OCPV: Move to Route53 (#7520)

* Moving to Route53 * Moving to Route53 * Moving to Route53 * Moving to Route53 * Moving to Route53 * Update post_software.yml
redhat-cop · Dec 15, 2023 · 8a05005 · 8a05005
1 parent 6563fa0
commit 8a05005
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 5 deletions.
diff --git a/ansible/configs/ocp4-cluster/post_software.yml b/ansible/configs/ocp4-cluster/post_software.yml
@@ -18,10 +18,32 @@
     include_role:
       name: openshift_cluster_admin_service_account
 
+  - name: Create AWS credentials file with Route53 credentials for certificate renewals
+    when: '"ocp4_workload_le_certificates" in infra_workloads and route53_aws_zone_id is defined'
+    blockinfile:
+      dest: "~/.aws/credentials"
+      create: true
+      content: |
+        [default]
+        aws_access_key_id={{ route53_aws_access_key_id }}
+        aws_secret_access_key={{ route53_aws_secret_access_key }}
+
+
 # Deploy Workloads
 - name: Step 005.2 - Deploy Infra and Student Workloads
   import_playbook: workloads.yml
 
+- name: Step 005 - Remove AWS credentials
+  hosts: bastions
+  become: false
+  gather_facts: false
+  tasks:
+  - name: Remove AWS credentials file
+    when: '"ocp4_workload_le_certificates" in infra_workloads and route53_aws_zone_id is defined'
+    file:
+      path: "/home/{{ ansible_user }}/.aws/credentials"
+      state: absent
+
 - name: Showroom Install
   hosts: bastions
   gather_facts: false

diff --git a/ansible/roles/host-ocp4-assisted-destroy/tasks/main.yaml b/ansible/roles/host-ocp4-assisted-destroy/tasks/main.yaml
@@ -21,6 +21,7 @@
         wait_timeout: 300
 
     - name: Delete dns records
+      when: cluster_dns_server is defined
       ansible.builtin.nsupdate:
         server: >-
           {{ cluster_dns_server
@@ -39,6 +40,20 @@
         - "api"
         - "*.apps"
 
+    - name: DNS entry ({{ _dns_state | default('present') }})
+      when: route53_aws_zone_id is defined
+      route53:
+        state: absent
+        aws_access_key_id: "{{ route53_aws_access_key_id }}"
+        aws_secret_access_key: "{{ route53_aws_secret_access_key }}"
+        hosted_zone_id: "{{ route53_aws_zone_id }}"
+        record: "{{ item }}.{{ cluster_name }}"
+        zone: "{{ cluster_dns_zone  }}"
+        type: A
+      loop:
+        - "api"
+        - "*.apps"
+
     - name: Get a list of clusters
       rhpds.assisted_installer.list_clusters:
         offline_token: "{{ ai_offline_token }}"

diff --git a/ansible/roles/host-ocp4-assisted-installer/tasks/main.yaml b/ansible/roles/host-ocp4-assisted-installer/tasks/main.yaml
@@ -15,7 +15,7 @@
 
 - name: Set URLs for OpenShift GA releases (latest stable)
   when:
-  - (ocp4_installer_version | string).split('.') | length == 2
+    - (ocp4_installer_version | string).split('.') | length == 2
   set_fact:
     ocp4_client_url: >-
       {{ '{0}/ocp/stable-{1}/openshift-client-linux.tar.gz'.format(
@@ -78,6 +78,7 @@
           delay: 2
 
         - name: Add A dns record - masters
+          when: cluster_dns_server is defined
           ansible.builtin.nsupdate:
             server: >-
               {{ cluster_dns_server
@@ -93,8 +94,20 @@
             key_name: "{{ ddns_key_name }}"
             key_secret: "{{ ddns_key_secret }}"
 
+        - name: Add A dns record - masters
+          when: route53_aws_zone_id is defined
+          amazon.aws.route53:
+            state: present
+            aws_access_key_id: "{{ route53_aws_access_key_id }}"
+            aws_secret_access_key: "{{ route53_aws_secret_access_key }}"
+            hosted_zone_id: "{{ route53_aws_zone_id }}"
+            record: "api.{{ cluster_name}}.{{ cluster_dns_zone }}"
+            zone: "{{ cluster_dns_zone  }}"
+            value: "{{ full_svc_masters.resources[0].status.loadBalancer.ingress[0].ip }}"
+            type: A
 
