OpenShift Origin Implementation at ITIX (mostly Ansible Playbooks)
- Host: GitHub
- URL: https://github.com/nmasse-itix/openshift-implementation-at-itix
- Owner: nmasse-itix
- License: mit
- Created: 2017-05-02T19:18:44.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2019-09-09T10:40:55.000Z (over 5 years ago)
- Last Synced: 2025-02-12T11:16:27.407Z (4 months ago)
- Size: 53.7 KB
- Stars: 2
- Watchers: 2
- Forks: 1
- Open Issues: 4
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# OpenShift-Lab
This project is my Ansible Playbook to install OpenShift on my Hetzner server.
## Operating System install
Go to [access.redhat.com](https://access.redhat.com/downloads/content/69/ver=/rhel---7/7.6/x86_64/product-software) and download the boot ISO image of the latest RHEL 7.
Upload this ISO image to any large file transfer such as [send.firefox.com](https://send.firefox.com) or [dl.free.fr](http://dl.free.fr/).
Go to your [Hetzner console](https://robot.your-server.de/server), select your server and book a KVM (**Support** > **Remote Console (KVM)** > **I would like to make an appointment**).
Choose a date, time and duration. For the duration, two hours should be enough. In the message box, type something like:
```raw
Dear Hetzner Support team,

I would like to install RHEL 7 on my server. Could you please burn the following ISO image on a CD or prepare a USB Key accordingly for me?
Many thanks for your help.
Best regards.
```
Click **Send Request**.
At the appointed time, you should receive a mail containing the login details to connect to your KVM.
Open the KVM console. This is a Java applet, so make sure there is no security restriction on its execution.
Reboot your server using the **Ctrl+Alt+Delete** button.
When the BIOS shows up, press **** to enter the boot menu and boot from the CD or USB Key, according to the Hetzner instructions.
[Video of the installation](https://www.youtube.com/watch?v=q-brW2_23Lo)
In this video at 3:00, I configure in the **Installation Source** a repository that is hosted on another server.
It's just a web server that serves the content of the ISO image:
```sh
yum install lighttpd
systemctl start lighttpd
mount rhel-server-7.6-x86_64-dvd.iso /var/www/lighttpd/ -o loop,ro
```
You can verify that your setup is correct with:
```sh
curl http://localhost/.treeinfo
```
## Getting public certificates with Let's Encrypt
On the Ansible control node, install [lego](https://github.com/go-acme/lego):
```sh
brew install lego
```
Get a certificate for the wildcard domain as well as the master hostname:
```sh
GANDIV5_API_KEY=[REDACTED] lego -d openshift.itix.fr -d app.itix.fr -d '*.app.itix.fr' -a -m [email protected] --path $HOME/.lego --dns gandiv5 run
```
See [this guide](https://github.com/nmasse-itix/OpenShift-Examples/tree/master/Public-Certificates-with-Letsencrypt) for more details.
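Why the lego command requests both `app.itix.fr` and `*.app.itix.fr`: a wildcard SAN covers exactly one DNS label, so the apex of the zone and any deeper name need their own entry. The following is an added illustration (not part of this README or of lego) of those matching rules, applied to the SANs requested above and to a host list constructed from names used later in this README plus one hypothetical deeper name, `api.dev.app.itix.fr`.

```python
# SAN dNSName entries requested by the lego command in this README.
REQUESTED_SANS = ["openshift.itix.fr", "app.itix.fr", "*.app.itix.fr"]

def san_matches(san: str, host: str) -> bool:
    """Return True if one SAN dNSName entry covers `host`.

    Applies the RFC 6125 rules used by browsers and by Go's crypto/x509
    (the verifier OpenShift's router and clients rely on): a wildcard is
    only accepted as the whole left-most label and matches exactly one
    label, so '*.app.itix.fr' covers neither 'app.itix.fr' nor
    'a.b.app.itix.fr'.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    if not san.startswith("*.") or "*" in san[1:]:
        return False  # partial ('s*.') or multiple wildcards are rejected
    suffix = san[1:]  # ".app.itix.fr"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]
    # the wildcard must stand for exactly one non-empty label
    return bool(left) and "." not in left

def covered_by(host: str, sans=REQUESTED_SANS) -> list:
    """All SAN entries that cover `host`."""
    return [s for s in sans if san_matches(s, host)]

def uncovered_hosts(hosts, sans=REQUESTED_SANS) -> list:
    """Hosts the certificate would NOT be valid for."""
    return [h for h in hosts if not covered_by(h, sans)]

if __name__ == "__main__":
    # Constructed host list: route names from this README plus a hypothetical
    # two-level name that the single-label wildcard cannot cover.
    hosts = ["openshift.itix.fr", "app.itix.fr", "sso.app.itix.fr",
             "nexus.app.itix.fr", "microcks.app.itix.fr", "api.dev.app.itix.fr"]
    for h in hosts:
        print(f"{h:24} covered by {covered_by(h) or 'NOTHING'}")
```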
## Preparation
Register the server on RHN:
```sh
sudo subscription-manager register --name=openshift.itix.fr
sudo subscription-manager refresh
sudo subscription-manager list --available --matches '*Employee SKU*'
sudo subscription-manager attach --pool=8a85f9833e1404a9013e3cddf95a0599
```
Edit `/etc/sysconfig/network-scripts/ifcfg-eno1` and add:
```sh
NM_CONTROLLED="yes"
PEERDNS="yes"
DOMAIN="itix.fr"
```
## OpenShift Install
Create a file named `group_vars/OSEv3`, containing your secrets:
```sh
# Quoted heredoc delimiter: nothing inside (passwords, '|', '$') is expanded by the shell
cat <<'EOF' > group_vars/OSEv3
---
# Generated on https://access.redhat.com/terms-based-registry/
oreg_auth_password: your.password.here
oreg_auth_user: '123|user-name'

openshift_additional_registry_credentials:
- host: registry.connect.redhat.com
  user: rhn-username
  password: rhn-password
  test_image: sonatype/nexus-repository-manager:latest

# see: https://github.com/nmasse-itix/OpenShift-Examples/tree/master/Login-to-OpenShift-with-your-Google-Account
openshift_master_identity_providers:
- name: RedHat
  login: true
  challenge: false
  kind: GoogleIdentityProvider
  clientID: your.client_id.apps.googleusercontent.com
  clientSecret: your.client_secret.here
  hostedDomain: redhat.com
EOF
```
Create a file named `group_vars/all/itix.yaml`, containing your global variables:
```sh
mkdir -p group_vars/all/
cat <<'EOF' > group_vars/all/itix.yaml
---
# The regular user account you created on your server
ansible_ssh_user: nicolas
EOF
```
Run the OpenShift install:
```sh
ansible-playbook -i prod.hosts playbooks/preparation.yml
ansible-playbook -i prod.hosts openshift-ansible/playbooks/deploy_cluster.yml
ansible-playbook -i prod.hosts playbooks/post-install.yml
```
## Deploy the Software Factory
### Red Hat SSO
```sh
oc new-project sso --display-name="Single Sign-On"
for resource in sso73-image-stream.json \
sso73-x509-https.json \
sso73-x509-postgresql-persistent.json
do
oc replace -n openshift --force -f \
https://raw.githubusercontent.com/jboss-container-images/redhat-sso-7-openshift-image/sso73-dev/templates/${resource}
done
oc -n openshift import-image redhat-sso73-openshift:1.0
oc policy add-role-to-user view system:serviceaccount:$(oc project -q):default

oc new-app --template=sso73-x509-postgresql-persistent --name=sso -p SSO_HOSTNAME=sso.app.itix.fr -p DB_USERNAME=sso -p SSO_ADMIN_USERNAME=admin -p DB_DATABASE=sso
oc delete route sso
oc create -f - <<EOF
# (the replacement Route manifest is missing from this copy of the README)
EOF
```
### Jenkins
```sh
# Quoted heredoc delimiter so the password and the "\n" escapes reach the file untouched
cat <<'EOF' > casc.yaml
jenkins:
  systemMessage: "Jenkins configured automatically by Jenkins Configuration as Code plugin\n\n"
unclassified:
  globalPluginConfiguration:
    # OpenShift Sync Plugin: list of all namespaces to watch for, separated by a space
    namespace: factory api-lifecycle
  microcksGlobalConfiguration:
    microcksInstallations:
    - microcksDisplayName: Microcks
      microcksApiURL: https://microcks.app.itix.fr/api
      microcksCredentialsId: microcks-serviceaccount
      microcksKeycloakURL: https://sso.app.itix.fr/auth/realms/microcks/
      disableSSLValidation: true
credentials:
  system:
    domainCredentials:
    - credentials:
      - usernamePassword:
          scope: SYSTEM
          id: microcks-serviceaccount
          description: Microcks service account
          username: microcks-serviceaccount
          password: '[REDACTED]'
EOF
oc create configmap jenkins-casc --from-file=casc.yaml
oc set volume dc/jenkins --add -m /casc/ --name=casc -t configmap --configmap-name=jenkins-casc
oc set env dc/jenkins CASC_JENKINS_CONFIG="/casc/"

oc delete route jenkins
oc create -f - <<EOF
# (the replacement Route manifest is missing from this copy of the README)
EOF
```
### Apicurio
- Create a new realm named "apicurio" by importing the file `realm-to-be-imported.json`
- Go to "Identity Provider" and add an "openshift-v3" IdP
- Create the corresponding OpenShift OAuthClient:
```sh
oc create -f - <<EOF
# (the OAuthClient manifest is missing from this copy of the README)
EOF
```
- Go to "Themes" and set the themes to "rh-sso"
- Configure [Account Linking](https://apicurio-studio.readme.io/docs/setting-up-keycloak-for-use-with-apicurio#section-7-configure-keycloak-for-account-linking)
### Nexus
```sh
oc project factory
oc create secret docker-registry partner-registry --docker-username=your.rhn.login --docker-password=your.rhn.password [email protected] --docker-server=registry.connect.redhat.com
oc secrets link default partner-registry --for=pull
oc import-image nexus-repository-manager:latest --confirm --scheduled --from=registry.connect.redhat.com/sonatype/nexus-repository-manager:latest

oc new-app nexus-repository-manager --name=nexus
oc patch dc/nexus -p '{"spec":{"strategy":{"type":"Recreate"}}}'
oc expose svc/nexus --hostname=nexus.app.itix.fr
oc patch route/nexus -p '{"spec":{"tls":{"insecureEdgeTerminationPolicy":"Redirect","termination":"edge"}}}'

oc set probe dc/nexus --liveness --failure-threshold 3 --initial-delay-seconds 30 --open-tcp=8081
oc set probe dc/nexus --readiness --failure-threshold 3 --initial-delay-seconds 30 --get-url=http://:8081/service/rest/repository/browse/maven-public/

oc set volumes dc/nexus --add --name 'nexus-volume-1' --type 'pvc' --mount-path '/nexus-data/' --claim-name 'nexus' --claim-size '1Gi' --overwrite
curl -o /tmp/nexus-functions -s https://raw.githubusercontent.com/OpenShiftDemos/nexus/master/scripts/nexus-functions
source /tmp/nexus-functions
add_nexus3_redhat_repos admin admin123 https://nexus.app.itix.fr
```
### Ansible Tower
```sh
oc new-project tower --display-name="Ansible Tower"
oc create -f - <<EOF
# (the manifest passed here is missing from this copy of the README)
EOF

# Unquoted heredoc delimiter: the $(...) expansions below run now, so the
# generated secrets are written into the inventory file.
# "openssl rand -hex 20" prints 40 random hex characters straight from the
# CSPRNG; hashing /dev/urandom with "openssl dgst -sha1" would also prefix
# its output with "(stdin)= ", which would end up inside every value.
cat <<EOF > inventory
localhost ansible_connection=local ansible_python_interpreter="/usr/bin/env python"

[all:vars]
admin_user=admin
admin_password="$(openssl rand -hex 20)"
pg_username=tower
pg_password="$(openssl rand -hex 20)"
pg_database='tower'
pg_port=5432
secret_key="$(openssl rand -hex 20)"
rabbitmq_password="$(openssl rand -hex 20)"
rabbitmq_erlang_cookie="$(openssl rand -hex 20)"
openshift_skip_tls_verify=true
openshift_password=dummy # Not used but required by the installer
EOF

oc apply -f - <<EOF
```