[kuberef.git] / sw_config / bmra / patched_cmk_build.yml

# SPDX-FileCopyrightText: 2020 Intel Corporation.
#
# SPDX-License-Identifier: Apache-2.0

---
- name: install epel-release on Red Hat based OS
  package: name=epel-release
  when: ansible_os_family == 'RedHat'

# note: on Ubuntu, pip is installed via install_dependencies
- name: install pip
  package:
    name: python-pip
  when:
    - ansible_distribution in ["RedHat", "CentOS"]
    - ansible_distribution_version < '8'

- name: install pip
  package:
    name: python3-pip
  when:
    - ansible_distribution in ["RedHat", "CentOS"]
    - ansible_distribution_version >= '8'

- name: install dependencies
  include_role:
    name: install_dependencies

- name: install Python dependencies
  pip:
    name:
      - setuptools
      - docker

- name: clone CMK repository
  git:
    repo: "{{ cmk_git_url }}"
    dest: "{{ cmk_dir }}"
    version: "{{ cmk_version }}"
    force: yes

- name: patch CMK dockerfile (1/3)
  lineinfile:
    path: "{{ cmk_dir }}/Dockerfile"
    regexp: '^FROM clearlinux'
    line: 'FROM centos/python-36-centos7:latest'

- name: patch CMK dockerfile (2/3)
  lineinfile:
    path: "{{ cmk_dir }}/Dockerfile"
    insertafter: '^FROM centos'
    line: 'USER root'
    state: present

- name: patch CMK dockerfile (3/3)
  lineinfile:
    path: "{{ cmk_dir }}/Dockerfile"
    state: absent
    regexp: '^RUN swupd'

- name: build CMK image
  make:
    chdir: "{{ cmk_dir }}"

# NOTE(przemeklal): this fixes problem in CMK with ImagePullPolicy hardcoded to Never and the pod is scheduled on controller node
- name: tag CMK image
  command: docker tag cmk:{{ cmk_img_version }} {{ registry_local_address }}/cmk:{{ cmk_img_version }}
  changed_when: true

- name: push CMK image to local registry
  command: docker push {{ registry_local_address }}/cmk:{{ cmk_img_version }}
  when:
    - inventory_hostname == groups['kube-node'][0]
  changed_when: true

- name: clean up any preexisting certs/key/CSR files
  file: path=/etc/ssl/cmk state=absent
  when: inventory_hostname == groups['kube-master'][0]
  failed_when: false
  become: yes

- name: delete any preexisting certs/key/CSR from Kubernetes
  command: kubectl delete csr cmk-webhook-{{ item }}.{{ cmk_namespace }}
  when: inventory_hostname == groups['kube-master'][0]
  failed_when: false
  with_items:
    - "client"
    - "server"

- name: create directory for CMK cert and key generation
  become: yes
  file:
    path: /etc/ssl/cmk
    state: directory
    mode: 0700
    owner: root
    group: root

- name: populate CMK CSR template
  template:
    src: "webhook_{{ item }}_csr.json.j2"
    dest: "/etc/ssl/cmk/cmk-webhook-{{ item }}-csr.json"
    force: yes
    mode: preserve
  become: yes
  with_items:
    - "client"
    - "server"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: get GOPATH
  command: go env GOPATH
  register: gopath
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: generate key and CSR
  shell: "set -o pipefail \
         && {{ gopath.stdout }}/bin/cfssl genkey cmk-webhook-{{ item }}-csr.json | {{ gopath.stdout }}/bin/cfssljson -bare cmk-webhook-{{ item }}"
  args:
    chdir: "/etc/ssl/cmk/"
    executable: /bin/bash
  with_items:
    - "client"
    - "server"
  when:
    - inventory_hostname == groups['kube-master'][0]
  become: yes

- name: read generated server key
  command: cat cmk-webhook-server-key.pem
  args:
    chdir: "/etc/ssl/cmk/"
  register: server_key
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: read generated client key
  command: cat cmk-webhook-client-key.pem
  args:
    chdir: "/etc/ssl/cmk/"
  register: client_key
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: load generated server key
  set_fact:
    cmk_webhook_server_key: "{{ server_key.stdout | b64encode }}"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: load generated client key
  set_fact:
    cmk_webhook_client_key: "{{ client_key.stdout | b64encode }}"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: read generated client csr
  command: cat cmk-webhook-client.csr
  args:
    chdir: "/etc/ssl/cmk/"
  register: client_csr
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: load generated client csr
  set_fact:
    cmk_webhook_client_csr: "{{ client_csr.stdout | b64encode }}"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: read generated server csr
  command: cat cmk-webhook-server.csr
  args:
    chdir: "/etc/ssl/cmk/"
  register: server_csr
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: load generated server csr
  set_fact:
    cmk_webhook_server_csr: "{{ server_csr.stdout | b64encode }}"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: populate CMK Kubernetes CA CSR template
  template:
    src: "kube_{{ item }}_csr.yml.j2"
    dest: "/etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml"
    force: yes
    mode: preserve
  with_items:
    - "client"
    - "server"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: send CSR to the Kubernetes API Server
  command: kubectl apply -f /etc/ssl/cmk/cmk-webhook-kube-{{ item }}-csr.yml
  with_items:
    - "client"
    - "server"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: approve request
  command: kubectl certificate approve cmk-webhook-{{ item }}.{{ cmk_namespace }}
  with_items:
    - "client"
    - "server"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: get approved server  certificate
  shell: kubectl get csr cmk-webhook-server.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
  args:
    chdir: "/etc/ssl/cmk/"
  register: server_cert
  when:
    - inventory_hostname == groups['kube-master'][0]
  retries: 30
  delay: 1
  until: server_cert.rc == 0

