OCP Post Install scripts
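---
# OCP 3.x post-install steps (oadm-era CLI), run once on the first master.
# Every oc/oadm call in this play uses root's admin kubeconfig on that
# master, i.e. runs as cluster-admin -- keep the host and this playbook
# under tight control.
- name: perform postinstallation steps
  hosts: masters[0]
  tasks:
    - block:
        # NOTE(review): both PVs below are hostPath. The backing directory
        # only exists on the node the consuming pod happens to land on, and
        # this play neither creates the directory nor pins the pods to a
        # node. hostPath also gives the pod direct node-filesystem access;
        # prefer NFS/Gluster/cloud volumes for anything multi-node.
        # The Cassandra PV uses Recycle: releasing the claim scrubs
        # /var/lib/cassandra via a recycler pod (rm -rf) -- metrics history
        # is gone. Use Retain (as the registry PV does) if that is not wanted.
        - name: create yaml for cassandra pv
          copy:
            content: |
              apiVersion: v1
              kind: PersistentVolume
              metadata:
                name: cassandra-1
              spec:
                capacity:
                  storage: 100G
                accessModes:
                  - ReadWriteOnce
                hostPath:
                  path: /var/lib/cassandra
                persistentVolumeReclaimPolicy: Recycle
            dest: /root/pv-metrics-cassandra.yml

        # `oc apply` rather than `oc create`: a re-run after the manifest was
        # edited no longer fails with AlreadyExists. apply prints "unchanged"
        # when the live object already matches, which drives changed_when.
        - name: create cassandra pv
          command: oc apply -f /root/pv-metrics-cassandra.yml
          register: cassandra_pv
          changed_when: "'unchanged' not in cassandra_pv.stdout"

        - name: create yaml for registry pv
          copy:
            content: |
              apiVersion: v1
              kind: PersistentVolume
              metadata:
                name: registry-1
              spec:
                capacity:
                  storage: 200G
                accessModes:
                  - ReadWriteOnce
                hostPath:
                  path: /var/lib/registry
                persistentVolumeReclaimPolicy: Retain
            dest: /root/pv-docker-registry.yml

        - name: create registry pv
          command: oc apply -f /root/pv-docker-registry.yml
          register: registry_pv
          changed_when: "'unchanged' not in registry_pv.stdout"

        # Adds gid 65534 (nfsnobody) to the registry pod so it can write a
        # group-writable volume. With the hostPath PV above that only works
        # if /var/lib/registry on the scheduled node is group-owned/writable
        # by that gid -- nothing in this play prepares it. It also grants
        # the pod access to everything on the node that is group-accessible
        # to nfsnobody. `command` (not `shell`): the JSON is passed as a
        # single argv entry, no shell involved. Not change-aware: reports
        # changed on every run.
        - name: patch docker-registry to use nfsnobody group
          command: >-
            oc patch dc docker-registry -n default
            -p '{"spec":{"template":{"spec":{"securityContext":{"supplementalGroups":[65534]}}}}}'

        - name: create yaml for registry pvc
          copy:
            content: |
              apiVersion: v1
              kind: PersistentVolumeClaim
              metadata:
                name: docker-registry-1
              spec:
                resources:
                  requests:
                    storage: 200G
                accessModes:
                  - ReadWriteOnce
            dest: /root/pvc-docker-registry.yml

        - name: claim registry pv
          command: oc apply -n default -f /root/pvc-docker-registry.yml
          register: registry_pvc
          changed_when: "'unchanged' not in registry_pvc.stdout"

        # Not change-aware: reports changed on every run.
        - name: patch docker-registry to use pvc
          command: >-
            oc volume dc docker-registry -n default
            --add --overwrite --name=registry-storage
            --type=persistentVolumeClaim --claim-name=docker-registry-1
      tags:
        - pv

    - block:
        # route=public is the ROUTE_LABELS selector applied to the default
        # router in the `router` block, so this exposes the Hawkular metrics
        # endpoint through the public router -- confirm that is intended.
        # The loop values are static here, but `command` passes them as
        # argv without any shell interpretation regardless.
        - name: label route
          command: oc label route {{ item.route }} -n {{ item.namespace }} route=public --overwrite
          with_items:
            - route: hawkular-metrics
              namespace: openshift-infra
      tags:
        - route

    - block:
        # Deployment/build pruning runs from root's crontab with the admin
        # kubeconfig, i.e. as cluster-admin. Only image pruning below uses a
        # dedicated least-privilege service account.
        - name: setup deployment prune cron job
          cron:
            name: deployments
            hour: "4"
            minute: "10"
            job: /bin/oadm prune deployments --orphans --confirm

        - name: setup build prune cron job
          cron:
            name: builds
            hour: "4"
            minute: "30"
            job: /bin/oadm prune builds --orphans --confirm

        - name: get service accounts
          command: oc get sa -n default -o name
          register: serviceaccounts
          changed_when: false

        - name: create service account pruner
          command: oc create sa -n default pruner
          when: '"serviceaccount/pruner" not in serviceaccounts.stdout_lines'

        # Bind the role on every run, not only when the SA was just created:
        # add-cluster-role-to-user is idempotent, and guarding it on the
        # create task leaves an unprivileged SA behind if a previous run died
        # between the two tasks.
        - name: grant image-pruner role to pruner
          command: oadm policy add-cluster-role-to-user system:image-pruner system:serviceaccount:default:pruner

        # The SA token is expanded onto oadm's command line, so for the
        # duration of the prune it is readable in /proc/<pid>/cmdline (ps)
        # by every local user on this master. Acceptable on a locked-down
        # master; otherwise have a root-only wrapper script write the token
        # into a 0600 kubeconfig and call oadm with --config instead.
        - name: setup image prune cron job
          cron:
            name: images
            hour: "4"
            minute: "50"
            job: '/bin/oadm --token=$(/bin/oc sa get-token pruner -n default) prune images --confirm'
      tags:
        - prune

    - block:
        # With ROUTE_LABELS set, the default (public) router admits only
        # routes labelled route=public.
        - name: set public route label
          command: oc set env dc/router -n default ROUTE_LABELS="route=public"

        # `oc adm router` is not idempotent (fails if the router exists),
        # so only create it when the DC is absent. The namespace is given
        # explicitly instead of relying on root's current project.
        - name: check for private router
          command: oc get dc private-router -n default -o name
          register: private_router
          failed_when: false
          changed_when: false

        # NOTE(review): the private router gets no ROUTE_LABELS, so it
        # admits every route in the cluster, public ones included; set
        # ROUTE_LABELS="router=private"-style selection on it if that is not
        # intended. Its pods land only on nodes labelled router=private,
        # which this play does not apply.
        - name: create private router
          command: oc adm router private-router -n default --replicas=2 --selector="router=private" --labels="router=private"
          when: private_router.rc != 0

        # Reuses the public router's TLS key pair (secret router-certs in
        # default); that certificate must also cover the hostnames served by
        # the private router.
        - name: set private router certificates
          command: >-
            oc volume dc/private-router -n default
            --add --overwrite --name=server-certificate
            --type=secret --secret-name=router-certs
      tags:
        - router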
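- name: implement log segregation
  hosts: OSEv3
  # Site-specific values; override from inventory / group_vars (or vault).
  # The defaults are the values previously hard-coded in this play -- they
  # belong in inventory, not in a shared playbook. Prefixed `postinstall_`
  # to stay clear of the openshift-ansible `openshift_*` variable namespace.
  vars:
    postinstall_upstream_dns_servers:
      - "10.80.11.251"
      - "10.80.3.254"
      - "10.1.134.59"
    postinstall_apps_domain: apps.ocp.sq.com.sg
    postinstall_apps_router_ip: "10.68.9.221"
  tasks:
    - block:
        # Divert OpenShift/docker/etcd/OVS/dnsmasq journal entries to
        # /var/log/openshift and stop further processing so they do not also
        # land in /var/log/messages. Both directives are written as one
        # managed block: with two lineinfile tasks the `^& stop$` regexp
        # would match any other `& stop` already present in rsyslog.conf and
        # the stop would never be placed after the filter line. The
        # programname regex is deliberately unanchored (atomic-openshift-*,
        # dockerd-current, ...).
        - name: redirect openshift related logs to its own log file
          blockinfile:
            path: /etc/rsyslog.conf
            marker: "# {mark} ANSIBLE MANAGED BLOCK: openshift log segregation"
            insertafter: 'imjournal.state$'
            block: |
              :programname,ereregex,"openshift|docker|oci|etcd|openvswitch|ovs|dnsmasq" /var/log/openshift
              & stop
          register: rsyslog_conf

        - name: restart rsyslog
          systemd:
            name: rsyslog
            state: restarted
          when: rsyslog_conf.changed

        # `rotate 2` keeps only about two days of master/etcd/docker logs on
        # the node -- little for incident forensics, so ship them to a
        # central log store as well. Rotated files are created root-only
        # readable so anything the daemons log at raised log levels is not
        # world-readable; assumes rsyslog runs as root (RHEL 7 default) so
        # it can still write the file.
        - name: add openshift related log rotation
          copy:
            content: |
              /var/log/openshift
              {
                daily
                rotate 2
                missingok
                create 0640 root root
                sharedscripts
                postrotate
                  /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
                endscript
              }
            dest: /etc/logrotate.d/openshift
            owner: root
            group: root
            mode: "0644"
      tags:
        - log

    - block:
        # Node-local dnsmasq: upstream resolvers plus a wildcard record that
        # sends *.<apps domain> to the router address. Rendered from the play
        # vars above; with the defaults the file content is unchanged.
        - name: finalize dns setup
          copy:
            content: |
              {% for server in postinstall_upstream_dns_servers %}
              server={{ server }}
              {% endfor %}
              address=/.{{ postinstall_apps_domain }}/{{ postinstall_apps_router_ip }}
            dest: /etc/dnsmasq.d/sia-upstream.conf
            owner: root
            group: root
            mode: "0644"
          register: dnsmasq

        - name: restart dnsmasq
          systemd:
            name: dnsmasq
            state: restarted
          when: dnsmasq.changed
      tags:
        - dns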