Rhel zero base config (#7284)

* New rhel-zero-base config for zero-touch and RHEL BU * Update README for rhel-zero-base * Update default_vars.yml --------- Co-authored-by: Alberto Gonzalez Rodriguez <[email protected]>
redhat-cop · Nov 1, 2023 · 0212e68 · 0212e68
1 parent 3ffdebe
commit 0212e68
Show file tree

Hide file tree

Showing 27 changed files with 1,388 additions and 0 deletions.
diff --git a/ansible/configs/rhel-zero-base/.yamllint b/ansible/configs/rhel-zero-base/.yamllint
@@ -0,0 +1,12 @@
+extends: default
+
+rules:
+  comments:
+    require-starting-space: false
+    min-spaces-from-content: 1
+  comments-indentation: disable
+  indentation:
+    indent-sequences: consistent
+  line-length:
+    max: 200
+    allow-non-breakable-inline-mappings: true
diff --git a/ansible/configs/rhel-zero-base/Makefile b/ansible/configs/rhel-zero-base/Makefile
@@ -0,0 +1,102 @@
+ENV_TYPE=rhel-zero-base
+CLOUD_PROVIDER=ec2
+SANDBOX=1
+
+# Adjust GUID to taste e.g. make deploy GUID=foo-01
+
+GUID=showroom0$(SANDBOX)
+OUTPUT_DIR=/tmp/output_dir/$(GUID)-$(CLOUD_PROVIDER)
+
+# TODO: ~/tmp seems to fail, related to accessing tha ssh file at least in aws's ping during post_infra
+# ~/tmp persists through reboots which can be useful
+# showroom0$(SANDBOX)
+
+PLAYBOOK_DIR=ansible
+
+# AWS Uses Sandbox creds typically
+
+SECRETS_DIR=~/secrets
+SECRETS_FILE=$(SECRETS_DIR)/secrets-showroom-sandbox0$(SANDBOX).yaml
+
+#SECRETS_ANSIBLE_VAULT_PASSWORD_FILE=$(SECRETS_DIR)/secret-ansible-vault-babylon-gpte_vault_0
+#SECRETS_BOOKBAG=~/secrets/bookbag-shared-410.yaml
+
+VARS_DIR=~/vars
+VARS_FILE=$(VARS_DIR)/vars-showroom-$(CLOUD_PROVIDER)-sandbox0$(SANDBOX).yaml
+
+TARGET ?= bastion
+EXTRA_ARGS=
+USER_EXTRA_ARGS=
+# Adjust to taste
+
+: ## TIP! make supports tab completion with *modern* shells e.g. zsh etc
+: ## e.g. make depl<TAB> == make deploy 
+: ## 
+
+.SILENT: setup my-env ssh-target
+
+help: ## Show this help - technically unnecessary as `make` alone will do
+	@egrep -h '\s##\s' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-20s\033[0m %s\n", ($$2=="" ? "" : $$1 ),  $$2}' 
+
+# Thanks to victoria.dev for the above syntax
+# https://victoria.dev/blog/how-to-create-a-self-documenting-makefile/
+
+env: ## Confirm env setup
+	@echo "\n\nActivate a virtualenv if required\n"
+	@type python3
+	@printf "Python3 version is: "
+	@python3 --version
+	@type ansible
+	@ansible --version
+	@printf "ENV VARS containing ANSIBLE: "
+	@-env | grep ANSIBLE || echo "None"
+
+ansible-execute: ## Execute ansible-playbook with PLAYBOOK of choice
+	cd ../../.. ; \
+	mkdir -p $(OUTPUT_DIR); \