- name: get approved client certificate
  shell: kubectl get csr cmk-webhook-client.{{ cmk_namespace }} -o jsonpath='{.status.certificate}'
  args:
    chdir: "/etc/ssl/cmk/"
  register: client_cert
  when:
    - inventory_hostname == groups['kube-master'][0]
  retries: 30
  delay: 1
  until: client_cert.rc == 0

- name: load generated server cert
  set_fact:
    cmk_webhook_server_cert: "{{ server_cert.stdout }}"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: load generated client cert
  set_fact:
    cmk_webhook_client_cert: "{{ client_cert.stdout }}"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: populate cmk-webhook.conf file
  template:
    src: "cmk-webhook.conf.j2"
    dest: "/etc/kubernetes/admission-control/cmk-webhook.conf"
    force: yes
    mode: preserve
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: add MutatingAdmissionWebhook to AdmissionConfiguration
  blockinfile:
    path: /etc/kubernetes/admission-control/config.yaml
    insertafter: "plugins:"
    block: |
      - name: MutatingAdmissionWebhook
        configuration:
          apiVersion: apiserver.config.k8s.io/v1
          kind: WebhookAdmissionConfiguration
          kubeConfigFile: /etc/kubernetes/admission-control/cmk-webhook.conf
  when:
    - inventory_hostname == groups['kube-master'][0]


- name: restart kube-apiserver after updating admission control configuration
  when: inventory_hostname == groups['kube-master'][0]
  block:
    - name: remove kube-apiserver Docker container
      shell: docker ps -af name=k8s_kube-apiserver* -q | xargs --no-run-if-empty docker rm -f
      args:
        executable: /bin/bash
      register: remove_apiserver_container
      retries: 10
      until: remove_apiserver_container.rc == 0
      delay: 1
    - name: wait for kube-apiserver to be up
      uri:
        url: "https://127.0.0.1:6443/healthz"
        client_cert: "/etc/kubernetes/ssl/ca.crt"
        client_key: "/etc/kubernetes/ssl/ca.key"
        validate_certs: no
      register: result
      until: result.status == 200
      retries: 120
      delay: 1

- name: create Helm charts directory if needed
  file:
    path: /usr/src/charts
    state: directory
    mode: 0755
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: copy CMK Helm chart to the controller node
  copy:
    src: "{{ role_path }}/charts/cpu-manager-for-kubernetes"
    dest: "/usr/src/charts/"
    mode: 0755
  when:
    - inventory_hostname == groups['kube-master'][0]

# adds all kube-nodes to the list of CMK nodes
- name: build list of CMK hosts
  set_fact:
    cmk_hosts_list: "{{ groups['kube-node'] | join(',') }}"
  when:
    - not cmk_use_all_hosts
    - (cmk_hosts_list is undefined) or (cmk_hosts_list | length == 0)

- name: set values for CMK Helm chart values
  set_fact:
    cmk_image: "{{ registry_local_address }}/cmk"
    cmk_tag: "{{ cmk_img_version }}"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: read ca cert
  command: cat ca.crt
  args:
    chdir: "/etc/kubernetes/ssl/"
  register: ca_cert
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: load ca cert
  set_fact:
    caBundle_cert: "{{ ca_cert.stdout | b64encode }}"
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: populate CMK Helm chart values template and push to controller node
  template:
    src: "helm_values.yml.j2"
    dest: "/usr/src/charts/cmk-values.yml"
    force: yes
    mode: preserve
  when:
    - inventory_hostname == groups['kube-master'][0]

# remove any preexisting configmaps before cmk redeployment
- name: remove any preexisting configmaps before CMK deployment
  command: kubectl delete cm cmk-config-{{ inventory_hostname }}
  when:
    - inventory_hostname in cmk_hosts_list.split(',')
  delegate_to: "{{ groups['kube-master']|first }}"
  failed_when: false

- name: install CMK helm chart
  command: helm upgrade --install cmk --namespace {{ cmk_namespace }} -f /usr/src/charts/cmk-values.yml /usr/src/charts/cpu-manager-for-kubernetes
  when:
    - inventory_hostname == groups['kube-master'][0]

- name: clean up any certs/key/CSR files
  file: path=/etc/ssl/cmk state=absent
  when: inventory_hostname == groups['kube-master'][0]
  failed_when: false
  become: yes