }}" + state: directory + owner: "{{ admin_user }}" + group: "{{ admin_user }}" + mode: 0700 + +- name: Append ssh public key to authorized_keys on target nodes + lineinfile: + path: "{{ admin_user_ssh_dir }}/authorized_keys" + line: "{{ lookup('file', '{{ nolabs_user_public_key }}') }}" + create: true + state: present + owner: "{{ admin_user }}" + group: "{{ admin_user }}" + mode: 0600 + +- name: Create SSH keypair for '{{ admin_user }}' + openssh_keypair: + path: "{{ admin_user_private_key }}" + type: rsa + size: 4096 + state: present + owner: "{{ admin_user }}" + group: "{{ admin_user }}" + mode: 0600 + +- name: Fetch 
'{{ admin_user }}' SSH public key + fetch: + src: "{{ admin_user_public_key }}" + dest: "{{ admin_user_jumphost_public_key }}" + flat: true + remote_src: true + force: true + +- name: Enable passwordless sudo on target nodes + lineinfile: + path: /etc/sudoers + line: "{{ admin_user }} ALL=(ALL:ALL) NOPASSWD: ALL" + +- name: Remove nordix ssh keys + file: + path: /root/.ssh/{{ item }} + state: absent + with_items: + - id_rsa + - id_rsa.pub + - authorized_keys + +# vim: set ts=2 sw=2 expandtab: \ No newline at end of file diff --git a/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-targethosts.yaml b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-targethosts.yaml new file mode 100644 index 0000000..860b647 --- /dev/null +++ b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/tasks/configure-targethosts.yaml 
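Review bot: The 'Enable passwordless sudo' task appends to `/etc/sudoers` with `lineinfile` and no `validate`, so a typo or an unexpected `admin_user` value leaves an unparsable sudoers and locks every administrator out of sudo on the jumphost — with root's keys deleted in the very next task there is no fallback. Add `validate: '/usr/sbin/visudo -cf %s'` to the task, or better write a `/etc/sudoers.d/{{ admin_user }}` drop-in with `mode: '0440'` and the same `validate`. Two smaller points: `remote_src` and `force` are not documented parameters of `fetch` (it always reads from the remote), so they are at best ignored and may be rejected by stricter ansible-core versions, and `lookup('file', '{{ nolabs_user_public_key }}')` nests moustaches — write `lookup('file', nolabs_user_public_key)`. If the fetched public key is only needed by the baremetal play, a `slurp` plus `set_fact` here would avoid writing it to `/tmp` on the controller at all.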
@@ -0,0 +1,66 @@ +--- +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +- name: Check if '{{ admin_user }}' exists on target nodes + command: id -a {{ admin_user }} + changed_when: false + register: user_check + ignore_errors: true + +- name: Create '{{ admin_user }}' on target nodes + user: + name: "{{ admin_user }}" + groups: sudo + append: true + shell: /bin/bash + when: user_check.rc == 1 + +- name: Create directory '{{ admin_user_ssh_dir }}' on target nodes + file: + path: "{{ admin_user_ssh_dir }}" + state: directory + owner: "{{ admin_user }}" + group: "{{ admin_user }}" + mode: 0700 + +- name: Append ssh public key to authorized_keys on target nodes + lineinfile: + path: "{{ admin_user_ssh_dir }}/authorized_keys" + line: "{{ lookup('file', '{{ admin_user_jumphost_public_key }}') }}" + create: true + state: present + owner: "{{ admin_user }}" + group: "{{ admin_user }}" + mode: 0600 + +- name: Enable passwordless sudo on target nodes + lineinfile: + path: /etc/sudoers + line: "{{ admin_user }} ALL=(ALL:ALL) NOPASSWD: ALL" + +- name: Remove nordix ssh keys + file: + path: /root/.ssh/{{ item }} + state: absent + 
with_items: + - id_rsa + - id_rsa.pub + - authorized_keys + +# vim: set ts=2 sw=2 expandtab: \ No newline at end of file diff --git a/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/vars/main.yaml b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/vars/main.yaml new file mode 100644 index 0000000..7292c81 --- /dev/null +++ b/infra/configure_admin_user_access/playbooks/roles/configure-admin-user-access/vars/main.yaml @@ -0,0 +1,28 @@ +--- +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +# ------------------------------------------------------------------------------- +# Admin User Setup +# ------------------------------------------------------------------------------- +admin_user: 'nordix' +admin_user_ssh_dir: "/home/{{ admin_user }}/.ssh" +admin_user_private_key: "/home/{{ admin_user }}/.ssh/id_rsa" +admin_user_public_key: "/home/{{ admin_user }}/.ssh/id_rsa.pub" +admin_user_jumphost_public_key: "/tmp/{{ admin_user }}_id_rsa.pub" +nolabs_user_public_key: "/tmp/nolabs/id_rsa.pub" \ No newline at end of file 
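Review bot: Every baremetal host grants NOPASSWD root to whatever key sits in `/tmp/{{ admin_user }}_id_rsa.pub` on the Ansible controller when this play runs; that is a fixed name in a world-writable directory, so on a shared controller any local process can swap the file between the jumphost play and this one and obtain root on the whole cluster. Pass the key in memory instead: have the jumphost play `slurp` the public key into a fact (e.g. `admin_user_jumphost_pubkey`), then authorize `hostvars[groups['jumphost'][0]]` here with the `authorized_key` module, which also validates the key format and owns the file permissions. The sudoers task has the same missing-`validate` problem as the jumphost variant. Whether the controller is shared depends on the Jenkins agent layout, which the patch does not show.
```yaml
- name: Authorize the jumphost key for '{{ admin_user }}' on target nodes
  authorized_key:
    user: "{{ admin_user }}"
    # fact exported by the jumphost play (slurp of admin_user_public_key),
    # so the key never passes through a shared /tmp on the controller
    key: "{{ hostvars[groups['jumphost'][0]]['admin_user_jumphost_pubkey'] }}"
    state: present

- name: Enable passwordless sudo for '{{ admin_user }}' on target nodes
  lineinfile:
    path: /etc/sudoers
    line: "{{ admin_user }} ALL=(ALL:ALL) NOPASSWD: ALL"
    validate: '/usr/sbin/visudo -cf %s'
# … unchanged: user check/creation, .ssh directory, root key removal …
```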
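Review bot: Both key paths live in `/tmp` on the controller — `nolabs_user_public_key` is what gets root-equivalent access to the jumphost and `admin_user_jumphost_public_key` what gets it on every baremetal node — yet nothing here says where they come from or who writes them. Document that above the variables, e.g. `# Controller-side paths: nolabs_user_public_key is supplied by the self-service portal job; admin_user_jumphost_public_key is written by the jumphost play and consumed by the targethosts play.`, and prefer a job-private directory (or an in-memory fact) over a fixed name in /tmp, since a stale or planted file there becomes an authorized key. The portal-job origin is taken from the commit message, not from anything visible in this hunk. The file also lacks a trailing newline.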
diff --git a/infra/configure_k8s_admin_config/deploy.sh b/infra/configure_k8s_admin_config/deploy.sh
new file mode 100755
index 0000000..597289a
--- /dev/null
+++ b/infra/configure_k8s_admin_config/deploy.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# ============LICENSE_START=======================================================
+# Copyright (C) 2021 The Nordix Foundation. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+#-------------------------------------------------------------------------------
+# Configure k8s admin config in Jumphost
+#-------------------------------------------------------------------------------
+echo "Info: Configuring k8s admin config in Jumphost"
+echo "-------------------------------------------------------------------------"
+
+export INVENTORY_FILE="${INVENTORY_FILE:-/tmp/inventory.ini}"
+
+ansible-playbook -i "$INVENTORY_FILE" playbooks/configure-k8s-admin-config.yaml
+
+
+# vim: set ts=2 sw=2 expandtab:
\ No newline at end of file
diff --git a/infra/configure_k8s_admin_config/playbooks/configure-k8s-admin-config.yaml b/infra/configure_k8s_admin_config/playbooks/configure-k8s-admin-config.yaml
new file mode 100644
index 0000000..1472c5f
--- /dev/null
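Review bot: This script is a line-for-line copy of `infra/configure_admin_user_access/deploy.sh` with only the banner and playbook name changed, and it inherits the same two problems: the `playbooks/...` path is resolved against the caller's cwd, and `INVENTORY_FILE` silently defaults to the world-writable `/tmp/inventory.ini`. Add `cd "$(dirname "${BASH_SOURCE[0]}")"` before `ansible-playbook`, and consider one shared wrapper that takes the playbook path as an argument so the fix lives in a single place.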
+++ b/infra/configure_k8s_admin_config/playbooks/configure-k8s-admin-config.yaml @@ -0,0 +1,31 @@ +--- +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +- hosts: jumphost + gather_facts: true + become: false + + tasks: + - name: Configure k8s admin config in jumphost + include_role: + name: configure-k8s-admin-config + tasks_from: configure-jumphost.yaml + + +# vim: set ts=2 sw=2 expandtab: \ No newline at end of file diff --git a/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/tasks/configure-jumphost.yaml b/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/tasks/configure-jumphost.yaml new file mode 100644 index 0000000..0b4feea --- /dev/null +++ b/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/tasks/configure-jumphost.yaml 
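Review bot: The play runs `become: false` while the role installs binaries into `/usr/local/bin` as `root:root`, so it depends on the inventory connecting as root — but if it runs after `configure-admin-user-access`, that role has already deleted `/root/.ssh/authorized_keys` on the jumphost and the only remaining login is `nordix`. Unless the inventory is switched to `ansible_user=nordix` between the two jobs (not shown here), this play cannot connect; either way, state the expected order and user in a comment above the play, e.g. `# Runs after configure-admin-user-access: connect as the admin user and escalate with become.`, and set `become: true` so it works with the non-root login that role leaves behind.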
@@ -0,0 +1,73 @@ +--- +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +- name: Create '{{ admin_user_kube_dir }}' folder + file: + path: "{{ admin_user_kube_dir }}" + state: "{{ item }}" + owner: "{{ admin_user }}" + group: "{{ admin_user }}" + mode: 0700 + with_items: + - absent + - directory + +- name: Copy kubernetes admin.conf to '{{ admin_user_kube_dir }}' + copy: + src: "{{ k8s_admin_conf }}" + dest: "{{ admin_user_kube_dir }}/config" + owner: "{{ admin_user }}" + group: "{{ admin_user }}" + mode: 0644 + +- name: Download kubectl and place it to /usr/local/bin + get_url: + url: "{{ kubectl_download_url }}" + dest: /usr/local/bin/kubectl + owner: root + group: root + mode: 0755 + +- name: Download helm client + unarchive: + src: "{{ helm_client_download_url }}" + dest: /tmp + remote_src: true + +- name: Place helm binary to /usr/local/bin + copy: + src: "/tmp/linux-amd64/{{ item }}" + dest: "/usr/local/bin/{{ item }}" + remote_src: true + owner: root + group: root + mode: 0755 + with_items: + - helm + +- name: Delete temporary files and folders + file: + path: "{{ item }}" + state: absent + with_items: + - 
"/tmp/helm-{{ helm_version }}-linux-amd64.tar.gz" + - "/tmp/linux-amd64" + + +# vim: set ts=2 sw=2 expandtab: \ No newline at end of file diff --git a/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/vars/main.yaml b/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/vars/main.yaml new file mode 100644 index 0000000..ede070e --- /dev/null +++ b/infra/configure_k8s_admin_config/playbooks/roles/configure-k8s-admin-config/vars/main.yaml 
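Review bot: Neither the `get_url` of kubectl nor the `unarchive` of the helm tarball verifies a checksum, so whatever the CDN returns — truncated, tampered or a different build — is installed executable in `/usr/local/bin` with `0755`; both upstreams publish SHA-256 digests beside the artifacts for exactly this purpose. Pin the digests in vars (say `kubectl_sha256` and `helm_client_sha256` next to the versions) and verify them, which for helm means downloading with `get_url` first and unarchiving the local file. Separately, the copied `admin.conf` is a cluster-admin credential written with `mode: 0644`; `0600` is the usual kubeconfig permission (kubectl warns on group/world-readable configs) and nothing in this role needs it wider. The `absent`-then-`directory` loop also wipes any other contexts the user had in `~/.kube` on every run; if that is intended, a comment saying so would help.
```yaml
- name: Download kubectl and place it to /usr/local/bin
  get_url:
    url: "{{ kubectl_download_url }}"
    # digest pinned in vars/main.yaml next to kubectl_version
    checksum: "sha256:{{ kubectl_sha256 }}"
    dest: /usr/local/bin/kubectl
    owner: root
    group: root
    mode: "0755"

- name: Download helm client tarball
  get_url:
    url: "{{ helm_client_download_url }}"
    checksum: "sha256:{{ helm_client_sha256 }}"
    dest: "/tmp/helm-{{ helm_version }}-linux-amd64.tar.gz"
    mode: "0644"

- name: Unpack helm client
  unarchive:
    src: "/tmp/helm-{{ helm_version }}-linux-amd64.tar.gz"
    dest: /tmp
    remote_src: true
# … unchanged: copy helm to /usr/local/bin, delete temporary files …
```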
@@ -0,0 +1,42 @@ +--- +# ============LICENSE_START======================================================= +# Copyright (C) 2021 The Nordix Foundation. All rights reserved. +# ================================================================================ +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# SPDX-License-Identifier: Apache-2.0 +# ============LICENSE_END========================================================= + +# ------------------------------------------------------------------------------- +# Kubernetes: Kubernetes and kubectl versions +# ------------------------------------------------------------------------------- +# Kubernetes version that is supported by the pinned kubespray version +kubernetes_version: "v1.18.5" +# version of the kubectl should generally match to the version of kubernetes itself +# but it would be good to have possibility to override it in case if someone needs it for some reason +kubectl_version: "{{ kubernetes_version }}" +kubectl_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubectl_version }}/bin/linux/amd64/kubectl" + +# ------------------------------------------------------------------------------- +# Kubernetes: App versions +# ------------------------------------------------------------------------------- +helm_version: "v3.5.0" +helm_client_download_url: "https://get.helm.sh/helm-{{ helm_version }}-linux-amd64.tar.gz" + +# 
------------------------------------------------------------------------------- +# Setup k8s admin config +# ------------------------------------------------------------------------------- +engine_cache: '/opt/engine/.cache' +k8s_admin_conf: "{{ engine_cache }}/repos/kubespray/inventory/engine/artifacts/admin.conf" +admin_user: 'nordix' +admin_user_kube_dir: "/home/{{ admin_user }}/.kube" \ No newline at end of file -- 2.25.1
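Review bot: The vars pin versions but not digests, so the tasks that consume `kubectl_download_url` and `helm_client_download_url` have nothing to verify the download against; add `kubectl_sha256` and `helm_client_sha256` here, taken from the `.sha256` file Kubernetes publishes beside the binary and the `.sha256sum` file Helm publishes beside the tarball, so a version bump and its digest change in the same place. Two documentation points: the comment says v1.18.5 is what "the pinned kubespray version" supports but not where that pin lives, and nothing says `k8s_admin_conf` is a controller-side path read by `copy` — one line on each, e.g. `# controller-side path; copied to the jumphost by the role`, would save the next maintainer a search. `storage.googleapis.com/kubernetes-release` is the legacy bucket and `https://dl.k8s.io/release/...` serves the same path per upstream docs, though I have not checked which versions the legacy bucket still serves.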