From 276e80e27236ddd2c54728367cb0a2a86ffb71c1 Mon Sep 17 00:00:00 2001
From: Frank Ketelaars
Date: Wed, 30 Oct 2024 16:30:33 +0000
Subject: [PATCH 1/6] #822 Handle failure with ROSA login
---
.../30-provision-infra/provision-aws/tasks/provision-rosa.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml b/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml
index c0ce9448d..8c418d4fb 100644
--- a/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml
+++ b/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml
@@ -108,7 +108,7 @@ secret_payload: "{{ _cluster_admin_password }}" secret_group: "{{ environment_name }}" - when: _describe_cluster_admin is search("There is no admin") + when: _describe_cluster_admin.stderr is search("rosa create admin") - include_tasks: aws-enable-openshift-fileserver.yml loop: "{{ _current_openshift_cluster.openshift_storage | default([]) }}"
From 1f45298c76edafc27bd49b56db93714344c563ba Mon Sep 17 00:00:00 2001
From: Frank Ketelaars
Date: Wed, 30 Oct 2024 16:31:29 +0000
Subject: [PATCH 2/6] #822 Ignore error when labeling storage nodes
---
.../40-configure-infra/openshift-mcg/tasks/main.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml b/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml
index 245ea13aa..aceec1ff7 100644
--- a/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml
+++ b/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml
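Review bot: The new `when:` in provision-rosa.yml keys the vault write of `_cluster_admin_password` on the literal hint text `rosa create admin` in stderr, which is part of the CLI's human-readable output and may change between rosa releases, after which the admin password would silently stop being stored. If `rosa describe admin` also returns a non-zero rc when no admin exists (the registering task is not in the hunk, so I cannot confirm it), combining both signals keeps the match narrow and documents the dependency: `when: _describe_cluster_admin.rc != 0 and _describe_cluster_admin.stderr is search("rosa create admin")`. A comment naming the rosa version the wording was checked against, e.g. `# rosa <VERSION-CHECKED> prints 'rosa create admin' on stderr when no admin user exists`, would help whoever hits the next mismatch. The task this condition belongs to starts outside the hunk.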
@@ -16,9 +16,10 @@ oc get sc {{ _p_openshift_cluster.mcg.storage_class }} when: _p_openshift_cluster.mcg.storage_type == 'storage-class' - - name: Label all compute nodes as storage nodes to allow StorageCluster to be created + - name: Label all compute nodes as storage nodes to allow StorageCluster to be created, ignore failure shell: | oc label no -l node-role.kubernetes.io/worker cluster.ocs.openshift.io/openshift-storage= + failed_when: False - name: Install ODF operator include_role:
From 873d0a379d568bd661b42961fa69b500bc3a190e Mon Sep 17 00:00:00 2001
From: Frank Ketelaars
Date: Wed, 30 Oct 2024 21:51:24 +0000
Subject: [PATCH 3/6] #822 Renew AWS credentials after creating ROSA cluster
---
.../tasks/aws-validate-variables.yml | 34 ++---------------
.../tasks/aws-validate-variables.yml | 37 ++-----------------
.../destroy-aws/tasks/main.yml | 26 ++-----------
.../provision-aws/tasks/provision-rosa.yml | 4 ++
.../aws/aws-get-credentials/tasks/main.yml | 32 ++++++++++++++++
5 files changed, 46 insertions(+), 87 deletions(-)
create mode 100644 automation-roles/99-generic/aws/aws-get-credentials/tasks/main.yml
diff --git a/automation-roles/10-validation/validate-variables-destroy/tasks/aws-validate-variables.yml b/automation-roles/10-validation/validate-variables-destroy/tasks/aws-validate-variables.yml
index abbc2656e..98da729f7 100644
--- a/automation-roles/10-validation/validate-variables-destroy/tasks/aws-validate-variables.yml
+++ b/automation-roles/10-validation/validate-variables-destroy/tasks/aws-validate-variables.yml
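Review bot: `failed_when: False` on the node-labeling task in openshift-mcg/tasks/main.yml silences every failure of `oc label`, including an expired login or zero matching worker nodes, so the ODF install that follows proceeds against an unlabeled cluster and fails later with a less obvious error. If the failure being ignored is the label already being present (oc refuses to re-set an existing label unless `--overwrite` is given), the precise fix is to make the command idempotent instead: `oc label --overwrite no -l node-role.kubernetes.io/worker cluster.ocs.openshift.io/openshift-storage=` and drop `failed_when: False`. If other failure modes genuinely must be tolerated, `register:` the result and ignore only those in `failed_when`, so rc and stderr stay visible in the play output. Also, `false` rather than `False` is the YAML spelling yamllint's truthy rule expects.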
@@ -1,32 +1,4 @@ --- -- name: Get aws-access-key secret from in the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-access-key" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_access_key - -- name: Get aws-secret-access-key secret from the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-secret-access-key" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_secret_access_key - -- name: Get aws-session-token secret from the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-session-token" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_session_token - -- name: Retrieve rosa-login-token secret from the vault - include_role: - name: vault-get-secret - vars: - secret_name: "rosa-login-token" - secret_group: "{{ environment_name }}" - _p_secret_variable: _rosa_login_token \ No newline at end of file +- name: Get AWS credentials from the vault + include_role: + name: aws-get-credentials \ No newline at end of file
diff --git a/automation-roles/10-validation/validate-variables/tasks/aws-validate-variables.yml b/automation-roles/10-validation/validate-variables/tasks/aws-validate-variables.yml
index 6fa653fd9..cb5e1edb8 100644
--- a/automation-roles/10-validation/validate-variables/tasks/aws-validate-variables.yml
+++ b/automation-roles/10-validation/validate-variables/tasks/aws-validate-variables.yml
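Review bot: Replacing the four explicit `vault-get-secret` tasks in validate-variables-destroy/tasks/aws-validate-variables.yml with `include_role: name: aws-get-credentials` removes the only place this file named the variables it leaves behind (`_aws_access_key`, `_aws_secret_access_key`, `_aws_session_token`, `_rosa_login_token`), which the destroy tasks that run later rely on. A one-line comment above the include, e.g. `# Sets _aws_access_key, _aws_secret_access_key, _aws_session_token and _rosa_login_token from the vault`, keeps that contract readable without opening the role. The same applies to the identical includes added in validate-variables/tasks/aws-validate-variables.yml and destroy-aws/tasks/main.yml in this patch. Both the old and the new version of this file end without a trailing newline.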
@@ -1,27 +1,7 @@ --- -- name: Get aws-access-key secret from in the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-access-key" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_access_key - -- name: Get aws-secret-access-key secret from the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-secret-access-key" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_secret_access_key - -- name: Get aws-session-token secret from the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-session-token" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_session_token +- name: Get AWS credentials from the vault + include_role: + name: aws-get-credentials - name: Retrieve pull secret from vault include_role:
@@ -38,13 +18,4 @@ vars: secret_name: "ocp-ssh-pub-key" secret_group: "{{ environment_name }}" - _p_secret_variable: _ocp_ssh_pub_key - -- name: Retrieve rosa-login-token secret from the vault - include_role: - name: vault-get-secret - vars: - secret_name: "rosa-login-token" - secret_group: "{{ environment_name }}" - _p_secret_variable: _rosa_login_token - + _p_secret_variable: _ocp_ssh_pub_key \ No newline at end of file
diff --git a/automation-roles/30-provision-infra/destroy-aws/tasks/main.yml b/automation-roles/30-provision-infra/destroy-aws/tasks/main.yml
index 17725194e..1ecf45872 100644
--- a/automation-roles/30-provision-infra/destroy-aws/tasks/main.yml
+++ b/automation-roles/30-provision-infra/destroy-aws/tasks/main.yml
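Review bot: The second hunk in validate-variables/tasks/aws-validate-variables.yml drops the file's trailing newline (`\ No newline at end of file` now sits on the `+` side of `_p_secret_variable: _ocp_ssh_pub_key`), so the next edit to that last line will show up as a two-line diff. Ending the file with a single newline keeps it yamllint-clean; the same applies to the destroy variant changed earlier in this patch.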
@@ -8,29 +8,9 @@ fail: msg="cloud_platform {{ cloud_platform }} is not implemented, current implemented cloud platforms are {{ implemented_cloud_platform_types }} " when: "cloud_platform not in implemented_cloud_platform_types" -- name: Get aws-access-key secret from in the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-access-key" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_access_key - -- name: Get aws-secret-access-key secret from the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-secret-access-key" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_secret_access_key - -- name: Get aws-session-token secret from the vault - include_role: - name: vault-get-secret - vars: - secret_name: "aws-session-token" - secret_group: "{{ environment_name }}" - _p_secret_variable: _aws_session_token +- name: Get AWS credentials from the vault + include_role: + name: aws-get-credentials - name: Destroy Openshift with AWS ROSA include_tasks: destroy-aws-rosa.yml
diff --git a/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml b/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml
index 8c418d4fb..5da2e2936 100644
--- a/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml
+++ b/automation-roles/30-provision-infra/provision-aws/tasks/provision-rosa.yml
@@ -45,6 +45,10 @@ AWS_SESSION_TOKEN: "{{ _aws_session_token }}" when: _rosa_describe_cluster.rc != 0 +- name: Renew AWS credentials from the vault + include_role: + name: aws-get-credentials + - name: Get details for cluster {{ _current_openshift_cluster.name }} shell: | rosa describe cluster \
diff --git a/automation-roles/99-generic/aws/aws-get-credentials/tasks/main.yml b/automation-roles/99-generic/aws/aws-get-credentials/tasks/main.yml
new file mode 100644
index 000000000..d449588aa
--- /dev/null
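Review bot: The new `Renew AWS credentials from the vault` task in provision-rosa.yml only re-reads the vault; if nothing has refreshed the stored `aws-session-token` while the cluster was being created, the `rosa describe cluster` that follows runs with the same expired token and fails with the error the commit is trying to avoid. A cheap check right after the include, e.g. a `command: aws sts get-caller-identity` task (if the aws CLI is in the runtime image) with the same `environment:` block as the neighbouring tasks, fails early with a clear message instead of partway through the describe/enable steps. A comment stating why the re-read sits here, e.g. `# Cluster creation can outlive the session token read at validation time; re-read it from the vault`, would also help, since the reason is only in the commit subject. The `environment:` and `when:` lines at the top of the hunk belong to a task that starts outside it.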
+++ b/automation-roles/99-generic/aws/aws-get-credentials/tasks/main.yml
@@ -0,0 +1,32 @@ +--- +- name: Get aws-access-key secret from in the vault + include_role: + name: vault-get-secret + vars: + secret_name: "aws-access-key" + secret_group: "{{ environment_name }}" + _p_secret_variable: _aws_access_key + +- name: Get aws-secret-access-key secret from the vault + include_role: + name: vault-get-secret + vars: + secret_name: "aws-secret-access-key" + secret_group: "{{ environment_name }}" + _p_secret_variable: _aws_secret_access_key + +- name: Get aws-session-token secret from the vault + include_role: + name: vault-get-secret + vars: + secret_name: "aws-session-token" + secret_group: "{{ environment_name }}" + _p_secret_variable: _aws_session_token + +- name: Retrieve rosa-login-token secret from the vault + include_role: + name: vault-get-secret + vars: + secret_name: "rosa-login-token" + secret_group: "{{ environment_name }}" + _p_secret_variable: _rosa_login_token \ No newline at end of file
From 8e8efbc3003eccdcd5c7dc8326ad8244cf13c05c Mon Sep 17 00:00:00 2001
From: Frank Ketelaars
Date: Thu, 31 Oct 2024 05:47:00 +0000
Subject: [PATCH 4/6] #822 Provision ODF operator based on ROSA STS
---
.../tasks/aws-ipi-configure-ocs.yml | 2 +-
.../tasks/aws-rosa-configure-ocs.yml | 4 +++-
.../tasks/azure-aro-configure-ocs.yml | 2 ++
.../tasks/azure-ipi-configure-ocs.yml | 3 +++
.../tasks/vsphere-configure-ocs.yml | 2 ++
.../odf-operator/tasks/main.yml | 23 +++++++++++++++----
.../odf-operator/templates/odf-operator.j2 | 2 +-
.../openshift-mcg/tasks/main.yml | 2 +-
8 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-ipi-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-ipi-configure-ocs.yml
index a09d40600..ccc9c8d04 100644
--- a/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-ipi-configure-ocs.yml
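Review bot: The new role aws-get-credentials/tasks/main.yml has no header comment saying what it provides, which matters now that it is included once at validation time and again mid-play in provision-rosa.yml to pick up renewed secrets. Suggest a comment right under `---`: `# Reads AWS credentials and the ROSA login token from the vault into _aws_access_key, _aws_secret_access_key, _aws_session_token and _rosa_login_token; included again after cluster creation to pick up renewed secrets`. The first task name still carries the copied typo `from in the vault`; `Get aws-access-key secret from the vault` matches the other three. The `rosa-login-token` lookup is not an AWS credential and is fetched unconditionally, so a caller that only needs AWS keys (destroy-aws) now also depends on that secret existing in the vault — worth a comment if that is intended. The file ends without a trailing newline.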
+++ b/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-ipi-configure-ocs.yml
@@ -43,7 +43,7 @@ include_role: name: odf-operator vars: - _p_credentials_mode: "{{ current_openshift_cluster.infrastructure.credentials_mode | default('') }}" + _p_openshift_cluster: "{{ current_openshift_cluster }}" - name: Check if StorageCluster ocs-storagecluster already exists command: |
diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-rosa-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-rosa-configure-ocs.yml
index 465ceec24..e097267c9 100644
--- a/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-rosa-configure-ocs.yml
+++ b/automation-roles/40-configure-infra/ocs-storage-class/tasks/aws-rosa-configure-ocs.yml
@@ -69,7 +69,9 @@ - name: Install ODF operator include_role: name: odf-operator - + vars: + _p_openshift_cluster: "{{ current_openshift_cluster }}" + - name: Check if StorageCluster ocs-storagecluster already exists command: | oc get StorageCluster -n openshift-storage ocs-storagecluster
diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-aro-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-aro-configure-ocs.yml
index fea2cd91f..9f26336bf 100644
--- a/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-aro-configure-ocs.yml
+++ b/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-aro-configure-ocs.yml
@@ -77,6 +77,8 @@ - name: Install ODF operator include_role: name: odf-operator + vars: + _p_openshift_cluster: "{{ current_openshift_cluster }}" - name: Check if StorageCluster ocs-storagecluster already exists command: |
diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-ipi-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-ipi-configure-ocs.yml
index 9cf751f5c..3e09c7204 100644
--- a/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-ipi-configure-ocs.yml
+++ b/automation-roles/40-configure-infra/ocs-storage-class/tasks/azure-ipi-configure-ocs.yml
@@ -73,6 +73,9 @@ - name: Install ODF operator include_role: name: odf-operator + vars: + _p_openshift_cluster: "{{ current_openshift_cluster }}" + - name: Check if StorageCluster ocs-storagecluster already exists command: |
diff --git a/automation-roles/40-configure-infra/ocs-storage-class/tasks/vsphere-configure-ocs.yml b/automation-roles/40-configure-infra/ocs-storage-class/tasks/vsphere-configure-ocs.yml
index 116c0294a..58a22bb03 100644
--- a/automation-roles/40-configure-infra/ocs-storage-class/tasks/vsphere-configure-ocs.yml
+++ b/automation-roles/40-configure-infra/ocs-storage-class/tasks/vsphere-configure-ocs.yml
@@ -65,6 +65,8 @@ - name: Install ODF operator include_role: name: odf-operator + vars: + _p_openshift_cluster: "{{ current_openshift_cluster }}" - name: Check if StorageCluster ocs-storagecluster already exists command: |
diff --git a/automation-roles/40-configure-infra/odf-operator/tasks/main.yml b/automation-roles/40-configure-infra/odf-operator/tasks/main.yml
index 66c4466d4..c37e42661 100644
--- a/automation-roles/40-configure-infra/odf-operator/tasks/main.yml
+++ b/automation-roles/40-configure-infra/odf-operator/tasks/main.yml
@@ -1,8 +1,23 @@ --- -- include_tasks: aws-s3-sts-role.yml +- set_fact: + _aws_sts_mode: False + +- set_fact: + _aws_sts_mode: True + when: + - cloud_platform == 'aws' + - (_p_openshift_cluster.infrastructure.type | default('self-managed')) == 'self-managed' + - (_p_openshift_cluster.infrastructure.credentials_mode | default('')) == 'Manual' + +- set_fact: + _aws_sts_mode: True when: - cloud_platform == 'aws' - - (_p_credentials_mode | default('')) == 'Manual' + - (_p_openshift_cluster.infrastructure.type | default('self-managed')) == 'rosa' + - (_p_openshift_cluster.infrastructure.use_sts | default(False)) + +- include_tasks: aws-s3-sts-role.yml + when: _aws_sts_mode - name: Create openshift-storage OpenShift project shell: |
@@ -54,6 +69,4 @@ oc patch subscriptions.operators.coreos.com -n openshift-storage odf-operator \ --type merge \ --patch '{"spec":{"installPlanApproval":"Manual"}}' - when: - - cloud_platform == 'aws' - - (_p_credentials_mode | default('')) == 'Manual' \ No newline at end of file + when: _aws_sts_mode \ No newline at end of file
diff --git a/automation-roles/40-configure-infra/odf-operator/templates/odf-operator.j2 b/automation-roles/40-configure-infra/odf-operator/templates/odf-operator.j2
index b72b283c3..b63f89e1c 100644
--- a/automation-roles/40-configure-infra/odf-operator/templates/odf-operator.j2
+++ b/automation-roles/40-configure-infra/odf-operator/templates/odf-operator.j2
@@ -21,7 +21,7 @@ spec: name: odf-operator source: redhat-operators sourceNamespace: openshift-marketplace -{% if (_p_credentials_mode | default('')) == 'Manual' %} +{% if _aws_sts_mode %} config: env: - name: ROLEARN
diff --git a/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml b/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml
index aceec1ff7..f87a6a418 100644
--- a/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml
+++ b/automation-roles/40-configure-infra/openshift-mcg/tasks/main.yml
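Review bot: `_aws_sts_mode: False` and `_aws_sts_mode: True` in odf-operator/tasks/main.yml use capitalised booleans; Ansible accepts them, but `false`/`true` is the YAML spelling yamllint's truthy rule expects (the `default(False)` inside the Jinja expression is Python and is fine as is). More important, the role now depends on `_p_openshift_cluster` being passed, and as far as I can tell a caller that omits it (aws-rosa-configure-ocs passed nothing before this patch) hits every `default()`, leaves all three conditions false, and gets ODF installed in non-STS mode with no hint why the operator later fails on an STS cluster. An `assert:` with `that: _p_openshift_cluster is defined` and a `fail_msg` as the first task makes the missing parameter fail loudly. A comment on each conditional set_fact, e.g. `# Self-managed IPI cluster installed with credentialsMode Manual` and `# ROSA cluster created with STS`, would make the three-step fact initialisation readable. The second hunk's `when: _aws_sts_mode` belongs to the installPlanApproval patch task that starts outside the hunk.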
@@ -25,7 +25,7 @@ include_role: name: odf-operator vars: - _p_credentials_mode: "{{ current_openshift_cluster.infrastructure.credentials_mode | default('') }}" + _p_openshift_cluster: "{{ current_openshift_cluster }}" - name: Generate MCG StorageCluster ocs-storagecluster into {{ status_dir }}/openshift/openshift-{{ _p_openshift_cluster.name }}-mcg-storagecluster.yaml template:
From 49b336ac6ab72b3285a26d478eec2ddbd74fb2b2 Mon Sep 17 00:00:00 2001
From: Frank Ketelaars
Date: Thu, 31 Oct 2024 06:08:01 +0000
Subject: [PATCH 5/6] #822 Error in deletion of operator-roles
---
.../30-provision-infra/destroy-aws/tasks/destroy-aws-rosa.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/automation-roles/30-provision-infra/destroy-aws/tasks/destroy-aws-rosa.yml b/automation-roles/30-provision-infra/destroy-aws/tasks/destroy-aws-rosa.yml
index 86858d340..7ecce7577 100644
--- a/automation-roles/30-provision-infra/destroy-aws/tasks/destroy-aws-rosa.yml
+++ b/automation-roles/30-provision-infra/destroy-aws/tasks/destroy-aws-rosa.yml
@@ -40,7 +40,7 @@ - name: Delete operator roles for ROSA cluster {{ _current_openshift_cluster.name }} when STS was used shell: | - rosa delete operator roles -c {{ (_rosa_describe_cluster.stdout | from_json).id }} --mode auto --yes \ + rosa delete operator-roles -c {{ (_rosa_describe_cluster.stdout | from_json).id }} --mode auto --yes \ --region {{ _current_openshift_cluster.infrastructure.aws_region }} >> {{ status_dir }}/log/{{ _current_openshift_cluster.name }}-delete-cluster.log 2>&1 environment: AWS_ACCESS_KEY_ID: "{{ _aws_access_key }}"
From b11f9b167b099f5ee57670f177e743f80301e7a0 Mon Sep 17 00:00:00 2001
From: Frank Ketelaars
Date: Thu, 31 Oct 2024 16:54:35 +0000
Subject: [PATCH 6/6] #802 Cast OpenShift version to string
---
.../tasks/aws-enable-openshift-fileserver.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
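Review bot: In openshift-mcg/tasks/main.yml the include now passes `_p_openshift_cluster: "{{ current_openshift_cluster }}"` to odf-operator while the surrounding role already runs with its own `_p_openshift_cluster` parameter (the task name just below reads `_p_openshift_cluster.name`). If the two are meant to be the same cluster the `vars:` entry looks redundant — as far as I can tell an included role already sees the caller's `_p_openshift_cluster` — and dropping it avoids the inner role ever seeing a different cluster than the outer one; if they can legitimately differ, a comment such as `# odf-operator is parameterised on the play-level cluster, not the MCG role parameter` would stop a later cleanup from removing it. The task this hunk changes starts outside the hunk.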
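Review bot: With the `rosa delete operator-roles` command fixed in destroy-aws-rosa.yml, its stdout and stderr still go only to the `-delete-cluster.log` file via `>> … 2>&1`, so a failed deletion surfaces in the play as a bare non-zero rc while the IAM operator roles, which carry AWS permissions scoped to the cluster, stay behind unnoticed. Dropping the `2>&1` so that stderr reaches the play output, or registering the result and including the log tail in a `fail:` message, makes the leftover visible. If this file does not also remove the cluster's OIDC provider (`rosa delete oidc-provider`), that would be the companion cleanup for an STS cluster — the rest of the file is not in the hunk, so I cannot tell. The task's `when:` (the name says it runs only when STS was used) and the remainder of the `environment:` block lie outside the hunk.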
diff --git a/automation-roles/30-provision-infra/provision-aws/tasks/aws-enable-openshift-fileserver.yml b/automation-roles/30-provision-infra/provision-aws/tasks/aws-enable-openshift-fileserver.yml
index f97e97dd8..b11f67143 100644
--- a/automation-roles/30-provision-infra/provision-aws/tasks/aws-enable-openshift-fileserver.yml
+++ b/automation-roles/30-provision-infra/provision-aws/tasks/aws-enable-openshift-fileserver.yml
@@ -18,12 +18,12 @@ - name: Set name of compute node security group for OpenShift < 4.16 set_fact: _aws_compute_sg: "{{ _current_openshift_cluster.name }}*-worker-sg" - when: _current_openshift_cluster.ocp_version < '4.16' + when: (_current_openshift_cluster.ocp_version | string) < '4.16' - name: Set name of compute node security group for OpenShift >= 4.16 set_fact: _aws_compute_sg: "{{ _current_openshift_cluster.name }}*-node" - when: _current_openshift_cluster.ocp_version >= '4.16' + when: (_current_openshift_cluster.ocp_version | string) >= '4.16' - name: Get security group for OpenShift cluster compute nodes using filter {{ _aws_compute_sg }} shell: |
@@ -40,9 +40,9 @@ - debug: var: _aws_sg -- name: Fail if security group was not found +- name: Fail if security group {{ _aws_compute_sg }} was not found fail: - msg: "Security group with name {{ _current_openshift_cluster.name }}*-worker-sg not found" + msg: "Security group with name {{ _aws_compute_sg }} not found" when: (_aws_sg.stdout | from_json) == [] - set_fact:
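Review bot: `(_current_openshift_cluster.ocp_version | string) < '4.16'` in aws-enable-openshift-fileserver.yml is a plain string comparison, so it orders character by character: `'4.9' < '4.16'` is false and `'4.9' >= '4.16'` is true, which sends any 4.x cluster with a single-digit minor down the `*-node` security-group branch and makes the later `fail:` fire with a misleading filter name. Ansible's `version` test compares numerically: `when: (_current_openshift_cluster.ocp_version | string) is version('4.16', '<')` and `when: (_current_openshift_cluster.ocp_version | string) is version('4.16', '>=')`. The `| string` cast also cannot undo the YAML float parse that prompted it — an unquoted `ocp_version: 4.10` is already `4.1` when it reaches this task — so the inventory value needs to be quoted (`"4.10"`) at the source, which is worth a comment here so the cast is not taken as sufficient. The second hunk's message fix is fine as written.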