         - name: Add A dns record - workers
+          when: cluster_dns_server is defined
           ansible.builtin.nsupdate:
             server: >-
               {{ cluster_dns_server
@@ -110,6 +123,18 @@
             key_name: "{{ ddns_key_name }}"
             key_secret: "{{ ddns_key_secret }}"
 
+        - name: Add A dns record - workers
+          when: route53_aws_zone_id is defined
+          amazon.aws.route53:
+            state: present
+            aws_access_key_id: "{{ route53_aws_access_key_id }}"
+            aws_secret_access_key: "{{ route53_aws_secret_access_key }}"
+            hosted_zone_id: "{{ route53_aws_zone_id }}"
+            record: "*.apps.{{ cluster_name}}.{{ cluster_dns_zone }}"
+            zone: "{{ cluster_dns_zone  }}"
+            value: "{{ full_svc_masters.resources[0].status.loadBalancer.ingress[0].ip }}"
+            type: A
+
     - name: Configure a full cluster
       when: worker_instance_count|int > 0
       block:
@@ -134,6 +159,7 @@
           delay: 2
 
         - name: Add A dns record - masters
+          when: cluster_dns_server is defined
           ansible.builtin.nsupdate:
             server: >-
               {{ cluster_dns_server
@@ -149,6 +175,18 @@
             key_name: "{{ ddns_key_name }}"
             key_secret: "{{ ddns_key_secret }}"
 
+        - name: Add A dns record - masters
+          when: route53_aws_zone_id is defined
+          amazon.aws.route53:
+            state: present
+            aws_access_key_id: "{{ route53_aws_access_key_id }}"
+            aws_secret_access_key: "{{ route53_aws_secret_access_key }}"
+            hosted_zone_id: "{{ route53_aws_zone_id }}"
+            record: "api.{{ cluster_name}}.{{ cluster_dns_zone }}"
+            zone: "{{ cluster_dns_zone  }}"
+            value: "{{ full_svc_masters.resources[0].status.loadBalancer.ingress[0].ip }}"
+            type: A
+
 
         - name: Add the service (type LoadBalancer) for Full Clusters - workers
           kubernetes.core.k8s:
@@ -171,6 +209,7 @@
           delay: 2
 
         - name: Add A dns record - workers
+          when: cluster_dns_server is defined
           ansible.builtin.nsupdate:
             server: >-
               {{ cluster_dns_server
@@ -186,6 +225,18 @@
             key_name: "{{ ddns_key_name }}"
             key_secret: "{{ ddns_key_secret }}"
 
+        - name: Add A dns record - workers
+          when: route53_aws_zone_id is defined
+          amazon.aws.route53:
+            state: present
+            aws_access_key_id: "{{ route53_aws_access_key_id }}"
+            aws_secret_access_key: "{{ route53_aws_secret_access_key }}"
+            hosted_zone_id: "{{ route53_aws_zone_id }}"
+            record: "api.{{ cluster_name}}.{{ cluster_dns_zone }}"
+            zone: "{{ cluster_dns_zone  }}"
+            value: "{{ full_svc_workers.resources[0].status.loadBalancer.ingress[0].ip }}"
+            type: A
+
     - name: Create OVN secondary network
       kubernetes.core.k8s:
         definition: "{{ lookup('ansible.builtin.template', 'templates/net-attach-def.yaml') }}"

diff --git a/ansible/roles_ocp_workloads/ocp4_workload_le_certificates/tasks/workload.yml b/ansible/roles_ocp_workloads/ocp4_workload_le_certificates/tasks/workload.yml
@@ -34,8 +34,8 @@
         API: {{ ocp4_workload_le_certificates_api_hostname }},
         Wildcard Domain: {{ r_ingress_controller.resources[0].status.domain }}
 
-  - name: Get Certificates for AWS
-    when: cloud_provider == "ec2"
+  - name: Get Certificates for AWS or OpenShift Virtualization
+    when: cloud_provider in ["ec2","openshift_cnv"]
     block:
     # /home/{{ ansible_user }}/.aws/credentials needs to exist before calling this role
     - name: Create Let's Encrypt Certificates for AWS
@@ -110,8 +110,8 @@
       - _certbot_cron_job_name: LETS_ENCRYPT_RENEW
       - use_python3: "{{ all_use_python3 | default(true) | bool }}"
 
-  - name: Get Certificates for OpenStack or OpenShift Virtualization
-    when: cloud_provider in ["osp","openshift_cnv"]
+  - name: Get Certificates for OpenStack
+    when: cloud_provider in ["osp"]
     block:
     - name: Copy credentials to host temporarily
       template: