Latest

.gitignore

@@ -0,0 +1 @@
+*.retry

README.md

@@ -0,0 +1,90 @@
+# openshift4-ansible
+
+This playbook creates the OpenShift 4 UPI (User provided
+Infrastructure) on AWS into an existing VPC with existing private and
+public subnets and DNS Zones.
+
+It is also possible to deploy the API server without exposing it to
+the Internet, this will require that the host that runs this Ansible
+playbook can access the VPC subnets.
+
+The Cloudformation templates are based on these:
+https://github.com/openshift/installer/tree/master/upi/aws/cloudformation
+
+Some information has to be provided. Mainly information about your AWS
+VPC, your subnets etc. See `inventory/group_vars/all`
+
+
+## Setup
+
+Create an administrative IAM user to perform the install.
+See https://github.com/openshift/installer/blob/master/docs/user/aws/iam.md
+
+This user can be removed after the installation
+
+To set up a bastion host follow these steps:
+
+Start with a RHEL7 Instance.
+
+Become root and install the needed tools:
+
+```bash
+sudo -i
+
+subscription-manager repos --enable rhel-7-server-ansible-2.8-rpms
+
+yum install -y ansible
+
+yum install -y \
+  https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
+
+yum -y install \
+  python2-boto python2-boto3 python2-simplejson
+
+yum erase -y epel-release
+
+exit
+```
+
+With your own account, create ~/.aws/credentials with the following
+content, replacing the AWSKEY and AWSSECRETKEY with the right values
+from AWS.
+
+```
+[default]
+aws_access_key_id = AWSKEY
+aws_secret_access_key = AWSSECRETKEY
+```
+
+## Usage
+
+Modify `inventory/group_vars/all`.
+
+```bash
+ansible-playbook install-upi.yaml
+```
+
+To delete all AWS resources that were created for an OpenShift cluster, use the same `inventory/group_vars/all` that was used for the
+installation. In particular, the clustername has to match. You also need the `/tmp/CLUSTERNAME` directory that was created
+by the installation playbook.
+
+```bash
+ansible-playbook uninstall-upi.yaml
+```
+
+### Disk Encryption
+
+To enable encryption of the EBS volumes attached to the master and worker nodes, the RHCOS AMI needs to be copied before 
+the installation is started. This can be done by running
+
+```bash
+ansible-playbook create-encrypted-ami.yaml
+```
+
+The playbook uses the AMI ID `rhcos_ami` from `vars.yaml` as the
+source and creates a private AMI that is identical to the source AMI,
+except that disk encryption is enabled.
+
+install-upi.yaml looks for a private AMI created by
+`create-encrypted-ami.yaml`. If none is found, it uses AMI ID
+`rhcos_ami` from `inventory/group_vars/all`.

ansible.cfg

@@ -0,0 +1,7 @@
+[defaults]
+inventory               = inventory
+host_key_checking       = False
+retry_files_enabled     = False
+callback_whitelist      = profile_tasks
+forks                   = 20
+interpreter_python      = auto_silent

create-encrypted-ami.yaml

@@ -0,0 +1,49 @@
+---
+- name: Create encrypted AMI image
+  gather_facts: false
+  hosts: localhost
+  tasks:
+    - name: Get unencrypted RCOS AMI
+      ec2_ami_facts:
+        filters:
+          image-id: "{{ rhcos_ami }}"
+        region: "{{ region }}"
+      register: ami_unencrypted
+
+    - name: Get previous encrypted RHCOS AMI
+      ec2_ami_facts:
+        filters:
+          "tag:rhcos_version": "{{ rhcos_version }}"
+          "tag:latest_ami": 'true'
+        region: "{{ region }}"
+      register: ami_encrypted_old
+
+    - name: Update latest_ami tag for previous encrypted AMIs
+      ec2_ami:
+        image_id: "{{ item.image_id }}"
+        region: "{{ region }}"
+        tags:
+          latest_ami: 'false'
+      loop: "{{ ami_encrypted_old.images }}"
+
+    - name: Copy unencrypted RHCOS AMI and enable encryption
+      ec2_ami_copy:
+        source_image_id: "{{ rhcos_ami }}"
+        source_region: "{{ region }}"
+        name: "{{ ami_unencrypted.images[0]['name'] ~ '-encrypted' }}"
+        region: "{{ region }}"
+        encrypted: true
+        tags:
+          rhcos_version: "{{ rhcos_version }}"
+          latest_ami: 'true'
+      register: ami_encrypted
+
+    - name: Wait for encrypted RHCOS AMI to become available
+      ec2_ami_facts:
+        image_ids: "{{ ami_encrypted.image_id }}"
+        region: "{{ region }}"
+      register: ami_check
+      until: ami_check.images[0].state == 'available'
+      retries: 60
+      delay: 10
+...

files/LDAPsecret.yaml.j2

@@ -0,0 +1,7 @@
+apiVersion: v1
+data:
+  bindPassword: "{{ ldap_bindPassword | b64encode }}"
+kind: Secret
+metadata:
+  namespace: openshift-config
+  name: "{{ ldap_secret_name }}"

files/Oauth.yaml.j2

@@ -0,0 +1,30 @@
+apiVersion: config.openshift.io/v1
+kind: OAuth
+metadata:
+  name: cluster
+spec:
+  identityProviders:
+  # This provider name is prefixed to the returned user ID to form an identity name:
+  - name: "{{ ldap_idp_name }}"
+    # Controls how mappings are established between this provider’s identities and user objects:
+    mappingMethod: claim
+    type: LDAP
+    ldap:
+      attributes:
+        id:
+        - dn
+        email:
+        - mail
+        name:
+        - cn
+        preferredUsername:
+        - uid
+      bindDN: "{{ bindDN }}"
+      bindPassword:
+        name: "{{ ldap_secret_name }}"
+      # ca:
+        # name: ca-config-map1
+      # LDAP or LDAPS:
+      insecure: false
+      # An RFC 2255 URL which specifies the LDAP host and search parameters to use:
+      url: "{{ ldap_url }}"