+	export ANSIBLE_LOG_PATH=$(OUTPUT_DIR)/$(ENV_TYPE)_$(GUID).log; \
+		ansible-playbook $(PLAYBOOK_DIR)/$(PLAYBOOK) \
+		-e @$(VARS_FILE) \
+		-e @$(SECRETS_FILE) \
+		-e output_dir=$(OUTPUT_DIR) \
+		-e env_type=$(ENV_TYPE) \
+		$(USER_EXTRA_ARGS) $(EXTRA_ARGS)
+
+deploy: ## Deploy normally with package updates etc (can be slow)
+	$(MAKE) ansible-execute PLAYBOOK=main.yml 
+
+deploy-fast: ## Deploy fast without package updates etc
+	$(MAKE) ansible-execute PLAYBOOK=main.yml EXTRA_ARGS="-e update_packages=false"	
+
+destroy: ## Destroy the config
+	$(MAKE) ansible-execute PLAYBOOK=destroy.yml
+
+user-data: ## Assumes an existing output_dir, outputs contenst of user-data.yaml
+	ansible-playbook rhdp.agnostic_utilities.agd_user_info.yml -e output_dir=$(OUTPUT_DIR) 
+
+ssh-target: ## ssh to your bastion by default or use `make ssh-target target=hostname` 
+	ssh -F $(OUTPUT_DIR)/$(ENV_TYPE)_$(GUID)_ssh_conf $(TARGET)
+
+
+ssh: ## ssh to your bastion by default or use `make ssh target=hostname` 
+	ssh -F $(OUTPUT_DIR)/$(ENV_TYPE)_$(GUID)_ssh_conf showroom@$(TARGET)
+
+last-status: ## Output last status file
+	ls -l $(OUTPUT_DIR)/status.txt
+	cat $(OUTPUT_DIR)/status.txt
+
+update-status: ## Update status file
+	$(MAKE) ansible-execute PLAYBOOK=lifecycle_entry_point.yml EXTRA_ARGS="-e ACTION=status"
+
+stop: ## Suspend, stop, instances
+	$(MAKE) ansible-execute PLAYBOOK=lifecycle_entry_point.yml EXTRA_ARGS="-e ACTION=stop"
+
+start: ## Start stopped instances
+	$(MAKE) ansible-execute PLAYBOOK=lifecycle_entry_point.yml EXTRA_ARGS="-e ACTION=start"
+
+bounce: ## Bounce the deploy IE stop then start
+bounce: stop start
+
+relog: ## Zero out the ANSIBLE_LOG_PATH log file
+	rm $(OUTPUT_DIR)/$(ENV_TYPE)_$(GUID).log
+
diff --git a/ansible/configs/rhel-zero-base/README.adoc b/ansible/configs/rhel-zero-base/README.adoc
@@ -0,0 +1,156 @@
+== Overview
+
+*rhel-user-base* is derived from `base-infra` config.
+It is optimized for creating environments/labs for RHEL work with Project Zero Touch
+
+* Support for validation plays
+* Support for local podman based services
+
+=== Cloud Support
+
+* AWS via `cloud_provider: ec2`
+* OCP V12N
+
+=== Architecture
+
+* Bastion host (with optional bookbag, showroom, or VSCode Server)
+
+It is designed to support Hybrid Cloud use. In other words the primary infrastructure can be deployed to AWS for example but the automation controller infrastructure could contain credentials allowing it to deploy subsequent infrastructure to other public or private loud infrastructures such as Azure, vSphere, OpenStack, GCP etc.
