diff --git a/galaxy.yml b/galaxy.yml index 3bc8832..f21fbd3 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -24,10 +24,11 @@ tags: dependencies: ansible.posix: ">=1.0.0" + community.crypto: ">=2.0.0" repository: https://github.com/agnosticd/osp-on-ocp documentation: https://github.com/agnosticd/osp-on-ocp homepage: https://github.com/agnosticd/osp-on-ocp issues: https://github.com/agnosticd/osp-on-ocp/issues -build_ignore: [] \ No newline at end of file +build_ignore: [] diff --git a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml index a0dac06..82c9602 100644 --- a/roles/ocp4_workload_rhoso_deployment/defaults/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/defaults/main.yml 
@@ -19,12 +19,23 @@ ocp4_workload_rhoso_deployment_guid: "{{ guid }}" ocp4_workload_rhoso_deployment_bastion_ssh_private_key: "{{ bastion_ssh_key_path | default('~/.ssh/bastion_' ~ guid) }}" ocp4_workload_rhoso_deployment_bastion_ssh_public_key: "{{ bastion_ssh_pubkey_path | default('~/.ssh/bastion_' ~ guid ~ '.pub') }}" +# ============================================================================ +# Inventory hostnames — must match what AgnosticD sets in add_host +# ============================================================================ +ocp4_workload_rhoso_deployment_nfs_host: "nfsserver" +ocp4_workload_rhoso_deployment_compute_host: "compute01" + # ============================================================================ # Content files — OpenStack YAML manifests shipped in the role's files/ dir. # The role copies these to a working directory on the bastion, then applies them. # ============================================================================ ocp4_workload_rhoso_deployment_files_directory: "openstack-files" +# Full working directory path on the bastion. +# Uses /tmp to ensure it is writable by any SSH connection user. +# Override to use a different absolute path. +ocp4_workload_rhoso_deployment_workdir: "/tmp/{{ ocp4_workload_rhoso_deployment_files_directory }}" + # Manifest files shipped under roles/ocp4_workload_rhoso_deployment/files/ ocp4_workload_rhoso_deployment_content_files: - osp-ng-nncp-w1.yaml diff --git a/roles/ocp4_workload_rhoso_deployment/handlers/main.yml b/roles/ocp4_workload_rhoso_deployment/handlers/main.yml index e0ed1cc..d0e4ecf 100644 --- a/roles/ocp4_workload_rhoso_deployment/handlers/main.yml +++ b/roles/ocp4_workload_rhoso_deployment/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: Restart nfs-server ansible.builtin.raw: systemctl restart nfs-server - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true 
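Review bot: `ocp4_workload_rhoso_deployment_workdir` now defaults to a fixed, predictable path under the shared `/tmp`, and data_plane.yml generates the nova migration private key there (`path: "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key"`) while install_operators.yml creates that directory with `mode: "0755"`; unlike the previous `$HOME` location, any other local user on the bastion can pre-create the directory or a file at the key path before the role runs, and the key stays there until remove_workload.yml is executed. At minimum the directory should be created with `mode: "0700"` in install_operators.yml, or the default should be derived from the connection user's home (or a per-run `ansible.builtin.tempfile` directory), with the defaults comment stating that the private key lands in this directory. Separately, the new default `ocp4_workload_rhoso_deployment_nfs_host: "nfsserver"` replaces the literal `nfs-server` that handlers/main.yml and nfs_server.yml used before; if the inventory name really is `nfsserver` the comment should say so explicitly, otherwise these delegations now target a host that does not exist.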
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml b/roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml index 46c6feb..ac34e2f 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/control_plane.yml @@ -1,7 +1,7 @@ --- - name: Read Cinder NFS configuration file ansible.builtin.slurp: - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/nfs-cinder-conf" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/nfs-cinder-conf" register: _ocp4_workload_rhoso_deployment_nfs_cinder_conf delegate_to: bastion @@ -33,7 +33,7 @@ - name: Create OpenStack Control Plane kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-ctlplane-deploy.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-ctlplane-deploy.yaml" retries: 5 delay: 10 delegate_to: bastion diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml index 7c2b748..92275a4 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/data_plane.yml @@ -2,13 +2,13 @@ - name: Apply data plane network configuration kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-netconfig.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-netconfig.yaml" delegate_to: bastion - name: Set hostname for compute node ansible.builtin.hostname: name: "{{ ocp4_workload_rhoso_deployment_compute_nodes[0].hostname }}" - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true - name: Configure static eth1 interface for control plane 
@@ -17,7 +17,7 @@ nmcli con add con-name "static-eth1" ifname eth1 type ethernet ip4 {{ ocp4_workload_rhoso_deployment_compute_nodes[0].ctlplane_ip }}/24 ipv4.dns "172.22.0.89" - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true register: _ocp4_workload_rhoso_deployment_compute_eth1 changed_when: >- @@ -30,7 +30,7 @@ - name: Activate static-eth1 connection on compute ansible.builtin.command: cmd: nmcli con up "static-eth1" - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true changed_when: true @@ -39,7 +39,7 @@ cmd: >- nmcli con add con-name "eth0-dhcp" ifname eth0 type ethernet ipv4.method auto ipv6.method ignore - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true register: _ocp4_workload_rhoso_deployment_compute_eth0 changed_when: >- @@ -52,14 +52,14 @@ - name: Activate eth0-dhcp connection on compute ansible.builtin.command: cmd: nmcli con up "eth0-dhcp" - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true changed_when: true - name: Set stable ID for eth0 connection on compute ansible.builtin.command: cmd: nmcli con mod eth0-dhcp connection.stable-id user-set - delegate_to: compute01 + delegate_to: "{{ ocp4_workload_rhoso_deployment_compute_host }}" become: true changed_when: true @@ -90,7 +90,7 @@ - name: Generate nova migration SSH key pair community.crypto.openssh_keypair: - path: "{{ ansible_env.HOME }}/nova-migration-key" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key" type: ecdsa size: 521 force: false 
@@ -101,8 +101,8 @@ src: "{{ item }}" register: _ocp4_workload_rhoso_deployment_nova_keys loop: - - "{{ ansible_env.HOME }}/nova-migration-key" - - "{{ ansible_env.HOME }}/nova-migration-key.pub" + - "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key" + - "{{ ocp4_workload_rhoso_deployment_workdir }}/nova-migration-key.pub" delegate_to: bastion - name: Create nova migration SSH key secret @@ -193,7 +193,7 @@ - name: Apply data plane node set kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-node-set-deploy.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-node-set-deploy.yaml" retries: 5 delay: 10 delegate_to: bastion @@ -201,7 +201,7 @@ - name: Apply data plane deployment kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-dataplane-deployment.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-dataplane-deployment.yaml" retries: 5 delay: 10 delegate_to: bastion @@ -236,7 +236,7 @@ - name: Display Data Plane Deployment status ansible.builtin.debug: - msg: | + msg: |- === OpenStack Data Plane Deployment Status === Message: {{ _ocp4_workload_rhoso_deployment_dp_status.resources[0].status.get('message', 'No message') }} Conditions: {{ _ocp4_workload_rhoso_deployment_dp_status.resources[0].status.get('conditions', []) | map(attribute='type') | list }} diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml b/roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml index 53c0844..4796a74 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/install_operators.yml 
@@ -1,7 +1,7 @@ --- - name: Create working directory for OpenStack files ansible.builtin.file: - path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}" state: directory mode: "0755" delegate_to: bastion @@ -9,7 +9,7 @@ - name: Copy OpenStack configuration files to working directory ansible.builtin.copy: src: "{{ item }}" - dest: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item }}" + dest: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item }}" mode: "0644" loop: "{{ ocp4_workload_rhoso_deployment_content_files }}" delegate_to: bastion @@ -32,7 +32,7 @@ - name: Replace UUID placeholder with guid in manifest files ansible.builtin.replace: - path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item }}" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item }}" regexp: "UUID" replace: "{{ ocp4_workload_rhoso_deployment_guid }}" loop: "{{ ocp4_workload_rhoso_deployment_uuid_replacement_files }}" @@ -40,7 +40,7 @@ - name: Replace external IP placeholders for worker nodes ansible.builtin.replace: - path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/{{ item.file }}" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}/{{ item.file }}" regexp: "{{ item.placeholder }}" replace: "{{ item.value }}" loop: @@ -58,7 +58,7 @@ - name: Apply OpenStack operator OperatorGroup and Subscription kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-openstack-operator.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-openstack-operator.yaml" delegate_to: bastion - name: Wait for OpenStack operator install plan 
@@ -114,7 +114,7 @@ - name: Initialize the OpenStack operator kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-openstack-operator-init.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-openstack-operator-init.yaml" delegate_to: bastion - name: Wait for OpenStack operator to be ready diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml b/roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml index fc86b90..cbf5cd0 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/network_isolation.yml @@ -2,19 +2,19 @@ - name: Apply NodeNetworkConfigurationPolicy for worker node 1 kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w1.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w1.yaml" delegate_to: bastion - name: Apply NodeNetworkConfigurationPolicy for worker node 2 kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w2.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w2.yaml" delegate_to: bastion - name: Apply NodeNetworkConfigurationPolicy for worker node 3 kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-nncp-w3.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-nncp-w3.yaml" delegate_to: bastion - name: Wait for all NNCPs to be created 
@@ -55,7 +55,7 @@ - name: Apply NetworkAttachmentDefinitions for isolated networks kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-netattach.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-netattach.yaml" delegate_to: bastion - name: Wait for MetalLB additional CRDs @@ -75,7 +75,7 @@ - name: Apply MetalLB IP address pools kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-metal-lb-ip-address-pools.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-metal-lb-ip-address-pools.yaml" retries: 5 delay: 10 delegate_to: bastion @@ -83,7 +83,7 @@ - name: Apply MetalLB L2 advertisements kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-metal-lb-l2-advertisements.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-metal-lb-l2-advertisements.yaml" retries: 5 delay: 10 delegate_to: bastion diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml b/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml index e5e6872..0f9cf4e 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/nfs_server.yml @@ -9,7 +9,7 @@ {{ ocp4_workload_rhoso_deployment_nfs_cinder_path }} {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true @@ -20,7 +20,7 @@ {{ ocp4_workload_rhoso_deployment_nfs_glance_path }} *(rw,sync,no_root_squash) {{ ocp4_workload_rhoso_deployment_nfs_aap_path }} *(rw,sync,no_root_squash) EXPORTS - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true notify: Restart nfs-server 
@@ -30,31 +30,31 @@ nmcli con show "static-eth1" 2>/dev/null || nmcli con add con-name "static-eth1" ifname eth1 type ethernet ip4 {{ ocp4_workload_rhoso_deployment_nfs_server_ip }}/24 - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true - name: Activate static network connection on NFS server ansible.builtin.raw: nmcli con up "static-eth1" - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true - name: Start and enable NFS server ansible.builtin.raw: systemctl enable --now nfs-server - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true - name: Export NFS shares ansible.builtin.raw: exportfs -ra - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true changed_when: true - name: Verify NFS exports ansible.builtin.raw: exportfs -v - delegate_to: nfs-server + delegate_to: "{{ ocp4_workload_rhoso_deployment_nfs_host }}" become: true register: _ocp4_workload_rhoso_deployment_nfs_exports changed_when: false diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml b/roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml index fcc2669..1163b97 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml +++ b/roles/ocp4_workload_rhoso_deployment/tasks/remove_workload.yml @@ -101,7 +101,7 @@ - name: Clean up working directory on bastion ansible.builtin.file: - path: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}" + path: "{{ ocp4_workload_rhoso_deployment_workdir }}" state: absent delegate_to: bastion diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/security.yml b/roles/ocp4_workload_rhoso_deployment/tasks/security.yml index 24f3ff2..253e166 100644 --- a/roles/ocp4_workload_rhoso_deployment/tasks/security.yml 
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/security.yml @@ -2,7 +2,7 @@ - name: Create OpenStack control plane secret kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-ctlplane-secret.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-ctlplane-secret.yaml" delegate_to: bastion - name: Verify osp-secret was created @@ -18,7 +18,7 @@ - name: Create libvirt secret kubernetes.core.k8s: state: present - src: "{{ ansible_env.HOME }}/{{ ocp4_workload_rhoso_deployment_files_directory }}/osp-ng-libvirt-secret.yaml" + src: "{{ ocp4_workload_rhoso_deployment_workdir }}/osp-ng-libvirt-secret.yaml" delegate_to: bastion - name: Verify libvirt-secret was created diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml b/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml new file mode 100644 index 0000000..66f5e55 --- /dev/null +++ b/roles/ocp4_workload_rhoso_deployment/tasks/setup_hosts.yml 
@@ -0,0 +1,24 @@
+---
+# AgnosticD excludes isolated VMs from direct SSH plays (hosts: all:!isolated)
+# so no SSH proxy is configured for them in the EE inventory.
+# We configure the proxy here using variables AgnosticD already sets:
+# public_ip_address: bastion external SSH hostname
+# bastion_ssh_port: bastion NodePort
+# ansible_user: cloud-user
+#
+# ProxyCommand (not ProxyJump) is used so that -o StrictHostKeyChecking=no
+# and -o UserKnownHostsFile=/dev/null apply to BOTH the bastion hop and
+# the final VM connection, preventing interactive host-key prompts in AAP.
+- name: Configure isolated VM connections via bastion ProxyCommand
+ ansible.builtin.add_host:
+ name: "{{ item }}"
+ ansible_ssh_common_args: >-
+ -o StrictHostKeyChecking=no
+ -o UserKnownHostsFile=/dev/null
+ -o "ProxyCommand=ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null
+ -W %h:%p -p {{ hostvars[item]['bastion_ssh_port'] }}
+ {{ hostvars[item]['ansible_user'] | default('cloud-user') }}@{{ hostvars[item]['public_ip_address'] }}"
+ loop:
+ - "{{ ocp4_workload_rhoso_deployment_nfs_host }}"
+ - "{{ ocp4_workload_rhoso_deployment_compute_host }}"
diff --git a/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml b/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
index 43cde98..8440fdc 100644
--- a/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
+++ b/roles/ocp4_workload_rhoso_deployment/tasks/workload.yml
@@ -1,4 +1,7 @@
 ---
+- name: Set up bastion ProxyCommand for isolated VM connections
+ ansible.builtin.include_tasks: setup_hosts.yml
+
 - name: Prerequisites — install NMState, MetalLB, verify cert-manager
 ansible.builtin.include_tasks: prerequisites.yml
 when: ocp4_workload_rhoso_deployment_phase_prerequisites | bool
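Review bot: The `ansible_ssh_common_args` built in setup_hosts.yml turns off host-key verification on both hops (`-o StrictHostKeyChecking=no` together with `-o UserKnownHostsFile=/dev/null`), so the connection that later runs privileged commands on the NFS and compute hosts cannot detect a substituted bastion endpoint or VM. A non-interactive alternative that still pins keys is `-o StrictHostKeyChecking=accept-new` with a persistent known-hosts file on the controller, which avoids prompts in AAP yet reports a changed key on later runs; if `no` is kept, the header comment should state that host-key verification is deliberately disabled and why that is acceptable here. Also, `hostvars[item]['bastion_ssh_port']` and `hostvars[item]['public_ip_address']` carry no `default` while `ansible_user` does, so an inventory missing either value fails inside the add_host with an undefined-variable error rather than a clear message; an `ansible.builtin.assert` on those two values before the add_host would make the failure explicit.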