separate repository machine [#1640]

CHANGELOG-0.8.md

@@ -14,6 +14,7 @@
 - [#1618](https://github.com/epiphany-platform/epiphany/issues/1618) - Add kubectl and Helm to epicli and devcontainer images
 - [#1225](https://github.com/epiphany-platform/epiphany/issues/1225) - Add OS_PATCHING.md with information about patching RHEL OS
 - [#1656](https://github.com/epiphany-platform/epiphany/issues/1656) - Run Helm tasks from Epiphany container
+- [#1640](https://github.com/epiphany-platform/epiphany/issues/1640) - Added separate machine for repository and changed helm to use localhost address
 
 ### Updated
 
@@ -33,3 +34,8 @@
 - [#1659](https://github.com/epiphany-platform/epiphany/issues/1659) - epicli upgrade fails on Ubuntu on downgrading kubernetes-cni package
 - [#1681](https://github.com/epiphany-platform/epiphany/issues/1681) - Node exporter does not work after the upgrade
 - [#1705](https://github.com/epiphany-platform/epiphany/issues/1705) - [RHEL/CentOS] epicli fails on downloading requirements - Docker CE repo not available
+
+### Breaking changes
+
+- Repository machine was introduced (ref #1640)
+- Change cluster configuration manifest in order to be compatible with changes in #1640 [example] (https://github.com/epiphany-platform/epiphany/blob/develop/core/src/epicli/data/common/defaults/epiphany-cluster.yml)

CHANGELOG.md

@@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 Reference for actual cluster component versions can be found [here](docs/home/COMPONENTS.md)
 
+- [CHANGELOG-0.8.x](./CHANGELOG-0.8.md)
 - [CHANGELOG-0.7.x](./CHANGELOG-0.7.md)
 - [CHANGELOG-0.6.x](./CHANGELOG-0.6.md)
 - [CHANGELOG-0.5.x](./CHANGELOG-0.5.md)

core/src/epicli/data/any/defaults/configuration/minimal-cluster-config.yml

@@ -8,6 +8,10 @@ specification:
     name: operations # YOUR-ADMIN-USERNAME
     key_path: /user/.ssh/epiphany-operations/id_rsa # YOUR-SSH-KEY-PATH
   components:
+    repository:
+      count: 1
+      machines:
+        - default-repository
     kubernetes_master:
       count: 1
       machines:
@@ -45,6 +49,13 @@ specification:
 ---
 kind: infrastructure/machine
 provider: any
+name: default-repository
+specification:
+  hostname: repository # YOUR-MACHINE-HOSTNAME
+  ip: 192.168.100.112 # YOUR-MACHINE-IP
+---
+kind: infrastructure/machine
+provider: any
 name: default-k8s-master1
 specification:
   hostname: master1 # YOUR-MACHINE-HOSTNAME

core/src/epicli/data/aws/defaults/configuration/minimal-cluster-config.yml

@@ -14,6 +14,8 @@ specification:
       key: XXXX-XXXX-XXXX
       secret: XXXXXXXXXXXXXXXX
   components:
+    repository:
+      count: 1
     kubernetes_master:
       count: 1
     kubernetes_node:

core/src/epicli/data/aws/defaults/infrastructure/virtual-machine.yml

@@ -845,3 +845,48 @@ specification:
        destination_port_range: "0"
        source_address_prefix: "0.0.0.0/0"
        destination_address_prefix: "0.0.0.0/0"       
+---
+kind: infrastructure/virtual-machine
+title: "Virtual Machine Infra"
+provider: aws
+name: repository-machine
+specification:
+  size: t2.medium
+  security:
+    rules:
+     - name: ssh
+       description: Allow ssh traffic
+       direction: Inbound
+       protocol: Tcp
+       destination_port_range: "22"
+       source_address_prefix: "0.0.0.0/0"
+       destination_address_prefix: "0.0.0.0/0"
+     - name: repository
+       description: Allow repository traffic
+       direction: Inbound
+       protocol: Tcp
+       destination_port_range: "80"
+       source_address_prefix: "10.1.0.0/20"
+       destination_address_prefix: "0.0.0.0/0"
+     - name: node_exporter
+       description: Allow node_exporter traffic
+       direction: Inbound
+       protocol: Tcp
+       destination_port_range: "9100"
+       source_address_prefix: "10.1.0.0/20"
+       destination_address_prefix: "0.0.0.0/0"
+     - name: image_registry
+       description: Allow image registry traffic
+       direction: Inbound
+       protocol: Tcp
+       destination_port_range: "5000"
+       source_address_prefix: "10.1.0.0/20"
+       destination_address_prefix: "0.0.0.0/0"
+     - name: out
+       description: Allow out
+       direction: Egress
+       protocol: "all"
+       destination_port_range: "0"
+       source_address_prefix: "0.0.0.0/0"
+       destination_address_prefix: "0.0.0.0/0"
+

