sudo dnf install ansible-core wget ssh-keygen -t ed25519 cat ~/.ssh/id_ed25519.pub
Go to github settings and add ssh pub key
Fix ssh config
cat ~/.ssh/config HostName github.com IdentityFile ~/.ssh/id_ed25519
chmod 0600 ~/.ssh/conig mkdir -p ~/redhat/ocpv4/git && cd ~/redhat/ocpv4/git/ git clone [email protected]:sullyvon/ocpv4-deployment-tam.git #this should go into the staging software playbook sudo curl -sSL -o /usr/local/bin/argocd https://github.com/argoproj/argo-cd/releases/latest/download/argocd-linux-amd64 sudo chmod +x /usr/local/bin/argocd
NOTE
For simplicity we demo this via ansible core but for an Enterprise environment Ansible Tower makes more sense
Stage OCPv4 CLI Tooling
cd ~/redhat/ocpv4/ocpv4-deployment-tam/common/playbooks ansible-playbook --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-stage-ocpv4-software.yaml -e "becomemethod=sudo privileged_user=dsulliva ocpv4_version=4.10.12"
Generate Per Cluster SSH Key
cd ~/redhat/ocpv4/ocpv4-deployment-tam/common/playbooks ansible-playbook --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-ssh-keygen.yml -e "cluster_id=dsulliva-hub01"
From the output you need to get the public key generated this will go into our cluster install-config.yaml
TASK [ssh-keygen : debug] *****************************************************************************************************************************************************************************************
ok: [127.0.0.1] => {
"msg": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCeDv8bR/y6W2gPonSUr9Vzn4YsxCm4d7yyODPGLinZooUbN9gvK3FAmOuamVgeF+nfrQv9wCPi7ifkFTIYi68G0SC77YYrrQXStUI2IvCZUXkBEO2B6H6PhQN//2FeXbV+2tx3OpAMt17DKhIWtbrAkNLo/Ra7SL9zO4c9RvRehnh/FpWQGRfY3djtEl+PrwG+Vbdt1by4e0v4MLO7CIaIuT0Mf4siuU33NGS81kIU5x82mXkpVHjslwcLqpr5E/L1qCWX6SJ3cgiGD9PvgCL1alvBKoPxhgkjMzcvUX2tuWFWpehqswblGb9UBOCOdPUg67CJjzYWSdNmApZzuSvmi3DOCrSidHGqqXbfcRSfluti3yQi7bbxDfBXbxN08iXHZjJke9GNPKNbhsKyvMnI5MY1X9oeUNIewSYbqykflyfjorOdirWBpgaGL/sCqQcvjytterLtLCGZjtLaYWPZfZLRluY8XEhQ7tGelXlf6JWT5YaTfqVZifpON25NQIYYKkivKcSeIBoH6tUaB+ggDdnuI2xT9i/uKIjMtoOOwMxfagIgRj1hkgbb29m8qj1nlBuGccDP/1bkVEMpt1JKXuCjvO6jxh+ncM6bGeRT8dcy6i7iPv4tI3n+H0qJ+mwbdYZRwozk7xcO39tDxe3ydCzfoKWbK0Qr2Jb7cn4tvQ== [email protected]"
}
Replace the sshKey field with one in msg output above
cd ~/redhat/ocpv4/git//ocpv4-deployment-tam/ vi dsulliva-hub01/config/install-config.yaml
Download Pull Secret and fix your pull secret
https://console.redhat.com/openshift/downloads #see Tokens section
download to ~/.docker/config.tmp and convert to ansible vaulted hash
cd ~/.docker/ [dsulliva@fancy .docker]$ cat config.tmp | ansible-vault encrypt_string #Do not forget the password you use here cd ~/redhat/ocpv4/git//ocpv4-deployment-tam/common/playbook mkdir vars vi dsulliva-hub01.yaml #add in pullsecret with reference to the encrypted vault hash
Install OpenShift Hub Cluster
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/common/playbooks ansible-playbook --ask-vault-pass --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-install-ocpv4.yml -e "becomemethod=sudo privileged_user=dsulliva privileged_group=dsulliva ocpv4_version=4.10.12 cluster_id=dsulliva-hub01"
In another terminal
cd ~/dsulliva-hub01 ls -lrt #find the latest install file tail <latestinstallfile>
Run Post Configuration On Hub Cluster
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/common/playbooks ansible-playbook --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-post-ocpv4-config.yml -e "becomemethod=sudo privileged_user=dsulliva privileged_group=dsulliva ocpv4_version=4.10.12 cluster_id=dsulliva-hub01 postconfig_mode=init ready_node_count=15 clustertype=hubextrh acm_managed_cluster=false openshift_gitops_endpoint=openshift-gitops-server-openshift-gitops.apps.dsulliva-hub01.sandbox517.opentlc.com openshift_gitops_gstnonprod_endpoint=openshift-gitops-gstnonprod-server-openshift-gitops.apps.dsulliva-hub01.sandbox517.opentlc.com"
While the above is running open another terminal
export KUBECONFIG=~/dsulliva-hub01/installocpv4/auth/kubeconfig cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/scripts #we need to do this because all our operator Subscriptions are set to Manual approval bash approve_operator_ip.sh
This playbook/role has 4 main kustomize stages
-
Stage I does our machinesets and optionally mco chrony