+
+To provide Hybrid Cloud use cases it is designed to be used in a *chained config* where this `config` simply deploys a simple foundation of AAP2 infrastructure and the Cloud Credentials come from, other, sandbox configs/deploys which are then injected by the `ent-demo-ate-binder`
+
+See the *Developer Notes* below for more details
+
+=== Basic Architecture and Overview
+
+This config uses a number of new roles, and patterns, that differ from older _Ansible Type_ configs:
+
+* New role `bastion-base` - lighter and less crufty than older roles, basically does less
+** Supports new packages list `agd_bastion_packages` simplifying bastion only packaging v `common_packages`
+** New role `user-create-ansible-service-account`
+
+* RedHat Enterprise Linux `bastion`
+
+== Developers Notes
+
+Tested and developed with:
+
+* Developed on
+** Ansible 2.14 - see sample_vars, coming to AgnosticD venvs soon, after optimizations (2023-02-28 [email protected])
+* Initial, depreciated, development on Ansible `2.11`
+** Venv `agnosticd-ansible-2.11-python-3.8`
+** Deployed with `ansible-playbook` (`2.11` as stated above)
+** i.e. at this time no work has been done to validate with `ansible-navigator`
+** or execution environments though little difficulty (and some gains) are anticipated
+* Makes fairly extensive use of software switches aka booleans etc
+** Please continue this trend so everything can be turned on and off simply by vars
+** `when: install_vscode_server | default(false) | bool`
+
+NOTE: At this writing, March 2023, the AgnosticD `ec2` cloud_provider *no longer* appears to use a number of depreciated or obsolete tasks. See configs `requirements.yaml` to ensure correct collections e.g. `amazon.aws` Laptop developers in particular may need to resolve Collections via `export ANSIBLE_COLLECTIONS_PATH=...` See *LIfecycle Notes* below for implications and why `config` *currently* needs its own `lifecycle.yml`
+
+=== Style etc.
+
+This `config` attempts to offload virtually all its work into roles and as a general guideline the
+configs playbooks (pre_, post etc) should primarily or even exclusively avoid embedding other tasks within the plays. IE these plays should try to limit themselves yo:
+
+. `import_role` or `include_role`
+. `set_fact`
+.  `agnosticd_user_info`
+
+Pretty much everything else should be a role, protected by a software switch `when: ... default(false) | bool`. It goes without saying these should all be FQCN e.g. `ansible.builtin.set_fact`
+
+=== Makefile
+
+An *optional* `Makefile` is provided as this self-documents how the config deploys from a laptop or similar. It is not an essential part of the process but is extremely useful, a simple `make` will list the functionality and modern shells should offer tab completion. Examples:
+
+* `make deploy|destroy`
+* `make ssh-bastion`
+
+=== Development *TIPS*
+
+* The `output_dir` inventory is *GOLD* and speeds up development:
+** e.g. `ansible-playbook role-wrapping-playbook-to-test.yml -i /tmp/output_dir/inventory_post_software.yaml -e @~/secrets/secret-aws-ate-no-sandbox.yml`
+* Use a virtualenv (venv) *For Now* EE support coming
+* Consider using ANSIBLE_COLLECTIONS_PATH to *hide* more up to date collections you may have installed
+** Can be an issue on laptop deployments e.g. you have _latest and greatest_ in`~/.ansible/collections`
+** Example, assumes you are in repo root dir: `export ANSIBLE_COLLECTIONS_PATH=$(pwd)/collections` 
+
+NOTE: In some places this config has started to introduce a `agd_` variable prefix e.g. `agd_install_common` instead of `install_common`. This is to avoid collisions and is arguably a superior practice.
+
+==== Mac Developer Notes
+
+Common Errors, issues
+
+[source,sh]
+----
+ fatal: [bastion.base-aap2-01.internal]: FAILED! => {"msg": "crypt.crypt not supported on Mac OS X/Darwin, install passlib python module. crypt.crypt not supported on Mac OS X/Darwin, install passlib python module"}
+----
+
+passlib error re crypt
+Fix: python3 -m pip install passlib
+
+
+Fix: If Python dep `PyGObject==3.42.2` fails to install then `brew install gobject-introspection` resolved it for [email protected]
+
+== Sample files
+
+* A _typical_ secrets file:
+
+[source,yaml]
+----
+---
+#
+# Set cloud provider here as these ties 100% to secrets
+#
+
+cloud_provider: ec2
+
+#
+# Sandbox creds 2022-07-20
+#
+
+aws_access_key_id:                              <YOUR-AWS-SANDBOX-KEY>
+aws_secret_access_key:                          <YOUR-AWS-SECRET-ACCESS-SANDBOX-KEY>
+subdomain_base_suffix:                          <subdomain from sandbox email, including leading `.`>
+
+#
+# Satellite Creds, use labsat-HA and dedicated activation key for isolation
+#
+
+repo_method:                                    satellite
+set_repositories_satellite_ha:                  true
+set_repositories_satellite_url:                 <YOUR-URL>
+set_repositories_satellite_org:                 <YOUR-ORG>
+set_repositories_satellite_activationkey:       <OBTAIN FROM YOUR ADMIN>
+
+...