core/src/epicli/data/azure/defaults/configuration/minimal-cluster-config.yml

@@ -11,6 +11,8 @@ specification:
   cloud:
     use_public_ips: False # When not using public IPs you have to provide connectivity via private IPs (VPN)
   components:
+    repository:
+      count: 1
     kubernetes_master:
       count: 1
     kubernetes_node:

core/src/epicli/data/azure/defaults/infrastructure/virtual-machine.yml

@@ -782,3 +782,62 @@ specification:
   #      destination_port_range: "0"
   #      source_address_prefix: "10.1.4.0/24"
   #      destination_address_prefix: "0.0.0.0/0"
+---
+kind: infrastructure/virtual-machine
+title: "Virtual Machine Infra"
+provider: azure
+name: repository-machine
+specification:
+  size: Standard_DS1_v2
+  security:
+    rules:
+      - name: ssh
+        description: Allow SSH
+        priority: 100
+        direction: Inbound
+        access: Allow
+        protocol: Tcp
+        source_port_range: "*"
+        destination_port_range: "22"
+        source_address_prefix: "0.0.0.0/0"
+        destination_address_prefix: "0.0.0.0/0"
+      - name: node_exporter
+        description: Allow node_exporter traffic
+        priority: 200
+        direction: Inbound
+        access: Allow
+        protocol: Tcp
+        source_port_range: "*"
+        destination_port_range: "9100"
+        source_address_prefix: "10.1.0.0/20"
+        destination_address_prefix: "0.0.0.0/0"
+      - name: repository
+        description: Allow repository traffic
+        priority: 205
+        direction: Inbound
+        access: Allow
+        protocol: Tcp
+        source_port_range: "*"
+        destination_port_range: "80"
+        source_address_prefix: "10.1.0.0/20"
+        destination_address_prefix: "0.0.0.0/0"
+      - name: image_registry
+        description: Allow image registry traffic
+        priority: 206
+        direction: Inbound
+        access: Allow
+        protocol: Tcp
+        source_port_range: "*"
+        destination_port_range: "5000"
+        source_address_prefix: "10.1.0.0/20"
+        destination_address_prefix: "0.0.0.0/0"
+      - name: out
+        description: Allow out
+        priority: 101
+        direction: Outbound
+        access: Allow
+        protocol: "*"
+        source_port_range: "*"
+        destination_port_range: "0"
+        source_address_prefix: "0.0.0.0/0"
+        destination_address_prefix: "0.0.0.0/0"

core/src/epicli/data/common/ansible/playbooks/helm.yml

@@ -1,7 +1,18 @@
 ---
-- hosts: helm
-  become: true
-  become_method: sudo
-  become_flags: --login
+- hosts: 127.0.0.1
+  gather_facts: false
+  connection: local
+  become: false
   roles:
-    - helm
+    - role: helm
+      when:
+        - groups.helm is defined
+        - groups.helm | length > 0
+        - groups.repository is defined
+        - groups.repository | length > 0
+  environment:
+    # The "inventory_dir" fact cannot be used here.
+    # Documentation (https://docs.ansible.com/ansible/latest/inventory/implicit_localhost.html) states:
+    # - The inventory_file and inventory_dir magic variables are not available for the implicit localhost as they are dependent on each inventory host.
+    # TODO: https://github.com/epiphany-platform/epiphany/issues/1650
+    KUBECONFIG: "{{ vault_location }}/../kubeconfig"

core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/install-chart.yml

@@ -1,4 +1,6 @@
 ---
+# This file is meant to be used by other roles
+
 - name: Prepare configuration and upgrade/install Helm chart
   vars:
     # Handling "undefined", "null", "empty" and "boolean" values all at once.
@@ -9,10 +11,14 @@
 
   always:
     - name: Clean up temporary Helm chart values file
+      delegate_to: localhost
       file:
         state: absent
         path: /tmp/{{ helm_chart_name }}_values.yaml
-
+
+  delegate_to: localhost
+  environment:
+    KUBECONFIG: "{{ vault_location }}/../kubeconfig"
   block:
     # IF `disable_helm_chart`
     - when: disable_helm_chart_bool

core/src/epicli/data/common/ansible/playbooks/roles/helm/tasks/main.yml

@@ -1,48 +1,42 @@
 ---
-- import_tasks: gather-facts.yml
+
+- name: Check system index file existence
+  uri:
+    url: http://localhost/epirepo/helm-charts/system/index.yaml
+    method: HEAD
+  register: uri_index_test
+      # fail with error if status is unexpected
+  failed_when: uri_index_test.status not in [200, 404]
 
