From 761acb63ea2095b632aab63bd6f3b03cc08f5c1a Mon Sep 17 00:00:00 2001 From: Johnathan Kupferer Date: Wed, 12 Jul 2023 15:06:46 -0400 Subject: [PATCH] CFME Playbook Integration Fixes * Fix to dynamically get user namespace name * Add creation of Identities * Exclude catalog and last_update from AnarchyGovernor __meta__ comparison * Dynamically get tower/controller secrets --- playbooks/service-destroy.yaml | 53 +++---------- playbooks/service-lifecycle.yaml | 52 +++---------- playbooks/service-provision.yaml | 111 +++++++++++++++++----------- playbooks/service-status.yaml | 36 ++------- playbooks/tasks/write-tower-rc.yaml | 37 ++++++++++ 5 files changed, 133 insertions(+), 156 deletions(-) create mode 100644 playbooks/tasks/write-tower-rc.yaml diff --git a/playbooks/service-destroy.yaml b/playbooks/service-destroy.yaml index d92faa2fc..2f191ce04 100644 --- a/playbooks/service-destroy.yaml +++ b/playbooks/service-destroy.yaml @@ -134,9 +134,12 @@ until: >- 'destroying' == r_subject.resources[0].spec.vars.current_state|default('') - - name: Save the tower job + - name: Set tower_host and tower_job set_fact: - tower_job: "{{ r_subject.resources[0].status.towerJobs.destroy.deployerJob }}" + tower_host: "{{ __anarchy_subject.status.towerJobs.destroy.towerHost }}" + tower_job: "{{ __anarchy_subject.status.towerJobs.destroy.deployerJob }}" + vars: + __anarchy_subject: "{{ r_subject.resources[0] }}" - name: Delete without resource claim when: resource_claim is undefined @@ -214,44 +217,12 @@ deployer_job != '' and deployer_job != subject.status.towerJobs.destroy.deployerJob | default('') - - name: Save the tower job + - name: Set tower_host and tower_job set_fact: - tower_job: "{{ r_subject.resources[0].status.towerJobs.destroy.deployerJob }}" - - - name: Get Tower credentials and access information - k8s_info: - kubeconfig: "{{ kubeconfig }}" - api_version: v1 - kind: Secret - namespace: "{{ anarchy_namespace }}" - name: babylon-tower - register: r_babylon_tower_secret - - - fail: - msg: "babylon-tower secret not found" - when: r_babylon_tower_secret.resources | length == 0 - - - set_fact: - babylon_tower_secret: "{{ r_babylon_tower_secret.resources[0] }}" - - - name: Save tower secret - set_fact: - tower_hostname: "{{ babylon_tower_secret.data.hostname | b64decode }}" - tower_user: "{{ babylon_tower_secret.data.user | b64decode }}" - tower_password: "{{ babylon_tower_secret.data.password | b64decode }}" - - - name: Create output_dir/secrets - file: - path: "{{ output_dir }}/secrets" - state: directory - mode: 0700 + tower_host: "{{ __anarchy_subject.status.towerJobs.destroy.towerHost }}" + tower_job: "{{ __anarchy_subject.status.towerJobs.destroy.deployerJob }}" + vars: + __anarchy_subject: "{{ r_subject.resources[0] }}" - - name: Write tower information to yaml file - copy: - dest: "{{ output_dir }}/secrets/tower.rc" - content: | - export TOWER_HOST="https://{{ tower_hostname }}" - export TOWER_VERIFY_SSL=false - export TOWER_USERNAME={{ tower_user | to_json }} - export TOWER_PASSWORD={{ tower_password | to_json }} - export TOWER_JOB={{ tower_job | to_json }} + - name: Write {{ output_dir }}/secrets/tower.rc + import_tasks: tasks/write-tower-rc.yaml diff --git a/playbooks/service-lifecycle.yaml b/playbooks/service-lifecycle.yaml index d3ca2242e..0e38bede2 100644 --- a/playbooks/service-lifecycle.yaml +++ b/playbooks/service-lifecycle.yaml @@ -203,25 +203,6 @@ vars: desired_state: "{{ desired_state }}" - - name: Get Tower credentials and access information - k8s_info: - kubeconfig: "{{ kubeconfig }}" - api_version: v1 - kind: Secret - namespace: "{{ anarchy_namespace }}" - name: babylon-tower - register: r_babylon_tower_secret - failed_when: >- - r_babylon_tower_secret.resources | length != 1 - - - name: Set