+----
+
+=== Totally Optional File 
+
+Whilst developing I, Tony ([email protected]) basically setup my develop environment like this:
+
+. `workon agnosticd-ansible-2.11-python-3.8` # or however you manage venvs
+. `source tok-env.sh` in the root directory of AgnosticD
+
+* An example of my `tok-env.sh`:
+
+[source,bash]
+----
+export ANSIBLE_COLLECTIONS_PATH=/Users/tok/repos/agnosticd/repo/agnosticd/collections
+export ANSIBLE_LOG_PATH=/tmp/output_dir/ate-01
+export ANSIBLE_CONFIG=tok-ansible.cfg
+
+export MAKEFILE=$(pwd)/ansible/configs/ent-demo-ate-base/Makefile
+
+# old legacy config
+alias mk="make -f $MAKEFILE "
+----
+
+NOTE: The above is purely optional but should perhaps help others do laptop based deploys. Also after doing this you can simply `mk dep<TAB>` for example to do a deploy, or `mk ssh-b<TAB>` to ssh to a bastion
+
+=== Common Errors and Mistakes
+
+* Make sure you are using a supported venv and ansible version
+
+
diff --git a/ansible/configs/rhel-zero-base/default_vars.yml b/ansible/configs/rhel-zero-base/default_vars.yml
@@ -0,0 +1,83 @@
+---
+# default vars for base-infra
+# See README.adoc for full details
+
+env_type: rhel-user-base
+
+output_dir: "/tmp/output_dir/{{ guid }}"      # Writable working scratch directory
+project_tag: "{{ env_type }}-{{ guid }}"      # This var is used to identify stack (cloudformation, azure resourcegroup, ...)
+
+cloud_provider: ec2                           # Default to AWS
+
+email: "{{ env_type }}@opentlc.com"
+guid: "{{ env_type }}-01"
+uuid: "{{ guid }}"
+
+# Dump inventories to output_dir - very useful as a dev -i option
+
+agnosticd_inventory_exporter_enable: true # Dump inventory in output_dir
+
+# create one, or more, rhel users
+
+rhel_zero_users_create: true
+
+ansible_devops_user_ssh_config: ./files/ssh_config.j2
+
+# TODO: Get rid of this ^^^ after validating nothing useful is done
+# Software payload section - outmoded pattern
+
+  #software_to_deploy: none
+
+### Common Host settings
+
+# FTL Settings
+install_ftl: false
+  #ftl_use_python3: true
+
+# install_bastion: true
+
+agd_install_bastion_base: true
+agd_install_common: true
+
+# This is where the ssh_config file will be created, this file is used to
+# define the communication method to all the hosts in the deployment
+
+deploy_local_ssh_config_location: "{{ output_dir }}/"
+
+### If you want a Key Pair name created and injected into the hosts,
+# set `set_env_authorized_key` to true and set the keyname in `env_authorized_key`
+# you can use the key used to create the environment or use your own self generated key
+
+# agd_set_env_authorized_key: true
+
+set_env_authorized_key: true  #"{{ agd_set_env_authorized_key }}" # Role should default this
+env_authorized_key: "{{ guid }}key"
+ansible_ssh_private_key_file: ~/.ssh/{{ env_authorized_key }}.pem
+ansible_service_account_user_ssh_config: ssh_config.j2
+
+# TODO: Same for RHEL9 needed
+
+use_content_view: true
+
+common_packages_el8:
+
+  - bash-completion
+  - bind-utils
+  - python3.9
+  - vim-enhanced
+
+update_packages: true      # Do you want to run a full yum update
+
+agd_bastion_packages:
+
+  - at
+  - bash-completion
+  - bind-utils
+  - git
+  - python3.9
+  - python3-devel
+  - ripgrep
+  - tree
+  - vim-enhanced
+  - wget
+  - zsh