 - name: Deploy the "system" Helm charts
-  when: inventory_hostname == target_repository_hostnames[0]  # execute on the main repository host only
   block:
     - name: Check if Helm chart repo already exists
-      shell: |
-        helm repo list | grep {{ helm_chart_repo_name }}
+      shell: helm repo list | grep -w "{{ helm_chart_repo_name }}"
       register: helm_repo_list
       failed_when: (helm_repo_list.rc != 0 and not 'no repositories' in helm_repo_list.stderr)
                    or helm_repo_list.rc > 1
 
-    - name: "Check if files exist in {{ specification.apache_epirepo_path }}/helm-charts/system"
-      find:
-        paths: "{{ specification.apache_epirepo_path }}/helm-charts/system"
-      register: helm_charts_files_number
-
-    - name: Add Helm chart repo and install charts
-      when: helm_charts_files_number.matched > 1
-      block:
-        - name: Get Helm charts list from repo before update
-          shell: |
-            helm search repo {{ helm_chart_repo_name }} --output json | jq -r '.[].name'
-          register: helm_charts_list_before_update
+    - name: Get Helm charts list from repo before update
+      shell: helm search repo {{ helm_chart_repo_name }} --output json | jq -r '.[].name'
+      register: helm_charts_list_before_update
+      failed_when: (helm_charts_list_before_update.rc != 0 and not 'no repositories' in helm_charts_list_before_update.stderr)
+                   or helm_charts_list_before_update.rc > 1
 
-        - name: "Add {{ helm_chart_repo_name }} Helm repository from url {{ repository_url }}"
-          shell: |
-            helm repo add {{ helm_chart_repo_name }} {{ repository_url }}/helm-charts/system
-          when:
-            - helm_chart_repo_name not in helm_repo_list.stdout
+    - name: "Add {{ helm_chart_repo_name }} Helm repository from url http://localhost/epirepo"
+      shell: helm repo add {{ helm_chart_repo_name }} http://localhost/epirepo/helm-charts/system
+      when: helm_chart_repo_name not in helm_repo_list.stdout
 
-        - name: Update Helm repo
-          shell: |
-            helm repo update
+    - name: Update Helm repo
+      shell: helm repo update
 
-        - name: Get Helm charts list from repo after update
-          shell: |
-            helm search repo {{ helm_chart_repo_name }} --output json | jq -r '.[].name'
-          register: helm_charts_list_after_update
+    - name: Get Helm charts list from repo after update
+      shell: helm search repo {{ helm_chart_repo_name }} --output json | jq -r '.[].name'
+      register: helm_charts_list_after_update
 
-        - name: Delete Helm charts not present in repository
-          shell: |
-            helm delete {{ chart_subname }} --purge
-          vars:
-            chart_subname: "{{ item.split('/')[1] }}"
-          loop: "{{ helm_charts_list_before_update.stdout_lines }}"
-          when: item not in helm_charts_list_after_update.stdout_lines
+    - name: Delete Helm charts not present in repository
+      shell: helm delete {{ chart_subname }} --purge
+      vars:
+        chart_subname: "{{ item.split('/')[1] }}"
+      loop: "{{ helm_charts_list_before_update.stdout_lines }}"
+      when: item not in helm_charts_list_after_update.stdout_lines
+  when: uri_index_test.status == 200 # whole block of code is supposed to be executed only if system charts exist

core/src/epicli/data/common/ansible/playbooks/roles/repository/tasks/create-helm-repo.yml

@@ -21,7 +21,7 @@
       loop: "{{ system_charts_dir_list.files }}"
 
     - name: Generate index.yaml file
-      shell: helm repo index {{ specification.apache_epirepo_path }}/helm-charts/system/ --url {{ repository_url }}/helm-charts/system
+      shell: helm repo index {{ specification.apache_epirepo_path }}/helm-charts/system/ --url http://localhost/epirepo/helm-charts/system
       args:
         executable: /bin/bash
 

core/src/epicli/data/common/defaults/configuration/feature-mapping.yml

@@ -122,9 +122,7 @@ specification:
       - firewall
       - vault
     kubernetes_master:
-      - image-registry
       - kubernetes-master
-      - repository
       - helm
       - applications
       - node-exporter
@@ -146,3 +144,9 @@ specification:
       - node-exporter
       - filebeat
       - firewall
+    repository:
+      - repository
+      - image-registry
+      - firewall
+      - filebeat
+      - node-exporter

core/src/epicli/data/common/defaults/epiphany-cluster.yml

@@ -94,6 +94,13 @@ specification:
       subnets:
         - availability_zone: eu-west-2a
           address_pool: 10.1.10.0/24
+    repository:
+      count: 1
+      machine: repository-machine
+      configuration: default
+      subnets:
+        - availability_zone: eu-west-2a
+          address_pool: 10.1.11.0/24
     single_machine:
       count: 0
       machine: single-machine