tower_hostname, tower_user, and tower_password from babylon-tower secret - set_fact: - tower_hostname: "{{ _babylon_tower_secret.data.hostname | b64decode }}" - tower_user: "{{ _babylon_tower_secret.data.user | b64decode }}" - tower_password: "{{ _babylon_tower_secret.data.password | b64decode }}" - vars: - _babylon_tower_secret: "{{ r_babylon_tower_secret.resources[0] }}" - - name: Wait for the Tower deployerJob to start k8s_info: kubeconfig: "{{ kubeconfig }}" @@ -232,30 +213,17 @@ register: r_claim retries: "{{ wait_retries | default(30) }}" delay: 2 + vars: + __anarchy_subject: "{{ r_claim.resources[0].status.resources[0].state }}" until: >- - 'deployerJob' in ( - r_claim.resources[0].status.resources[0] - .state.status.towerJobs[_action] | default([]) - ) + 'deployerJob' in __anarchy_subject.status.towerJobs[_action] | default({}) - - name: Save Tower job + - name: Set tower_host and tower_job set_fact: - tower_job: >- - {{ r_claim.resources[0].status.resources[0] - .state.status.towerJobs[_action].deployerJob }} - - - name: Create output_dir/secrets - file: - path: "{{ output_dir }}/secrets" - state: directory - mode: 0700 + tower_host: "{{ __anarchy_subject.status.towerJobs[_action].towerHost }}" + tower_job: "{{ __anarchy_subject.status.towerJobs[_action].deployerJob }}" + vars: + __anarchy_subject: "{{ r_claim.resources[0].status.resources[0].state }}" - - name: Write tower information to yaml file - copy: - dest: "{{ output_dir }}/secrets/tower.rc" - content: | - export TOWER_HOST="https://{{ tower_hostname }}" - export TOWER_VERIFY_SSL=false - export TOWER_USERNAME={{ tower_user | to_json }} - export TOWER_PASSWORD={{ tower_password | to_json }} - export TOWER_JOB={{ tower_job | to_json }} + - name: Write {{ output_dir }}/secrets/tower.rc + import_tasks: tasks/write-tower-rc.yaml diff --git a/playbooks/service-provision.yaml b/playbooks/service-provision.yaml index 07ac9c766..b675104ea 100644 --- a/playbooks/service-provision.yaml +++ b/playbooks/service-provision.yaml @@ -15,12 +15,11 @@ cloudforms_username: CHANGEME # After that don't touch - user_namespace: user-{{ cloudforms_username | replace('_', '-') | replace('.', '-') }} catalog_item_name: "{{ account | replace('_', '-') }}.{{ catalog_item | lower | regex_replace('_', '-') }}.{{ catalog_stage }}" platform_url: "{% if 'OPENTLC' in platform %}https://labs.opentlc.com/{% else %}https://rhpds.redhat.com/{% endif %}" tasks: - - name: Git minimal facts + - name: Gather minimal facts ansible.builtin.setup: gather_subset: min @@ -72,11 +71,19 @@ # Check AnarchyGovernor vars that are not listed in params_to_variables check_governor_job_vars: >- {{ job_vars - | combine({"__meta__": pruned_meta}) + | combine({"__meta__": check_governor_pruned_meta}) | dict2items | json_query(filter_var_query) | items2dict }} + check_governor_pruned_meta: >- + {{ job_vars.__meta__ | dict2items | json_query(pruned_meta_query) | items2dict }} + check_params: >- + {{ vars.catalog_item_params + | combine({"__meta__": check_params_pruned_meta}) + }} + check_params_pruned_meta: >- + {{ vars.catalog_item_params.__meta__ | dict2items | json_query(pruned_meta_query) | items2dict }} filter_var_query: >- [?!contains(`{{ filter_var_list | to_json }}`, key)] filter_var_list: >- @@ -84,11 +91,11 @@ + ["agnosticv_meta"] }} job_vars: >- {{ r_governor.resources[0].spec.vars.job_vars | default({}) }} - pruned_meta: >- - {{ job_vars.