Role for deploying OpenShift master as part of OSBS - OpenShift build service, service for building layered Docker images.
It performs the necessary configuration OpenShift master, generates configuration for nodes, and opens/closes OpenShift firewall port. It also generates self-signed certificate that can be used by reverse proxy placed in front of the builder.
The node configuration directories are tarred and copied to the ansible host where the osbs-node role can use them.
This role is part of ansible-osbs playbook for deploying OpenShift build service. Please refer to that github repository for documentation and issue tracker.
Expose the OpenShift port to the outside world? Set this to false
when using
authenticating proxy on the localhost. Has no effect if osbs_manage_firewalld
is false
.
osbs_master_expose_port: true
Set to false if you don't use firewalld or do not want the playbook to modify it.
osbs_manage_firewalld: true
The osbs_nodes
is a list of FQDNs of OpenShift nodes for which configuration
will be generated. It is suggested that the nodes are part of an ansible group
and the variable is set to be group['your_node_group_name']
. By default it
contains only the master host, for easy one-host setup.
osbs_nodes: ["{{ inventory_hostname }}"]
Configuration for nodes is generated on the master and then saven on the ansible host to a directory where the osbs-node role can use them.
osbs_node_config_dir: openshift-node-configs
If you are using authenticating proxy, this role can generate a self-signed
certificate that the proxy can use to authenticate itself to OpenShift. The
proxy needs the certificate and the key concatenated in one file
(osbs_proxy_cert_file
). OpenShift needs to know the CA of the certificate,
which is configured in osbs_proxy_ca_file
and which is the same as the
certificate because it is self-signed.
osbs_proxy_cert_file: /etc/origin/proxy_selfsigned.crt
osbs_proxy_key_file: /etc/origin/proxy_selfsigned.key
osbs_proxy_certkey_file: /etc/httpd/openshift_proxy_certkey.crt
osbs_proxy_ca_file: /etc/origin/proxy_selfsigned.crt
OpenShift authorization policy - which users should be assigned the view
(read-only), osbs-builder (read-write), and cluster-admin (admin) roles. In
default configuration, everyone has read/write access. The authentication is
handled by the proxy - if you are not using it the everyone connecting from the
outside belongs to the system:unauthenticated
group.
Default setup:
osbs_readonly_users: []
osbs_readonly_groups: []
osbs_readwrite_users: []
osbs_readwrite_groups:
- system:authenticated
- system:unauthenticated
osbs_admin_users: []
osbs_admin_groups: []
Development with authenticating proxy:
osbs_readonly_users: []
osbs_readonly_groups: []
osbs_readwrite_users: []
osbs_readwrite_groups:
- system:authenticated
osbs_admin_users: []
osbs_admin_groups: []
Example production configuration with only one user starting the builds:
osbs_readonly_users: []
osbs_readonly_groups:
- system:authenticated
osbs_readwrite_groups: []
osbs_readwrite_users:
- kojibuilder
osbs_admin_users:
- [email protected]
- [email protected]
osbs_admin_groups: []
Limit on the number of running pods. Undefine or set to -1 to remove limit.
osbs_master_max_pods: 3
OpenShift master log level (0-5).
osbs_master_log_level: 3
Changing the auth provider.
# Specify different identity providers and options needed for the master-config
# template
#
# Currently supported options are:
# request_header
# htpasswd_provider
osbs_identity_provider: "request_header"
Options for the request_header auth type.
osbs_identity_request:
name: request_header
challenge: true
login: true
Options for the htpasswd_provider auth type. NOTE: You will need to create an
htpasswd file and place it in the location of provider_file
either by hand or
via an ansible task for hosts that require it.
osbs_identity_htpasswd:
name: htpasswd_provider
challenge: true
login: true
provider_file: /etc/openshift/htpasswd
Image garbage collection can be configured with following variables:
osbs_image_gc_high_threshold: 90
osbs_image_gc_low_threshold: 80
Deploy yum proxy from a docker image (disabled by default). Variable
osbs_yum_proxy_name
sets the name of the deploymentconfig/service OpenShift
objects.
osbs_yum_proxy_image: docker.io/vrutkovs/docker-squid
osbs_yum_proxy_name: yum-proxy
Docker is expected to be installed and configured (e.g. storage, insecure registries) on the remote host.
OpenShift is expected to be installed on the remote host. This can be accomplished by the install-openshift role.
Simple development deployment:
- hosts: builders
roles:
- install-openshift
- osbs-master
- osbs-node
- atomic-reactor
Deployment behind authentication proxy that only allows the kojibuilder user to start builds (and everyone to view them).
- hosts: builders
roles:
- install-openshift
- role: osbs-master
osbs_master_expose_port: false
osbs_readonly_users: []
osbs_readonly_groups:
- system:authenticated
- system:unauthenticated
osbs_readwrite_groups: []
osbs_readwrite_users:
- kojibuilder
osbs_admin_users: []
osbs_admin_groups: []
- osbs-node
- atomic-reactor
- role: osbs-proxy
osbs_proxy_type: kerberos
osbs_proxy_kerberos_keytab_file: /etc/HTTP-FQDN.EXAMPLE.COM.keytab
osbs_proxy_kerberos_realm: EXAMPLE.COM
osbs_proxy_ssl_cert_file: /etc/fqdn.example.com.crt
osbs_proxy_ssl_key_file: /etc/fqdn.example.com.key
osbs_proxy_ip_whitelist:
- subnet: 192.168.66.0/24
user: kojibuilder
Simple deployment with multiple nodes:
- hosts: all
roles:
- install-openshift
- hosts: masters
roles:
- role: osbs-master
osbs_nodes: "{{ groups['nodes'] }}"
- hosts: nodes
roles:
- osbs-node
- atomic-reactor
BSD
Martin Milata <[email protected]>