Per code here
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/gitops/kustomize/dsulliva-hub01
To actively watch
watch -n 5 'oc get machines -n openshift-machine-api && oc get nodes'
We really want our machines online and time right before we start throw our operators on
-
Stage II does openshift-gitops operator and stages some namespaces
Another chicken and egg problem kind of need argocd up before you can deploy argocd applications
Per code here
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/gitops/kustomize/openshift-gitops-operator
-
Stage III does phase one of argocd/openshift-gitops applications
Per code here
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/gitops/applications/dsulliva-hub01
To actively follow
watch -n 5 'oc get pods -n openshift-storage && oc get pvc --all-namespaces'
-
Stage IV does phase two of the argocd/openshift-gitops applications
Per code here
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/gitops/applications/dsulliva-hub01/stage_two
watch -n 5 'oc get nodes'
Increase your timeout to help with slow/transient network issues
oc annotate route hub-registry-quay --overwrite haproxy.router.openshift.io/timeout=120s -n quay-enterprise
Create a vault encrypted password for quay use the same vault password you used for the pullsecret
echo -n "<fixme>" | ansible-vault encrypt_string
Run quay init playbook
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/common/playbooks ansible-playbook --ask-vault-pass --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-post-hub-init-quayadmin-config.yml -e "becomemethod=sudo privileged_user=dsulliva privileged_group=dsulliva ocpv4_version=4.10.12 cluster_id=dsulliva-hub01 hubendpoint=hub-registry-quay-quay-enterprise.apps.dsulliva-hub01.sandbox517.opentlc.com"
-
Do some configuration in quay UI
-
Log in to the quay endpoint using quayadmin https://hubendpoint=hub-registry-quay-quay-enterprise.apps.dsulliva-hub01.sandbox517.opentlc.com
-
-
Create docker cli application token credentials named "quayadmin-docker"
-
https://hub-registry-quay-quay-enterprise.apps.dsulliva-hub01.sandbox517.opentlc.com/user/quayadmin?tab=settings click "Create Application Token"
-
-
On your build node where you are running your ansible-playbooks create a local docker config json for your privileged user and include the docker config json for the dsulliva-hub01 cluster and quayadmin creds
-
Update this file with those details /home/dsulliva/.docker/config.json
-
-
Update the build node ca relative to the dsulliva-hub01 self signed cert ca
-
Get the ca cert for the hub route (right now it’s the self signed ingress ca cert)
-
/home/dsulliva/4.10.12/oc get secret router-ca -n openshift-ingress-operator -o 'go-template={{index .data "tls.crt"}}' | base64 -d > dsulliva-hub01-ca.pem
-
sudo cp dsulliva-hub01-ca.pem /etc/pki/ca-trust/source/anchors/
-
sudo update-ca-trust extract
-
-
-
Run playbook "common-post-hub-mirror-ocpv4-release"
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/common/playbooks ansible-playbook --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-post-hub-mirror-ocpv4-release.yml -e "becomemethod=sudo privileged_user=dsulliva privileged_group=dsulliva ocpv4_version=4.10.12 cluster_id=dsulliva-hub01 MIRROR_TO_REGISTRY=hub-registry-quay-quay-enterprise.apps.dsulliva-hub01.sandbox517.opentlc.com/ocpv4"
Generate Per Cluster SSH Key
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/common/playbooks ansible-playbook --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-ssh-keygen.yml -e "cluster_id=dsulliva-spoke01"
Replace the sshKey field from output in install-config.yaml below
cd ~/redhat/ocpv4/git//ocpv4-deployment-tam/ vi dsulliva-spoke01/config/install-config.yaml
Install OpenShift Spoke Cluster
cd ~/redhat/ocpv4/git/ocpv4-deployment-tam/common/playbooks ansible-playbook --ask-vault-pass --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-install-ocpv4.yml -e "becomemethod=sudo privileged_user=dsulliva privileged_group=dsulliva ocpv4_version=4.10.12 cluster_id=dsulliva-spoke01"
*Clean up time be careful this wipes out the cluster
ansible-playbook --connection=local --inventory 127.0.0.1, --limit 127.0.0.1 common-destroy-ocpv4.yml -e "becomemethod=sudo privileged_user=dsulliva privileged_group=dsulliva ocpv4_version=4.10.12 cluster_id=dsulliva-spoke01"