__meta__ | dict2items | json_query("[?key != 'last_update']") | items2dict }} + pruned_meta_query: >- + [?!contains(['catalog','last_update'], key)] failed_when: >- r_governor.resources | length == 0 or - vars.catalog_item_params != vars.catalog_item_params | combine(check_governor_job_vars) + check_params != check_params | combine(check_governor_job_vars) until: r_governor is success delay: 5 retries: 60 @@ -123,6 +130,8 @@ kubeconfig: "{{ kubeconfig }}" definition: apiVersion: user.openshift.io/v1 + identities: + - cfme:{{ cloudforms_username }} kind: User metadata: labels: @@ -132,7 +141,7 @@ name: "{{ cloudforms_username }}" register: r_user_created - - name: Update last-login annotation {{ cloudforms_username }} + - name: Update last-login annotation and identities for {{ cloudforms_username }} when: r_user.resources | length > 0 k8s: api_version: user.openshift.io/v1 @@ -140,22 +149,63 @@ kubeconfig: "{{ kubeconfig }}" name: "{{ cloudforms_username }}" definition: + identities: + - cfme:{{ cloudforms_username }} metadata: annotations: demo.redhat.com/last-login: "{{ now(true, '%FT%TZ') }}" - - name: Wait for namespace {{ user_namespace }} creation + - name: Set user_uid + set_fact: + user_uid: >- + {%- if r_user.resources | length > 0 -%} + {{ r_user.resources[0].metadata.uid }} + {%- else -%} + {{ r_user_created.result.metadata.uid }} + {%- endif -%} + + - name: Check if identity cfme:{{ cloudforms_username }} exists + k8s_info: + kubeconfig: "{{ kubeconfig }}" + api_version: user.openshift.io/v1 + kind: Identity + name: cfme:{{ cloudforms_username }} + register: r_identity + + - name: Create identity cfme:{{ cloudforms_username }} + when: r_identity.resources | length == 0 + k8s: + kubeconfig: "{{ kubeconfig }}" + definition: + apiVersion: user.openshift.io/v1 + extra: + email: "{{ cloudforms_useremail }}" + kind: Identity + metadata: + name: cfme:{{ cloudforms_username }} + providerName: cfme + providerUserName: "{{ cloudforms_username }}" + user: + name: "{{ cloudforms_username }}" + uid: "{{ user_uid }}" + + - name: Wait for namespace creation for {{ cloudforms_username }}} k8s_info: kubeconfig: "{{ kubeconfig }}" api_version: v1 kind: Namespace - name: "{{ user_namespace }}" + label_selectors: + - usernamespace.gpte.redhat.com/user-uid={{ user_uid }} register: r_user_namespace failed_when: r_user_namespace.resources | length < 1 until: r_user_namespace is successful retries: 10 delay: 3 + - name: Set user_namespace + set_fact: + user_namespace: "{{ r_user_namespace.resources[0].metadata.name }}" + - name: Grant babylon-user-service-access for {{ cloudforms_username }} in namespace k8s: kubeconfig: "{{ kubeconfig }}" @@ -447,39 +497,12 @@ babylon.currentState: {{ r_claim.resources[0].status.resources[0].state.spec.vars.current_state }} - - name: Get Tower credentials and access information - k8s_info: - kubeconfig: "{{ kubeconfig }}" - api_version: v1 - kind: Secret - namespace: "{{ anarchy_namespace }}" - name: babylon-tower - register: r_babylon_tower_secret - - - name: Fail if babylon-tower secret not found - fail: - msg: "babylon-tower secret not found" - when: r_babylon_tower_secret.resources | length == 0 - - - name: Create output_dir/secrets - file: - path: "{{ output_dir }}/secrets" - state: directory - mode: u=rwx,go= - - - name: Write tower information to yaml file + - name: Set tower_host and tower_job + set_fact: + tower_host: "{{ __anarchy_subject.status.towerJobs.provision.towerHost }}" + tower_job: "{{ __anarchy_subject.status.towerJobs.provision.deployerJob }}" vars: - babylon_tower_secret: "{{ r_babylon_tower_secret.resources[0] }}" - tower_hostname: "{{ babylon_tower_secret.data.hostname | b64decode }}" - tower_user: "{{ babylon_tower_secret.data.user | b64decode }}" - tower_password: "{{ babylon_tower_secret.data.password | b64decode }}" - tower_job: >- - {{ r_claim.resources[0].status.resources[0].state.status.towerJobs.provision.deployerJob }} - copy: - dest: "{{ output_dir }}/secrets/tower.rc" - content: | - export TOWER_HOST={{ ("https://" ~ tower_hostname) | quote }} - export TOWER_VERIFY_SSL=false - export TOWER_USERNAME={{ tower_user | quote }} - export TOWER_PASSWORD={{ tower_password | quote }} - export TOWER_JOB={{ tower_job | quote }} + __anarchy_subject: "{{ r_claim.resources[0].status.resources[0].state }}" + + - name: Write {{ output_dir }}/secrets/tower.rc + import_tasks: tasks/write-tower-rc.yaml diff --git a/playbooks/service-status.yaml b/playbooks/service-status.yaml index 2e2819eed..ab8e7ee0f 100644 --- a/playbooks/service-status.yaml +++ b/playbooks/service-status.yaml @@ -182,27 +182,15 @@ __status_complete_timestamp != '' and __status_complete_timestamp != previous_status_complete_timestamp - - name: Get Tower credentials and access information - k8s_info: - kubeconfig: "{{ kubeconfig }}" - api_version: v1 - kind: Secret - namespace: "{{ anarchy_namespace }}" - name: babylon-tower - register: r_babylon_tower_secret - failed_when: >- - r_babylon_tower_secret.resources | length != 1 - - - name: Set tower_hostname, tower_user, and tower_password from babylon-tower secret + - name: Set tower_host and tower_job set_fact: - tower_hostname: "{{ __babylon_tower_secret.data.hostname | b64decode }}" - tower_user: "{{ __babylon_tower_secret.data.user | b64decode }}" - tower_password: "{{ __babylon_tower_secret.data.password | b64decode }}" - tower_job: "{{ __subject.status.towerJobs.status.deployerJob }}" + tower_host: "{{ __anarchy_subject.status.towerJobs[_action].towerHost }}" + tower_job: "{{ __anarchy_subject.status.towerJobs[_action].deployerJob }}" vars: - __babylon_tower_secret: "{{ r_babylon_tower_secret.resources[0] }}" - __resource_claim: "{{ r_claim.resources[0] }}" - __subject: "{{ __resource_claim.status.resources[0].state }}" + __anarchy_subject: "{{ r_claim.resources[0].status.resources[0].state }}" + + - name: Write {{ output_dir }}/secrets/tower.rc + import_tasks: tasks/write-tower-rc.yaml - name: Write status.txt copy: @@ -212,13 +200,3 @@ vars: __resource_claim: "{{ r_claim.resources[0] }}" __subject: "{{ __resource_claim.status.resources[0].state }}" - - - name: Write tower information to yaml file - copy: - dest: "{{ output_dir }}/secrets/tower.rc" - content: | - export TOWER_HOST="https://{{ tower_hostname }}" - export TOWER_VERIFY_SSL=false - export TOWER_USERNAME={{ tower_user | to_json }} - export TOWER_PASSWORD={{ tower_password | to_json }} - export TOWER_JOB={{ tower_job | to_json }} diff --git a/playbooks/tasks/write-tower-rc.yaml b/playbooks/tasks/write-tower-rc.yaml new file mode 100644 index 000000000..020a65d48 --- /dev/null +++ b/playbooks/tasks/write-tower-rc.yaml @@ -0,0 +1,37 @@ +--- +- name: Get Tower credentials and access information + k8s_info: + kubeconfig: "{{ kubeconfig }}" + api_version: v1 + kind: Secret + label_selectors: + - babylon.gpte.redhat.com/ansible-control-plane={{ tower_host }} + namespace: "{{ anarchy_namespace }}" + register: r_babylon_tower_secret + +- name: Fail if babylon-tower secret not found + fail: + msg: "{{ tower_host }} secret not found" + when: r_babylon_tower_secret.resources | length == 0 + +- name: Create output_dir/secrets + file: + path: "{{ output_dir }}/secrets" + state: directory + mode: u=rwx,go= + +- name: Write tower information to yaml file + vars: + babylon_tower_secret: "{{ r_babylon_tower_secret.resources[0] }}" + tower_hostname: "{{ babylon_tower_secret.data.hostname | b64decode }}" + tower_user: "{{ babylon_tower_secret.data.user | b64decode }}" + tower_password: "{{ babylon_tower_secret.data.password | b64decode }}" + copy: + dest: "{{ output_dir }}/secrets/tower.rc" + content: | + export TOWER_HOST={{ ("https://" ~ tower_hostname) | quote }} + export TOWER_VERIFY_SSL=false + export TOWER_USERNAME={{ tower_user | quote }} + export TOWER_PASSWORD={{ tower_password | quote }} + export TOWER_JOB={{ tower_job | quote }} +...